07-10-2008 09:50 AM - edited 03-10-2019 03:58 PM
Hello,
I am trying to configure 802.1x on our network. I am running into an issue. When a PC without a certificate is connected to the IP Phone, upon the authentication failure the switch does not assign the port to the Guest or auth-failed VLAN, so I never get an IP.
This happens when I connect the PC to the IP Phone. It works fine if I connect the PC directly to the switchport.
Here's my configuration on the switch port.
interface FastEthernet0/5
switchport access vlan 8
switchport mode access
switchport voice vlan 3030
speed 100
duplex full
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 999
dot1x auth-fail vlan 999
dot1x auth-fail max-attempts 2
no mdix auto
spanning-tree portfast
end
thanks
Anand
07-10-2008 10:03 AM
What supplicant are we talking about here?
Are EAPOL-Starts enabled?
07-10-2008 01:24 PM
Hi jafrazie,
Thanks for your reply. I am using Windows XP SP2. I have configured the EAPOL-Start as below.
Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode and set it to 3.
When I look at the switch, it looks like it tries the authentication again and again and never really assigns the guest VLAN to the port.
After enabling the debugs I repeatedly see the following log msgs in the switch:
05:46:07: dot1x-sm:Posting AUTH_FAIL on Client=2F58670
05:46:07: dot1x_auth Fa0/5: during state auth_fallback, got event 16(authFail)
05:46:07: @@@ dot1x_auth Fa0/5: auth_fallback -> auth_authc_result
05:46:07: dot1x-sm:Fa0/5:0000.0000.0000:auth_authc_result_enter called
05:46:07: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/5.
05:46:07: dot1x-sm:Posting AUTHC_FAIL on Client=2F58670
05:46:07: dot1x_auth Fa0/5: during state auth_authc_result, got event 24(authcFail)
05:46:07: @@@ dot1x_auth Fa0/5: auth_authc_result -> auth_held
05:46:07: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/5.
05:46:07: dot1x-sm:Posting RESTART on Client=2F58670
05:46:07: dot1x_auth Fa0/5: during state auth_held, got event 14(restart)
05:46:07: @@@ dot1x_auth Fa0/5: auth_held -> auth_restart
Again this only happens when the PC is connected behind the Phone.
Anand
07-10-2008 09:45 PM
Right, so what's happening here is that the supplicant is sending an EAPOL-Start at link up. This immediately means it won't get in the Guest-VLAN.
Also, the switch replies back with EAPOL-Id-Request frames. However, now... the supplicant doesn't have a cert, so it doesn't bother replying back with anything!
So this means it won't get in the Auth-Fail-VLAN either, since it's not actually failing.
You need to configure a global knob called "dot1x guest-vlan supplicant". This should allow you to get the port into the Guest-VLAN... even though it has technically seen EAPOL on the port before... it'll place it into the guest-VLAN since it won't answer EAPOL-Id-Request frames.
Hope this helps,
07-11-2008 06:58 AM
Nice. So looks like that command helped. Thanks.
However, now when I disconnect the PC without a cert and connect a PC with a cert, I have to issue the "dot1x re-authenticate int" command for the switch to start the re-authentication for the new computer. Without issuing this command the switch port remains in the Guest VLAN. Does this have anything to do with the timers? My re-authentication timer is the default 3600.
thanks
Anand
07-11-2008 07:52 AM
To take the port out of Guest VLAN, the switch either needs to see a link state change (impossible in this case since you have a phone in the middle) or receive an EAPoL-Start. Can you confirm that the new PC with the cert is configured to send EAPoL starts?
07-11-2008 08:04 AM
Yes, the PC is configured with EAPoL-Start. The surprising thing is that when I disconnect the PC with the certificate the port goes into Unauthorized status; however, when I disconnect the PC without the cert the port stays in the Guest VLAN until I actually issue the re-authenticate cmd. I also tried waiting for the re-auth period (3600), which might force re-auth, but it didn't happen. I thought the phone sends a log-off msg on behalf of the PC, but maybe I am wrong. We have 7960s running 8.0(7.0).
07-11-2008 08:13 AM
OK, yes. The reason for this is b/c only an EAPOL-Start comes from the PC. Else, more than a single EAPOL message would always come from the PC. There was a problem on the phone where it needed more than one EAPOL message to send an EAPOL-Logoff frame to the switch. If you can see it online, it's CSCsl48111.
This is why, when you disco the PC with a cert, an EAPOL-Logoff got sent from the phone, and why, when you disco without a cert, no EAPOL-Logoff got sent, hence the Guest-VLAN, etc. couldn't get subsequently deployed either.
Hope this helps,
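Added example, not Cisco IOS code and not posted by anyone in this thread: a small Python model of the two rules jafrazie gives above (an EAPOL-Start blocks the Guest-VLAN unless "dot1x guest-vlan supplicant" is on, and silence after EAPOL-Id-Request is not a failure, so the Auth-Fail-VLAN never applies) together with the phone's EAPOL-Logoff proxy behaviour from CSCsl48111. The Phone and Port classes, the event names and the "more than one EAPOL frame" threshold are assumptions made for illustration.

```python
# Added teaching model, not Cisco IOS code; Phone/Port and event names are assumptions.
class Phone:
    """Phone in the middle: forwards the PC's EAPOL frames, proxies EAPOL-Logoff."""
    def __init__(self, fixed_firmware=False):
        # Per CSCsl48111 (above), old firmware needed more than one EAPOL
        # frame from the PC before it would send an EAPOL-Logoff on its behalf.
        self.frames_needed = 1 if fixed_firmware else 2
        self.pc_eapol_frames = 0

    def forward(self, event):
        if event.startswith("eapol"):
            self.pc_eapol_frames += 1
        return event

    def pc_unplugged(self):
        # The switch never sees link-down here; only a proxied EAPOL-Logoff helps.
        return "eapol_logoff" if self.pc_eapol_frames >= self.frames_needed else None

class Port:
    """Authenticator port: access VLAN 8, guest and auth-fail VLAN 999."""
    def __init__(self, guest_vlan_supplicant=False):
        self.guest_vlan_supplicant = guest_vlan_supplicant  # the global knob
        self.eapol_seen = False
        self.vlan = None  # None = unauthorized, nothing assigned

    def handle(self, event):
        if event == "eapol_start":
            self.eapol_seen = True
        elif event == "id_request_timeout":
            # Silence after EAPOL-Id-Request is not an authentication failure,
            # so the auth-fail VLAN never applies; the guest VLAN applies only
            # if no EAPOL was seen on the port or the global knob is on.
            if not self.eapol_seen or self.guest_vlan_supplicant:
                self.vlan = 999
        elif event == "auth_fail":
            self.vlan = 999
        elif event == "auth_success":
            self.vlan = 8
        elif event in ("eapol_logoff", "link_down"):
            self.eapol_seen, self.vlan = False, None
        return self.vlan

def pc_session(events, knob=False, fixed_firmware=False):
    """Run a PC session behind the phone, then unplug the PC; return (VLAN while up, VLAN after)."""
    phone, port = Phone(fixed_firmware), Port(knob)
    for e in events:
        port.handle(phone.forward(e))
    connected, logoff = port.vlan, phone.pc_unplugged()
    return connected, port.handle(logoff) if logoff else port.vlan
```

With the default config a cert-less PC that sends only an EAPOL-Start never reaches VLAN 999; with the knob it does, but on old firmware it stays there after being unplugged, which is exactly the stuck-in-Guest-VLAN symptom reported above.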
07-11-2008 08:38 AM
Thanks jafrazie. Yes, after reading the BUG description it makes sense. The description says the BUG was fixed in 8.0(8.1). So if I upgrade my phones to that version this should be solved?
Is there any other way to resolve this issue?
If it helps, this is what I see in the switch when the PC with the cert is connected. Not sure what the last line means here.
02:24:05: dot1x-ev:Dot1x Querying CDP for 0013.1aa6.8103 Mac
02:24:05: dot1x-ev:dot1x_switch_addr_add: Host access entry already exists for 0013.1aa6.8103 3030
02:24:05: dot1x-ev:dot1x_switch_addr_add: Added MAC 0013.1aa6.8103 to vlan 3030 on interface FastEthernet0/5
02:24:05: dot1x-ev:dot1x_switch_secure_vvid_pkt:Secured Phone MAC = 0013.1aa6.8103 on Vlan = 3030
02:24:05: dot1x-ev:dot1x_switch_mac_address_notify: Ignoring MAC 0013.1aa6.8103 discovered on FastEthernet0/5(999). Nobody is interested.
07-13-2008 09:08 PM
Yes, upgrading to that phone firmware rev should fix you up. I've tested it myself and it works as advertised.
Hope this helps,
07-14-2008 08:52 AM
The phone firmware upgrade seems to fix the issue. Now I just have to assign IPs to the Guest VLAN.
Thanks for your help jafrazie and everyone else.
Anand