I have an issue configuring 802.1x for my customer. I'm using the following components:
Supplicant : Windows XP Native IEEE 802.1x
Authenticator : Cisco Catalyst 3560G-48PS-S, IOS version 12.2(44)SE2
Authentication server : CiscoSecure ACS Release 4.1(4) Build 13 Patch 10
An LG-Nortel IP phone (model: LIP-6812D, hardware version 2.1, software version 1.2.06s) connects to the 802.1x enabled switch port. A PC with Windows XP 802.1x enabled connects to the phone's PC port. EAP-MD5 is used.
Since it is a non-Cisco phone and the administrator confirmed it does not have an 802.1x supplicant, I configured Multi-Domain Authentication (MDA). The phone will be authenticated using MAC Authentication Bypass (MAB) in the VOICE domain and the PC will be authenticated using 802.1x in the DATA domain.
My switch port config is as follows:
switchport access vlan 70
switchport mode access
switchport voice vlan 71
no snmp trap link-status
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x violation-mode protect
dot1x max-reauth-req 1
dot1x guest-vlan 999
Please see the attached file "hps07354_switch_config.log" for the full config.
MAB of the LG-Nortel IP phone is successful. Please see the attached log file "IP_Phone.log". The MAC address of the phone is 0040.5a17.c630.
The issue arises when I connect a PC behind the phone after the phone is authorized in the VOICE domain. As soon as the PC is connected to the phone, the switch sends an Access-Request to RADIUS with Service-Type=10. This looks like MAB to me. I'm expecting 802.1x to take place because I enabled 802.1x on the PC's LAN connection.
RADIUS returns an Access-Reject. In the ACS Failed Attempts log, there's an entry with User-Name=001e37823378 (the PC's MAC address) and Authen-Failure-Code=ACS user unknown. I suspect the phone is blocking the PC's EAPOL packets from reaching the switch. However, if that is true, the switch should have waited for 802.1x to time out (in my config, it is set to 60 seconds) before kicking in MAB. Right? Please refer to the attached log file "PC_behind_IP_Phone.log".
If I connect the PC directly to the switch port (with the same config), I have no issue. 802.1x takes place and the user is successfully authenticated using EAP-MD5. Please refer to the attached log file "PC_Direct_to_Switchport.log".
Please advise how to resolve this issue.
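An added triage script (not part of the original post, not Cisco or ACS code) that applies the reasoning used above to a failed-attempts export: Service-Type 10 (Call-Check) together with a MAC-formatted User-Name means the switch fell back to MAB, while Service-Type 2 (Framed) means an 802.1x session, so MAB rejects for hosts that were expected to do 802.1x can be listed per port. The key=value line format and the sample records are constructed, not the real ACS export format; map your export's columns onto the same keys.

```python
"""Tell MAB from 802.1x in RADIUS failed-attempt records and flag unexpected MAB."""
import re

# RFC 2865 Service-Type values a Cisco switch sends: Call-Check (10) for MAB,
# Framed (2) for an 802.1x session.
SERVICE_TYPE_NAMES = {2: "Framed", 10: "Call-Check"}
# MAB sends the MAC as User-Name in 12-hex-digit form (e.g. 001e37823378).
MAC_USERNAME = re.compile(r"^[0-9a-f]{12}$", re.I)

# Constructed sample records modelled on the situation in the post:
# phone MAB accepted, then a MAB reject for the PC behind it, then a normal 802.1x logon.
SAMPLE_LOG = """\
time=10:00:00 nas_port=GigabitEthernet0/5 user=00405a17c630 service_type=10 result=Accept
time=10:00:42 nas_port=GigabitEthernet0/5 user=001e37823378 service_type=10 result=Reject failure=ACS user unknown
time=10:05:10 nas_port=GigabitEthernet0/6 user=jsmith service_type=2 result=Accept
"""


def parse_record(line):
    """Parse one constructed key=value line; values may contain spaces."""
    fields = {m.group(1): m.group(2)
              for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", line.strip())}
    fields["service_type"] = int(fields["service_type"])
    return fields


def classify(rec):
    """Return 'MAB', '802.1x' or 'unknown' from Service-Type and User-Name format."""
    if rec["service_type"] == 10 and MAC_USERNAME.match(rec["user"]):
        return "MAB"
    if rec["service_type"] == 2:
        return "802.1x"
    return "unknown"


def find_unexpected_mab(log_text, known_mab_macs):
    """Rejected MAB attempts whose MAC is not a device expected to use MAB (e.g. the phone).

    Each finding is (nas_port, mac, failure_reason); a hit means the switch tried MAB
    for a host that should have authenticated with 802.1x on that port.
    """
    expected = {m.lower() for m in known_mab_macs}
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if (classify(rec) == "MAB" and rec["result"] == "Reject"
                and rec["user"].lower() not in expected):
            findings.append((rec["nas_port"], rec["user"], rec.get("failure", "")))
    return findings


if __name__ == "__main__":
    for port, mac, why in find_unexpected_mab(SAMPLE_LOG, {"00405a17c630"}):
        print(f"{port}: MAB reject for {mac} ({why}); expected 802.1x on this host")
```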