7960 and 802.1x

ak7246
Level 1

I am trying to implement 802.1x on our network. We mostly have Cisco 7960 phones, which don't support 802.1x. However, I thought you can configure a VOICE VLAN and they can still work. However, the switch seems to put the phone in the Guest VLAN because of authentication failure. Here's my configuration on the port.

I will appreciate any help on this.

thanks

Anand

interface FastEthernet0/7
 switchport access vlan 17
 switchport mode access
 switchport voice vlan 3030
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout tx-period 10
 dot1x reauthentication
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
 dot1x auth-fail max-attempts 2
 spanning-tree portfast

16 Replies

jafrazie
Cisco Employee

You have Multi-Domain auth turned on, per:

dot1x host-mode multi-domain

This means you must authenticate the phone with 802.1X or MAC-Auth. If this is your desire, this will help:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA

Huh!! Somehow I had this working before when I did similar testing. I just copied the configs to the new switch.

Taking off the multi-domain command seems to help.

Thanks Jason.

Anand

Yep. To be clear, taking that off now allows the phone to get into the network "for free" just b/c it can do CDP with the switch. Essentially, the phone is ignored entirely based on a CDP-exchange.

Thanks. Now I am running into another issue. When I connect the computer to the phone, even though the computer has a valid certificate it goes into the Guest VLAN. I have to issue the reauthenticate cmd to allow it to get the proper VLAN. I have configured the supplicant on the computer, have the dot1x guest-vlan supplicant command configured on the switch, and my 7960 phone is running 8.0 (9.0). But it doesn't seem to help.

Anand

Make sure your supplicant is configured for EAPOL-Starts. MSFT doesn't have this enabled by default with anything XP SP2 and below. Else, the port will be in the guest-vlan just after you plug the phone in and stay there.

Yes, I do have SupplicantMode=3 configured on the Laptops. I had used the same computers for my previous testing.

For some reason I am seeing mixed results. Now when I have a computer without a valid certificate, the switch puts it in the Guest VLAN. But then it takes it out and puts it in the Unauthorized state (no access) after 30 secs. This keeps repeating, so the port keeps bouncing from the Guest VLAN to the Unauthorized state. I have attached the logs and also the configuration.

I am still trying to identify why this is happening.

Thanks

Anand

Make sure this machine works when you plug it directly into the switch. From the log, the machine sends an EAPOL-Start and then doesn't answer the switch's initial identity request. This could indicate that there is in fact no cert on the box for it to use.

Yes, the machine I used to get this log DOES NOT have the certificate. So it should be assigned the GUEST VLAN and stay in the GUEST VLAN. But instead, it (the switch port) keeps flapping between the GUEST VLAN and Unauthorized status. You can see that in the logs I attached. This is the same even if I connect the laptop directly to the switch.

The machine WITH a valid certificate staying in GUEST is another issue, and it looks intermittent at this time.

Well, your supplicant is sending an EAPOL-Start to the switch, which to the switch is an indication that the client is in fact capable of running 1X, so it removes the Guest-VLAN and tries to authenticate it.

Yes, even though the client is capable of running 802.1x, it doesn't have a valid certificate. So the authentication should fail and it should be assigned the auth-failed VLAN, which is 999. The switch actually assigns that VLAN but then keeps flapping.

If you take a look at the log, you see the following messages right after it assigns the GUEST VLAN, which I don't understand.

23:16:04: dot1x-ev:Found the default authenticator instance on FastEthernet0/11
23:16:04: dot1x-ev:dot1x_guest_vlan_set_eapol_seen: Deactivated guest VLAN 999 on port FastEthernet0/11
23:16:04: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 0 on interface FastEthernet0/11 in DATA domain
23:16:04: dot1x-ev:vlan 999 vp is removed on interface FastEthernet0/11
23:16:04: dot1x-ev:ignored vlan 17 vp is added on interface FastEthernet0/11
23:16:04: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/11
23:16:04: dot1x-ev:Setting vlan to 0 for FastEthernet0/11 on data Vlan

The client is not failing authentication. It's timing out on authentication. Failing would mean you get a reject back from RADIUS, EAPOL-Failure message to client, etc.

Yes Right.

Looks like if the computer is 802.1x capable but doesn't have the cert, then it doesn't work.

Are you aware of a way to fix this?

Thanks

Anand

This is what the dot1x guest-vlan supplicant should do. I think MSFT supplicant will give up sending EAPOL after 3 attempts.

Understood. I successfully tested the Computer that supports 802.1x Supplicant but has an invalid certificate.

However, I also noticed that the switch interface flaps between the Guest VLAN and the Unauthorized state if I use a computer which is not an 802.1x supplicant. This is the case if the computer is connected directly to the switch or connected through an IP phone. This will be a usual situation in the company for the guest users. I thought dot1x guest-vlan supplicant should have fixed this and put the port in the Guest VLAN.

Anand
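The flap described in this thread leaves a recognisable trace in the dot1x-ev debug output: the same port gets a "Deactivated guest VLAN" event over and over. The following script is an added example, not part of the original thread or of any Cisco tool; it parses lines in the format shown above and flags ports that leave the guest VLAN repeatedly within a short window. The sample log is constructed for the example and only reuses the message shapes visible in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the dot1x-ev debug lines quoted in the thread.
# Fa0/11 loses its guest VLAN every 30 seconds (the flap); Fa0/7 does so once.
SAMPLE_LOG = """\
23:16:04: dot1x-ev:Found the default authenticator instance on FastEthernet0/11
23:16:04: dot1x-ev:dot1x_guest_vlan_set_eapol_seen: Deactivated guest VLAN 999 on port FastEthernet0/11
23:16:04: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 0 on interface FastEthernet0/11 in DATA domain
23:16:34: dot1x-ev:dot1x_guest_vlan_set_eapol_seen: Deactivated guest VLAN 999 on port FastEthernet0/11
23:16:34: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 0 on interface FastEthernet0/11 in DATA domain
23:17:04: dot1x-ev:dot1x_guest_vlan_set_eapol_seen: Deactivated guest VLAN 999 on port FastEthernet0/11
23:17:04: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 0 on interface FastEthernet0/11 in DATA domain
23:16:10: dot1x-ev:dot1x_guest_vlan_set_eapol_seen: Deactivated guest VLAN 999 on port FastEthernet0/7
"""

# Matches only the guest-VLAN teardown message seen in the thread.
DEACTIVATE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}): dot1x-ev:dot1x_guest_vlan_set_eapol_seen: "
    r"Deactivated guest VLAN (?P<vlan>\d+) on port (?P<port>\S+)$"
)


def parse_guest_vlan_exits(log_text):
    """Return {port: [(seconds_since_midnight, vlan), ...]} for each teardown.

    The debug timestamps carry no date, so a midnight rollover is not handled.
    """
    exits = defaultdict(list)
    for line in log_text.splitlines():
        m = DEACTIVATE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s = (int(x) for x in m["ts"].split(":"))
        exits[m["port"]].append((h * 3600 + mi * 60 + s, int(m["vlan"])))
    return exits


def find_flapping_ports(log_text, min_exits=3, window_seconds=120):
    """Ports whose guest VLAN was torn down min_exits or more times within window_seconds.

    A single teardown is normal (EAPOL seen, authentication attempted). Repeated
    teardowns on one port mean it keeps falling back to the guest VLAN and leaving
    it again, which is the Guest VLAN / Unauthorized bounce described in the thread.
    """
    flapping = {}
    for port, events in parse_guest_vlan_exits(log_text).items():
        times = sorted(t for t, _ in events)
        for i in range(len(times) - min_exits + 1):
            if times[i + min_exits - 1] - times[i] <= window_seconds:
                flapping[port] = {"exits": len(times), "vlan": events[0][1]}
                break
    return flapping
```

Running `find_flapping_ports(SAMPLE_LOG)` reports only FastEthernet0/11; feed it the output of the dot1x event debug from a real switch to find which ports are bouncing before looking at supplicant settings.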
