Dot1x multi-domain on Catalyst 2960

Answered Question
Feb 20th, 2009

Hello,


I upgraded my 2960 with the latest LAN Base release 12.2(46)SE, which includes Multi-Domain Authentication (MDA), and tried to set up what is described here:


http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml


I have the following exceptions in my setup:


1) Cat 2960 with latest IOS release 12.2(46)SE which supports MDA;

2) Using Win2K IAS as radius server; and

3) Third party IP Phone (Avaya) with dot1x supplicant enabled. I have a PC with dot1x capability connected to the second port of the IP phone.


This is what I have configured on the IP Phone port:


interface FastEthernet0/9
 switchport access vlan 221
 switchport mode access
 switchport voice vlan 222
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x violation-mode protect
 dot1x timeout reauth-period 30
 dot1x reauthentication
 spanning-tree portfast


I have also configured the Win2K IAS Radius server to send RADIUS attribute "cisco-av-pair" to tell the Authenticator (Cisco Catalyst 2960) that a Supplicant (IP Phone) is allowed on the voice VLAN as described in the config-notes link above.


When the IP Phone supplicant starts to authenticate, it succeeds but that port does not authorize the VOICE domain even though the 2960 receives the RADIUS attribute "cisco-av-pair" from the Radius server. I have confirmed receipt of this attribute through debugging on the switch.


RADIUS: Received from id 1645/64 160.2.100.74:1645, Access-Accept, len 110
17:02:38: RADIUS:  authenticator 7D AC 50 FE 14 B4 DC FC - 3A A4 E5 3F 76 1E 62 C3
17:02:38: RADIUS:  EAP-Message         [79]  6
17:02:38: RADIUS:   03 05 00 04
17:02:38: RADIUS:  Class               [25]  32
17:02:38: RADIUS:   44 05 05 A2 00 00 01 37 00 01 A0 02 64 4A 01 C9 1E 33 79 52 58 D8 00 00 00 00 00 00 E7 1B  [ D7dJ3yRX]
17:02:38: RADIUS:  Vendor, Cisco       [26]  34
17:02:38: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
17:02:38: RADIUS:  Message-Authenticato[80]  18
17:02:38: RADIUS:   D9 42 78 AF 88 26 C7 5A E0 65 B0 83 68 5E 51 0F  [ Bx&Zeh^Q]
17:02:38: RADIUS(00000009): Received from id 1645/64
17:02:38: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes

Cat2960#show dot1x int fa0/9 details

Dot1x Info for FastEthernet0/9
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_DOMAIN
Violation Mode            = PROTECT
ReAuthentication          = Enabled
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthPeriod              = 30 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

Dot1x Authenticator Client List
-------------------------------
Domain                    = DATA
Supplicant                = 0004.0d9b.46d8
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE
Port Status               = AUTHORIZED
ReAuthPeriod              = 30
ReAuthAction              = Reauthenticate
TimeToNextReauth          = 20
Authentication Method     = Dot1x
Authorized By             = Authentication Server
Vlan Policy               = N/A


I don't think I need CDP to authorize the Voice domain if the Radius server is sending the "cisco-av-pair" attribute.


Have I misunderstood the concept?


Thanks!

Correct Answer
jafrazie Sat, 02/21/2009 - 07:43

Can you share the switch config?

Are you missing aaa authorization network default group radius for example?
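The answer above is the whole fix: without aaa authorization network default group radius the switch authenticates the supplicant but never applies the authorization attributes carried in the Access-Accept, so the cisco-av-pair arrives (the debug radius output proves it) and the phone is still placed in the DATA domain with "Vlan Policy = N/A", exactly as the show dot1x output earlier in the thread shows. The following is an added example, not part of the original thread and not Cisco's tooling: a small Python checker that lints a saved running-config for the global and per-port commands an MDA voice port needs, and reads a debug radius capture for the voice av-pair, so the two halves of the problem (server policy versus switch config) can be told apart. The global section of the sample config is an assumption, since the poster only showed the port, the port sample is trimmed to the lines the check cares about, and the command wording follows IOS 12.2(46)SE as quoted on this page.

```python
# Added example: lint a Catalyst running-config for what IOS 12.2(46)SE needs before
# a RADIUS "device-traffic-class=voice" av-pair can place a supplicant in the VOICE
# domain of a dot1x multi-domain port. Command wording is an assumption from the thread.
import re

# Global commands; "radius-server host" is matched as a prefix because it takes arguments.
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",   # the line the thread found missing
    "dot1x system-auth-control",
    "radius-server host",
]
# Per-interface commands an MDA port needs alongside "dot1x host-mode multi-domain".
REQUIRED_MDA_INTERFACE = [
    "switchport mode access",
    "switchport voice vlan",
    "dot1x pae authenticator",
    "dot1x port-control auto",
]


def has_command(lines, cmd):
    """True if cmd appears exactly, or followed by arguments, in the given lines."""
    return any(line == cmd or line.startswith(cmd + " ") for line in lines)


def parse_config(text):
    """Split an IOS config into top-level lines and per-interface sub-command lists."""
    global_lines, interfaces, current = [], {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):               # indented: belongs to the open block
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        m = re.match(r"^interface (\S+)$", line)
        current = m.group(1) if m else None    # any other top-level line closes the block
        if current is not None:
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def check_mda_config(text):
    """Return a list of findings; an empty list means nothing required is missing."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: missing '{cmd}'"
                for cmd in REQUIRED_GLOBAL if not has_command(global_lines, cmd)]
    for name, lines in interfaces.items():
        if has_command(lines, "dot1x host-mode multi-domain"):
            findings += [f"{name}: missing '{cmd}'"
                         for cmd in REQUIRED_MDA_INTERFACE if not has_command(lines, cmd)]
    return findings


def voice_avpair_present(debug_radius_output):
    """True if a 'debug radius' capture carries the Cisco av-pair that selects the VOICE domain."""
    return '"device-traffic-class=voice"' in debug_radius_output


def diagnose(config, debug_radius_output):
    """One-line verdict: is the problem on the RADIUS side or on the switch side?"""
    if not voice_avpair_present(debug_radius_output):
        return "no device-traffic-class=voice av-pair in the Access-Accept: fix the RADIUS policy first"
    findings = check_mda_config(config)
    if findings:
        return "av-pair received but the switch cannot apply it: " + "; ".join(findings)
    return "config complete: the supplicant should be authorized in the VOICE domain"


# Constructed sample: the poster's port (trimmed) plus an assumed global section that
# has dot1x authentication but no network authorization; the thread never shows it.
CONFIG_BEFORE = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 160.2.100.74 auth-port 1645 acct-port 1646 key s3cret
!
interface FastEthernet0/9
 switchport access vlan 221
 switchport mode access
 switchport voice vlan 222
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x violation-mode protect
"""
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "aaa authentication dot1x default group radius\n",
    "aaa authentication dot1x default group radius\naaa authorization network default group radius\n")

# Constructed excerpt shaped like the 'debug radius' lines quoted in the thread.
DEBUG_SAMPLE = """\
17:02:38: RADIUS: Received from id 1645/64 160.2.100.74:1645, Access-Accept, len 110
17:02:38: RADIUS:  Vendor, Cisco       [26]  34
17:02:38: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
"""

if __name__ == "__main__":
    print(diagnose(CONFIG_BEFORE, DEBUG_SAMPLE))
    print(diagnose(CONFIG_AFTER, DEBUG_SAMPLE))
```

Run it against a copy of show running-config and a debug radius capture from the switch; the first verdict it prints for the constructed "before" config names the authorization line, the second reports the config as complete. The check is deliberately prefix-based rather than a full IOS parser, so it tolerates extra arguments on radius-server host and switchport voice vlan but will not see a named method list used instead of default.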

ksng2000 Mon, 02/23/2009 - 03:45

You are spot on! It's working now. Thank you very much!
