02-20-2009 08:43 PM - edited 03-10-2019 04:20 PM
Hello,
I upgraded my 2960 with the latest LAN base release 12.2(46)SE which includes Multi Domain Authentication (MDA) and tried to set up what is described here:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml
I have the following exceptions in my setup:
1) Cat 2960 with latest IOS release 12.2(46)SE which supports MDA;
2) Using Win2K IAS as radius server; and
3) Third party IP Phone (Avaya) with dot1x supplicant enabled. I have a PC with dot1x capability connected to the second port of the IP phone.
This is what I have configured on the IP Phone port:
interface FastEthernet0/9
switchport access vlan 221
switchport mode access
switchport voice vlan 222
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x violation-mode protect
dot1x timeout reauth-period 30
dot1x reauthentication
spanning-tree portfast
I have also configured the Win2K IAS Radius server to send RADIUS attribute "cisco-av-pair" to tell the Authenticator (Cisco Catalyst 2960) that a Supplicant (IP Phone) is allowed on the voice VLAN as described in the config-notes link above.
When the IP Phone supplicant starts to authenticate, it succeeds but that port does not authorize the VOICE domain even though the 2960 receives the RADIUS attribute "cisco-av-pair" from the Radius server. I have confirmed receipt of this attribute through debugging on the switch.
RADIUS: Received from id 1645/64 160.2.100.74:1645, Access-Accept, len 110
17:02:38: RADIUS: authenticator 7D AC 50 FE 14 B4 DC FC - 3A A4 E5 3F 76 1E 62 C3
17:02:38: RADIUS: EAP-Message [79] 6
17:02:38: RADIUS: 03 05 00 04
17:02:38: RADIUS: Class [25] 32
17:02:38: RADIUS: 44 05 05 A2 00 00 01 37 00 01 A0 02 64 4A 01 C9 1E 33 79 52 58 D8 00 00 00 00 00 00 E7 1B [ D7dJ3yRX]
17:02:38: RADIUS: Vendor, Cisco [26] 34
17:02:38: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
17:02:38: RADIUS: Message-Authenticato[80] 18
17:02:38: RADIUS: D9 42 78 AF 88 26 C7 5A E0 65 B0 83 68 5E 51 0F [ Bx&Zeh^Q]
17:02:38: RADIUS(00000009): Received from id 1645/64
17:02:38: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Cat2960#show dot1x int fa0/9 details
Dot1x Info for FastEthernet0/9
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_DOMAIN
Violation Mode = PROTECT
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthPeriod = 30 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Dot1x Authenticator Client List
-------------------------------
Domain = DATA
Supplicant = 0004.0d9b.46d8
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
ReAuthPeriod = 30
ReAuthAction = Reauthenticate
TimeToNextReauth = 20
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = N/A
I don't think I need CDP to authorize the Voice domain if the Radius server is sending the "cisco-av-pair" attribute.
Have I misunderstood the concept?
Thanks!
02-21-2009 07:43 AM
Can you share the switch config?
Are you missing aaa authorization network default group radius for example?
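The global AAA lines the reply is pointing at, as an added example that is not part of the original post or the linked Cisco document. The interface block in the question only turns the port into an authenticator; the switch applies the returned cisco-av-pair (device-traffic-class=voice) only when network authorization is enabled. The server address is taken from the debug output above; the shared secret is a placeholder.

```cisco
! Added example, not from the original thread. Global configuration that the
! FastEthernet0/9 interface block in the question depends on.
aaa new-model
! Authenticate 802.1X supplicants against the RADIUS server group.
aaa authentication dot1x default group radius
! Authorize the port with attributes returned in the Access-Accept.
! Without this line the phone authenticates into the DATA domain only and the
! returned "device-traffic-class=voice" VSA is never acted on, which matches
! the "Domain = DATA" output seen in "show dot1x int fa0/9 details".
aaa authorization network default group radius
! Enable 802.1X globally; per-port "dot1x port-control auto" has no effect without it.
dot1x system-auth-control
! Server from the debug above; the shared secret is a placeholder to replace.
radius-server host 160.2.100.74 auth-port 1645 acct-port 1646 key RADIUS-SHARED-SECRET
```

After a reauthentication (the port is configured with a 30-second reauth period), "show dot1x interface fa0/9 details" should list the phone under Domain = VOICE rather than DATA; "show running-config | include aaa" is a quick way to confirm the authorization line is actually present.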
02-23-2009 03:45 AM
You are spot on! It's working now. Thank you very much!