12.2(50)SE, 802.1x, Cisco IP Phones & Guest/Auth-Fail VLANs?

Unanswered Question
Mar 21st, 2009

This all worked prior to upgrading to the latest 12.2(50)SE IOS on Catalyst 3560's :o(

I have the following access port configuration:


interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 15
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 3
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no logging event link-status
 srr-queue bandwidth share 1 70 25 5
 srr-queue bandwidth shape 3 0 0 0
 priority-queue out
 authentication event fail retry 3 action authorize vlan 99
 authentication event server dead action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication port-control auto
 authentication periodic
 authentication timer restart 30
 authentication timer reauthenticate server
 no snmp trap link-status
 dot1x pae authenticator
 spanning-tree portfast
 service-policy input IPPHONE+PC-BASIC
 ip dhcp snooping limit rate 100


The previous 'dot1x' commands have been replaced with the 'authentication' commands but in theory should work the same as I checked in the latest documentation.

The scenario I have is Cisco IP Phones (7960, 7940 & 7970's all with the very latest firmware) in hot-desk areas each with a LAN cable available. The idea being a guest or an employee can connect their laptop. Authorised PCs (Domain Members) should be able to connect, authenticate via dot1x (machine or user authentication) and be placed into the access VLAN (10). Guests or messed-up PCs should be placed into the Guest or Auth-Fail VLAN (99). ACLs on the Guest VLAN SVI allow restrictive access.

With previous software releases this worked fine but now the port is placed in the Guest VLAN and never transitions to the access VLAN when a valid client is attached. If the port is manually reauthenticated (dot1x re-authenticate interface fastethernet0/1) or a PC is already connected to the IP Phone and the port is disconnected/connected from the switchport then it works. The phones are permanently connected, but the laptops aren't. There have been no changes to the clients, just the IOS. The clients are XP SP3 and Vista SP1 and get the Wired dot1x settings from a GPO.


It may be 12.2(50)SE needs some additional configuration? Does anyone have a similar setup that is working with 12.2(50)SE on 3560/3750s?


Andy

stuartgeddes Wed, 03/25/2009 - 21:49

Hi Andy,


I am having the same problem, albeit a slightly different scenario (using MAC authentication also).


I have tried all sorts of different configurations but can't seem to get it to work.


Might have to resort to logging a TAC case :(


Cheers,



andrew.butterworth Thu, 03/26/2009 - 09:49

Hi Stuart,


Was it working for you with earlier IOS releases? As I said this all seemed to work perfectly up to 12.2(46)SE but 12.2(50)SE seems to have broken it :o(


Andy

andrew.butterworth Mon, 03/30/2009 - 08:39

I think I have solved this now....


When I tested this previously I used a Windows XP SP2 workstation and had to change the SupplicantMode registry entry to 3 to force the client to begin the 802.1x EAPoL. During testing Microsoft released SP3 and split the 802.1x supplicant so there are now two services - one for Wired & one for Wireless. With both, settings can be configured via GPO (but need to be edited with Vista or Server 2008).

Due to SP3 making it easier I simply forgot about the SupplicantMode registry entry and the workstation I have been testing with is actually running Windows Server 2003. Unfortunately Microsoft haven't updated the 802.1x supplicant in Server 2003 (or the x64 version of XP) and it doesn't look like they are going to :o( This just means I need to make the registry changes on the 'workstations' that are running Server 2003. The existing XP SP3 machines (as well as Vista & Server 2008) are fine as they use the settings in a GPO that force this.


Andy

andrew.butterworth Sat, 04/04/2009 - 03:33

I have done some more testing and I am still seeing a problem where the switch doesn't respond to the dot1x supplicant's start frames.

I have the configuration as shown in the 1st post on several 'hot-desk' ports with 7960 & 7970 IP Phones. When the desk is free the access-port is assigned to the Guest/Auth-Fail VLAN (99), however there is obviously no supplicant as nothing is connected to the IP Phone, the phone is working fine.

I have spanned a port and have captured the traffic with Wireshark. When I connect a valid machine I can see the machine attempt to start dot1x but there are no replies. The machine sends three EAPoL starts that go unreplied. The machine then continues but is assigned to the Guest/Auth-Fail VLAN. If the machine is shut down it sends an EAPoL logoff (or the phone does the proxy thing) which the switch responds to and places the port in an unauthenticated state. On reboot the PC connects and authenticates as long as it is within the timeout period of the switch flipping the port into the Guest-Auth-Fail VLAN.


So what is happening is the switch is not responding to the EAPoL start frames from the PC behind the IP Phone once the access-port has fallen back to the Guest/Auth-Fail VLAN. I have tested this multiple times and the behaviour is consistent and it doesn't matter if the client is XP SP3 or Windows Server 2003 SP2 with the SupplicantMode set to 3.


This is not how it worked in previous IOS releases - The switch would respond to the EAPoL start frames when the access-port had fallen back to the Guest-Auth-Fail VLAN. The authentication control-direction is set to both so my understanding is the switch should respond to the EAPoL starts regardless of whether the port has fallen back to the Guest-Auth-Fail VLAN or not.


This looks like either a bug or a new behaviour that isn't documented?


Andy
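
The capture check described in the post above, as an added example that is not part of the original thread: it parses raw Ethernet frames from a SPAN capture and counts EAPOL-Start frames per supplicant that see no EAP-Request from the switch within a time window. The 5-second window, the MAC addresses, the timestamps and the sample frames are constructed assumptions; a request addressed to the 802.1X PAE group address is accepted as an answer as well as a unicast one.

```python
import struct

PAE_GROUP = bytes.fromhex("0180c2000003")       # 802.1X PAE group address
ETH_EAPOL, ETH_DOT1Q = 0x888E, 0x8100
EAPOL_EAP, EAPOL_START, EAP_REQUEST = 0, 1, 1   # EAPOL packet types; EAP code "Request"

def parse_eapol(frame):
    """Return (src, dst, eapol_type, eap_code), or None if not a usable EAPOL frame."""
    if len(frame) < 18:                         # Ethernet header + EAPOL header
        return None
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    if etype == ETH_DOT1Q:                      # skip a single 802.1Q tag if present
        (etype,) = struct.unpack_from("!H", frame, 16)
        off = 18
    if etype != ETH_EAPOL or len(frame) < off + 4:
        return None
    _ver, ptype, length = struct.unpack_from("!BBH", frame, off)
    eap_code = None
    if ptype == EAPOL_EAP and length >= 4 and len(frame) >= off + 8:
        eap_code = frame[off + 4]               # first byte of the EAP packet
    return src, dst, ptype, eap_code

def unanswered_starts(capture, window=5.0):
    """capture: (timestamp, frame_bytes) pairs. Returns {mac: unanswered Start count}."""
    starts, requests = [], []
    for ts, frame in capture:
        parsed = parse_eapol(frame)
        if parsed is None:
            continue
        src, dst, ptype, eap_code = parsed
        if ptype == EAPOL_START:
            starts.append((ts, src))
        elif eap_code == EAP_REQUEST:
            requests.append((ts, dst))
    missed = {}
    for ts, mac in starts:
        if not any(ts < rts <= ts + window and rdst in (mac, PAE_GROUP)
                   for rts, rdst in requests):
            missed[mac.hex(":")] = missed.get(mac.hex(":"), 0) + 1
    return missed

def build(dst, src, eapol_type, body=b""):      # helper for the constructed samples
    return dst + src + struct.pack("!HBBH", ETH_EAPOL, 1, eapol_type, len(body)) + body

PC, SW = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # made-up MACs
IDENTITY_REQ = struct.pack("!BBHB", EAP_REQUEST, 1, 5, 1)   # EAP-Request/Identity
BROKEN = [(t, build(PAE_GROUP, PC, EAPOL_START)) for t in (0.0, 30.0, 60.0)]
HEALTHY = BROKEN[:1] + [(0.1, build(PC, SW, EAPOL_EAP, IDENTITY_REQ))]
```

`unanswered_starts(BROKEN)` reports three missed Starts for the constructed PC, while `HEALTHY` reports none.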


rcierny Wed, 04/08/2009 - 08:47

Andrew,

We have experienced a similar issue.

We use MAB and guest vlan.

After reverting back to 12.2(44)SE6 issue disappeared. Did you submit this as a bug?


andrew.butterworth Wed, 04/08/2009 - 09:40

I haven't raised a TAC case as these switches aren't covered under any contracts. I was hoping someone from Cisco would reply and confirm this was either a bug or a 'feature' and tell us when (if?) this was going to be fixed.

I work for a Gold Partner but I can't raise cases without a valid contract number.


Andy

andrew.butterworth Fri, 04/17/2009 - 04:50

12.2(50)SE has been pulled from CCO....


The software pages on CCO seem to have moved around again and IOS for the Catalysts has gone a bit haywire. However the software is listed under the 'Switches' section - obvious really but a bit of communication about this change might have been useful.


Anyway 12.2(50)SE1 has been released. Nothing in the release notes about 802.1x and guest vlans unfortunately. I have just installed this on a 3560 and my initial test shows the same behaviour :o(


I need to have a bit more of a test but it isn't going to be today.


Andy

rcierny Sat, 04/18/2009 - 08:31

Thanks for the update (and hard work with testing) Andy!

Bummer regarding SE1...I had such high hopes for the 12.2(50) (so many slick features) but it appears nowadays new feature releases are half baked... I have spent an excessive amount of time testing only to be disappointed...
