802.1x multidomain not working

Unanswered Question
Sep 17th, 2010

Hello team:

I configured multidomain on a Cisco 3650 port (12.2(53)SE1), and connected a 7941 Phone and laptop behind it. The phone gets successfully authenticated but the PC does not get fully connected. The PC adapter's icon shows an "authentication error" message.

The same PC, connected to another port (same commands except "authentication host-mode multi-domain"), works perfectly, including the new VLAN and ACL assigned from ACS.

Any ideas what I could be doing wrong?

This is the configuration on the switch port where the PC chained to the phone fails:

interface FastEthernet0/6
switchport access vlan 701
switchport mode access
switchport voice vlan 123
authentication event fail action next-method
authentication event server dead action authorize vlan 704
authentication event no-response action authorize vlan 701
authentication host-mode multi-domain
authentication open
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast

This is the configuration on the switch port where the PC without a phone works OK (exactly the same config, except for multidomain):

interface FastEthernet0/7
switchport access vlan 701
switchport mode access
switchport voice vlan 123
authentication event fail action next-method
authentication event server dead action authorize vlan 704
authentication event no-response action authorize vlan 701
authentication open
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast

When the PC fails to get connected, I see the following messages on the switch:

Sep 17 18:36:18: %DOT1X-5-SUCCESS: Authentication successful for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-5-FAIL: Authorization failed for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC

Any hints will be greatly appreciated.

Best regards, Rogelio

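As an added example (not part of the original post), the following Python script parses switch syslog lines of the kind shown above and flags, per AuditSessionID, the sequence worth alerting on: 802.1X authentication succeeded, the authorization step then failed, and the result was overridden by a local fallback so the client was authorized with something other than the policy the RADIUS server returned. The sample input is the thread's own five messages plus one constructed clean session for the phone MAC; the regex, function names and the constructed session ID are my own assumptions, not anything from the switch or from Cisco.

```python
import re
from collections import defaultdict

# Sample input: the five messages from the post, re-joined onto single lines, plus a
# constructed clean session (second AuditSessionID and its timestamps are made up).
SAMPLE_LOG = """\
Sep 17 18:36:18: %DOT1X-5-SUCCESS: Authentication successful for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-5-FAIL: Authorization failed for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:40:02: %DOT1X-5-SUCCESS: Authentication successful for client (001e.138c.5bf5) on Interface Fa0/6 AuditSessionID 0A01460A000000320080FE10
Sep 17 18:40:02: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001e.138c.5bf5) on Interface Fa0/6 AuditSessionID 0A01460A000000320080FE10
"""

# One regex for the shape shared by the DOT1X and AUTHMGR messages above (assumption:
# other message variants are simply skipped rather than parsed).
MSG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): %(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z_]+): "
    r".*?client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-F]+)"
)


def parse_events(log_text):
    """Turn each recognised syslog line into a dict; unrecognised lines are dropped."""
    events = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def sessions_by_id(events):
    """Group events by AuditSessionID, preserving the order they were logged in."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev["sid"]].append(ev)
    return sessions


def find_overridden_sessions(log_text):
    """For every session, report whether authc succeeded, authz failed and the result
    was then overridden. That combination means the host is on the port under a
    local fallback rather than under the policy the RADIUS server sent back."""
    findings = {}
    for sid, evs in sessions_by_id(parse_events(log_text)).items():
        seq = [e["mnemonic"] for e in evs]
        authc_ok = "DOT1X-5-SUCCESS" in seq
        authz_failed = "AUTHMGR-5-FAIL" in seq
        overridden = "DOT1X-5-RESULT_OVERRIDE" in seq
        findings[sid] = {
            "mac": evs[0]["mac"],
            "interface": evs[0]["intf"],
            "sequence": seq,
            "authz_overridden": authc_ok and authz_failed and overridden,
        }
    return findings


if __name__ == "__main__":
    for sid, info in find_overridden_sessions(SAMPLE_LOG).items():
        flag = "ALERT" if info["authz_overridden"] else "ok"
        print(f"{flag:5} {info['interface']} {info['mac']} session {sid}: {' -> '.join(info['sequence'])}")
```

Run it against a syslog export and the first session (the PC behind the phone) is flagged while the constructed phone session is not; the sequence list per session is what you would attach to a ticket when the switch reports "Authorization succeeded" yet the host shows an authentication error.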
rogelioalvez Fri, 09/17/2010 - 13:27

Guys, I found the context in which it fails.

The switch fails to authorize (but authentication is still OK) if CiscoSecure ACS sends the contents of an ACL when the port is configured in multidomain.

It does not matter whether the PC is directly attached to the port or behind a phone. As soon as I include the multidomain command, the switch fails to grant the PC the right to get into the port.

As soon as I remove the ACL information (either downloadable ACL or inacl# entries), the PC is successfully authenticated and moved to the VLAN ordered by ACS to the switch.

On the other hand, as I mentioned in my previous note, the ACL is successfully loaded to the port if this port is not configured in multidomain.

So the problem is with ACLs or ACL entries. Shouldn't this be supported on multidomain?

Any help will be greatly appreciated.

Regards, Rogelio

kuchma.stanislav Mon, 09/20/2010 - 14:08

Hello Rogelio

Can you check this on your configuration:

1. Remove authentication open from port config

2. Add ACL (some general ACL with few entries) to port

3. Add ip device tracking to global config

4. After authentication check the following: sh ip access-l and sh ip access-l int fax/x. If the output from the second command is empty, try executing sh auth session int fax/x detail. The switch should correctly recognize the IP address for the IP phone and PC. If not, this is a bug in IOS.

Regards,

Stas

rogelioalvez Mon, 09/20/2010 - 14:28

Hello Stan, thank you very much for your advice.

I will check on this tomorrow when I test in the customer site, and let you know.

Best regards,

rogelioalvez Tue, 09/21/2010 - 11:14

Hello Stas:

I tested as suggested, without success. Basically, I removed the "authentication open" command, added an ACL to the port (permit ip any any), and the "ip device tracking" command.

Now the switch failed to authorize BOTH ports (PC and Phone). Just in case of interest:

1. The output of the "show ip access-list interface Fa0/6" command is empty

2. The output of the "show auth session int fa 0/6" command is the following

Switch# sh auth session int fa0/6
            Interface:  FastEthernet0/6
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  701
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01460A0000009814F3D712
      Acct Session ID:  0x000000A2
               Handle:  0xAB000098

Runnable methods list:
       Method   State
       dot1x    Failed over

Switch#

Finally, I collected a set of syslog messages, just in case someone would like to take a look. 001e.138c.5bf5 is the Phone's MAC.

Thank you very much.

Regards, Rogelio

kuchma.stanislav Tue, 09/21/2010 - 12:15

Hello Rogelio

Could you also remove the following lines from fa0/6:

authentication event fail action next-method
authentication event server dead action authorize vlan 704
authentication event no-response action authorize vlan 701

authentication periodic

Also if you can't use Downloadable ACL please remove ACL from fa0/6.

Next, check the port settings. In the output from sh auth sess int fa0/6, Oper host mode is multi-host. This is incorrect. It should be multi-domain.

Next, in your first message you wrote that you have a phone and a PC behind the phone. How is your phone authenticated? By dot1x or MAB? In multidomain mode ACS should provide the switch with an av-pair for the voice VLAN.

Example from a 3750 with MAB for the phone and open auth for the PC:

sh authentication sessions interface gigabitEthernet 3/0/1
          Interface:  GigabitEthernet3/0/1
          MAC Address:  0001.0001.0001
           IP Address:   x.x.x.x
            User-Name:  000100010001
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC112E6A000002B5DA302795
      Acct Session ID:  0x000007AE
               Handle:  0x590002B5

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

Regards,

Stas
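As an added example (not code from either poster), the following Python parser turns the two "show authentication sessions interface" outputs in this thread into dicts and runs the checks Stas is asking for by hand: that Oper host mode matches what is configured on the port, that the session was authorized by the authentication server rather than a guest/fallback VLAN, that a client MAC was actually learned, and that at least one method reached Authc Success. The two sample outputs are copied from the posts above; the field handling, check thresholds and function names are my own assumptions.

```python
# Sample input 1: Rogelio's failing DATA session from his Sep 21 post.
FAILING_SESSION = """\
Switch# sh auth session int fa0/6
            Interface:  FastEthernet0/6
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  701
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01460A0000009814F3D712
      Acct Session ID:  0x000000A2
               Handle:  0xAB000098

Runnable methods list:
       Method   State
       dot1x    Failed over
"""

# Sample input 2: Stas's healthy VOICE session from a 3750 (phone via MAB).
HEALTHY_SESSION = """\
sh authentication sessions interface gigabitEthernet 3/0/1
          Interface:  GigabitEthernet3/0/1
          MAC Address:  0001.0001.0001
           IP Address:   x.x.x.x
            User-Name:  000100010001
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC112E6A000002B5DA302795
      Acct Session ID:  0x000007AE
               Handle:  0x590002B5

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""


def parse_auth_session(text):
    """Parse 'show authentication sessions interface' output into a dict.
    Field lines become key/value pairs; the 'Runnable methods list' table
    becomes session['methods'] = {method: state}. The echoed command line and
    the prompt are skipped (assumption: prompt ends with '#')."""
    session = {"methods": {}}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line.split(" ", 1)[0] or line.startswith("sh "):
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            if line.startswith("Method"):
                continue  # column header
            parts = line.split(None, 1)
            if len(parts) == 2:
                session["methods"][parts[0]] = parts[1]
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            session[key.strip()] = value.strip()
    return session


def check_session(session, expected_host_mode="multi-domain"):
    """Return a list of human-readable problems; an empty list means the session
    looks the way a correctly working multi-domain port should."""
    problems = []
    host_mode = session.get("Oper host mode")
    if host_mode != expected_host_mode:
        problems.append(f"Oper host mode is {host_mode!r}, expected {expected_host_mode!r}")
    authorized_by = session.get("Authorized By")
    if authorized_by != "Authentication Server":
        problems.append(f"authorized by {authorized_by!r}, not the authentication server")
    if session.get("MAC Address", "Unknown") == "Unknown":
        problems.append("no client MAC learned on the session")
    if not any(state == "Authc Success" for state in session["methods"].values()):
        states = ", ".join(f"{m}={s}" for m, s in session["methods"].items())
        problems.append(f"no method reached Authc Success ({states})")
    return problems


if __name__ == "__main__":
    for name, text in (("fa0/6", FAILING_SESSION), ("gi3/0/1", HEALTHY_SESSION)):
        problems = check_session(parse_auth_session(text))
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

On Rogelio's output every check fires, and the first one (multi-host reported on a port configured for multi-domain) is the mismatch Stas points at; on the 3750 output none fires. Pasting the "detail" variant of the command works the same way, since extra "key: value" lines are simply picked up as additional fields.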

rogelioalvez Tue, 09/21/2010 - 18:56

Hello Stas:

I am also confused about the output of the switch, since the configuration of the port says "multidomain". I will start it over from zero and let you know the results.

With respect to the phone, I am authenticating it with 802.1X. This works OK. I am not using MAB for it.

I have never used Downloadable ACLs. Instead, I have been using Cisco av-pairs ip:inacl#xx=permit ip . They work OK when not in multidomain.

I plan to visit the customer site in two or three days. I will let you know as soon as I get new output.

Thank you for your support.

Rogelio

MAGNUS SVENSSON Fri, 10/01/2010 - 01:26

Hi,

I have experienced the same problem and it has to be a BUG. I have a C4506 with gig access ports, ACS 5.1 and Cisco 7940 phones. If I run multi-host it works fine, but then I have security issues. If I switch to multi-domain all looks fine (success in the ACS logs and debug output), but the phone and client are not able to communicate (e.g. can't ping the default gw), although the phone and client receive an IP address.

I have logged a case at Cisco TAC and am waiting for an answer.

/Magnus

kuchma.stanislav Tue, 07/05/2011 - 13:51

Hello

The bug with Multi Domain Authentication has been fixed in Catalyst IOS since 12.5.50SE5 (Oct 2010). I think most IOS releases after Oct 2010 include the fix, but for me the problem on the 3750-48PSS was gone after I updated to 12.2.50SE5.

Stas
