MAB ACS 5.2 IP Phone

Unanswered Question
Nov 3rd, 2010

Hi,


I am unable to get my Cisco IP Phone to authenticate using MAB on ACS 5.2. The phone is not being allocated to the Voice VLAN, and hence is not getting an IP address from DHCP. My switch port config is below:



interface FastEthernet1/0/10
 switchport access vlan 11
 switchport mode access
 switchport voice vlan 2
 switchport port-security maximum 4
 authentication control-direction in
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 900
 authentication timer reauthenticate 5400
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
 spanning-tree bpduguard enable


It appears to be authenticating repeatedly. Am I missing configuration in ACS to allow the phone to the Voice VLAN? Under Authorization Profile I had Voice VLAN Permission to Join: set to Static, which is Yes (device-traffic-class=voice).


Capture of the authentication below:

*Mar  1 02:06:19.333: %AUTHMGR-5-START: Starting 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:06:19.350: %MAB-5-SUCCESS: Authentication successful for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:06:19.350: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:06:20.373: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:07:15.814: %AUTHMGR-5-START: Starting 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:07:15.822: %MAB-5-SUCCESS: Authentication successful for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:07:15.822: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:07:16.862: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:08:15.834: %AUTHMGR-5-START: Starting 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:08:15.851: %MAB-5-SUCCESS: Authentication successful for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:08:15.851: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:08:16.883: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001e.be91.6baa) on Interface Fa1/0/10



Thanks

jedubois Fri, 11/05/2010 - 11:32

Hello,

You can get more information about why it is cycling with (debug dot1x all, debug radius, debug authentication all, debug auth feature all). Also, ACS does not assign the phone to the voice VLAN; that is going to happen as if 802.1x was not enabled, and this will be via CDP, LLDP, DHCP or statically defined on the phone. The attribute device-traffic-class=voice assigns the phone to the voice domain, which is strictly an authentication manager designation.

--Jesse
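
Before turning on the debugs, the cycling itself can be measured from the syslog capture in the question. The script below is an added example, not part of either post: it flags any client that is authorized and then starts a new session sooner than the port's `authentication timer reauthenticate` value (5400 in the posted config). The function name `find_cycling` and its parameters are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the START / "Authorization succeeded" lines from the question.
SAMPLE = """\
*Mar  1 02:06:19.333: %AUTHMGR-5-START: Starting 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:06:20.373: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:07:15.814: %AUTHMGR-5-START: Starting 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:07:16.862: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:08:15.834: %AUTHMGR-5-START: Starting 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:08:16.883: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001e.be91.6baa) on Interface Fa1/0/10
"""

EVENT = re.compile(
    r"\*(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %AUTHMGR-5-(START|SUCCESS): "
    r".*?client \(([0-9a-fA-F.]+)\) on Interface (\S+)"
)

def find_cycling(log_text, reauth_timer=5400, min_restarts=2):
    """Map (mac, interface) -> gaps in seconds between session starts, for
    clients that were authorized and then started again before reauth_timer."""
    last_start, authorized = {}, set()
    gaps = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # other messages (MAB-5-SUCCESS, AUTHMGR-7-RESULT, ...)
        stamp, event, mac, intf = m.groups()
        # IOS timestamps carry no year; a fixed one is assumed for arithmetic.
        when = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S.%f")
        key = (mac.lower(), intf)
        if event == "SUCCESS":
            authorized.add(key)
            continue
        # A new START after a successful authorization, earlier than the timer.
        if key in authorized and key in last_start:
            gap = (when - last_start[key]).total_seconds()
            if gap < reauth_timer:
                gaps[key].append(gap)
        authorized.discard(key)
        last_start[key] = when
    return {k: v for k, v in gaps.items() if len(v) >= min_restarts}

if __name__ == "__main__":
    for (mac, intf), secs in find_cycling(SAMPLE).items():
        print(mac, intf, "restarted after", [round(s, 1) for s in secs], "s")
```

On the capture above this reports restarts roughly every 60 seconds, far short of the 5400-second reauthentication timer, which points at something tearing the session down rather than at periodic reauthentication.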
