dot1x - Juniper IC4500 vs Cisco Cats + Iphone and PC

Unanswered Question
Nov 29th, 2010

I have been struggeling with getting our Juniper IC4500 NAC send VLAN assignments to my Cisco Switches for some time now.

Last night I managed to get the switch to accept VLAN tags for ports with a Cisco Iphone on it and assign it the proper VLAN tag.

Nov 29 11:10:43.306: %MAB-5-SUCCESS: Authentication successful for client (001a.a1d0.46e4) on Interface Fa0/2 AuditSessionID AC1202A00000001102E90153
Nov 29 11:10:43.306: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001a.a1d0.46e4) on Interface Fa0/2 AuditSessionID AC1202A00000001102E90153
Nov 29 11:10:43.306: %AUTHMGR-5-VLANASSIGN: VLAN 400 assigned to Interface Fa0/2 AuditSessionID AC1202A00000001102E90153

Thats all well and fine.

Next issue. I want to connect a PC behind the IPhone as well.

Strangely this also works, but it assigns the PC the same VLAN as the IPhone.

The solution to get the IPhone VLAN tag working, as far as I can tell, was to complete remove the switchport voice vlan xxx tag from the switch port.

Normally, I'd just use

switchport access vlan xxx

switchport voice vlan xxx

However, with the current setup and the IC4500, it seems I have to remove the voice parameter. I'm rather new to dot1x at root, so this might be a general consenses for all I know.

Anyway, is something switch related I have to consider to get the vlan assigned correctly to the attached PC behind the phone, or is this a phone or radius issue within the IC unit.

Any advice would be greatly appreciated!!

This is my current switchport config, its on a Cisco Cat 3560 using IPSERVICES:

Global:

authentication mac-move permi

aaa authentication login default line local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

dot1x system-auth-control

interface FastEthernet0/2
switchport access vlan 5
switchport mode access
authentication host-mode multi-host
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x max-reauth-req 1
spanning-tree portfast

---

Best regards,

Frank James Wilson

Network & Security Bama Gruppen AS

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (1 ratings)
fziliott Fri, 12/24/2010 - 01:56

Hi Frank,

When using IP phones with a client behind (both authenticated via 802.1X), the most common host-mode is multi-domain:

authentication host-mode multi-domain

Multi-host is generally being used to authenticate one single device on the 802.1X port, and then let any other device behind get through the same port.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1271507

So your interface configuration should look more like the following:

interface FastEthernet0/2
switchport access vlan 5
switchport mode access
switchport voice vlan 400
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x max-reauth-req 1
spanning-tree portfast

On top of this, if you are using Cisco IP phones, the best way to tell the switch to place them in the voice vlan after a successful authentication is to have the Radius server passing back the following attribute:

cisco-av-pair:device-traffic-class=voice

Hope this helps,

Fede

--
If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

willin007 Sat, 06/09/2012 - 15:02

Hi Fererico,

I'm having a similar issue with a Juniper IC and Cisco switches.

I have applied the multi-domain command to the switch ports and also have added the av pair for voice traffic. But here is my problem. The phone will authenticate and will be assigned to the voice vlan but if you plug in a pc on the pc port of the phone it authenticates but it doesn't get assigned any vlan so it justs keeps authenticating.

At this point i don't know if the issue is still with the attributes in the Juniper ic or the issue is with the switch port config.

Here is an example config of the switch port.

IT-Test#sh run int gi0/6

Building configuration...

Current configuration : 496 bytes

!

interface GigabitEthernet0/6

switchport access vlan 20

switchport mode access

switchport voice vlan 10

authentication control-direction in

authentication event fail action authorize vlan 999

authentication event server dead action authorize

authentication host-mode multi-domain

authentication order mab

authentication priority mab

authentication port-control auto

authentication periodic

authentication violation protect

mab

dot1x pae authenticator

spanning-tree portfast

end

On the sample below, you are supposed to have the same output for voice and for the data.

IT-Test#sh auth sess int g0/6

            Interface:  GigabitEthernet0/6

          MAC Address:  000e.3833.9ccd

           IP Address:  Unknown

            User-Name:  000e38339ccd

               Status:  Authz Success

               Domain:  VOICE

      Security Policy:  Should Secure

      Security Status:  Unsecure

       Oper host mode:  multi-domain

     Oper control dir:  in

        Authorized By:  Authentication Server

      Session timeout:  3600s (local), Remaining: 3295s

       Timeout action:  Reauthenticate

         Idle timeout:  N/A

    Common Session ID:  C0A8190500004DB706A26A44

      Acct Session ID:  0x00004DBC

               Handle:  0x32000DC3

Runnable methods list:

       Method   State

       mab      Authc Success

Actions

Login or Register to take actions

This Discussion

Posted November 29, 2010 at 2:23 AM
Stats:
Replies:2 Avg. Rating:5
Views:1576 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard