11-29-2010 02:23 AM - edited 02-21-2020 04:10 AM
I have been struggling with getting our Juniper IC4500 NAC to send VLAN assignments to my Cisco switches for some time now.
Last night I managed to get the switch to accept VLAN tags for ports with a Cisco IP phone on them and assign the proper VLAN tag.
Nov 29 11:10:43.306: %MAB-5-SUCCESS: Authentication successful for client (001a.a1d0.46e4) on Interface Fa0/2 AuditSessionID AC1202A00000001102E90153
Nov 29 11:10:43.306: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001a.a1d0.46e4) on Interface Fa0/2 AuditSessionID AC1202A00000001102E90153
Nov 29 11:10:43.306: %AUTHMGR-5-VLANASSIGN: VLAN 400 assigned to Interface Fa0/2 AuditSessionID AC1202A00000001102E90153
That's all well and fine.
Next issue. I want to connect a PC behind the IP phone as well.
Strangely this also works, but it assigns the PC the same VLAN as the IP phone.
The solution to get the IP phone VLAN tag working, as far as I can tell, was to completely remove the switchport voice vlan xxx tag from the switch port.
Normally, I'd just use
switchport access vlan xxx
switchport voice vlan xxx
However, with the current setup and the IC4500, it seems I have to remove the voice parameter. I'm rather new to dot1x at root, so this might be the general consensus for all I know.
Anyway, is there something switch-related I have to consider to get the VLAN assigned correctly to the attached PC behind the phone, or is this a phone or RADIUS issue within the IC unit?
Any advice would be greatly appreciated!!
This is my current switchport config; it's on a Cisco Cat 3560 using IPSERVICES:
Global:
authentication mac-move permit
aaa authentication login default line local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
interface FastEthernet0/2
switchport access vlan 5
switchport mode access
authentication host-mode multi-host
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x max-reauth-req 1
spanning-tree portfast
---
Best regards,
Frank James Wilson
Network & Security Bama Gruppen AS
12-24-2010 01:56 AM
Hi Frank,
When using IP phones with a client behind (both authenticated via 802.1X), the most common host-mode is multi-domain:
authentication host-mode multi-domain
Multi-host is generally being used to authenticate one single device on the 802.1X port, and then let any other device behind get through the same port.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1271507
So your interface configuration should look more like the following:
interface FastEthernet0/2
switchport access vlan 5
switchport mode access
switchport voice vlan 400
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x max-reauth-req 1
spanning-tree portfast
On top of this, if you are using Cisco IP phones, the best way to tell the switch to place them in the voice vlan after a successful authentication is to have the Radius server passing back the following attribute:
cisco-av-pair:device-traffic-class=voice
Hope this helps,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
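To make the difference between the two host modes concrete, here is an added example (not code from the thread or from Cisco): a small Python model of how a port decides where an accepted endpoint lands under multi-host versus multi-domain. It parses the interface config shown above, treats the cisco-av-pair value from the reply as the voice marker, and assumes Tunnel-Private-Group-ID carries a numeric VLAN id; the MAC addresses and RADIUS attribute dictionaries used are constructed samples.

```python
import re

VOICE_AVP = "device-traffic-class=voice"  # cisco-av-pair value named in the reply

def parse_interface(config_text):
    """Extract access VLAN, voice VLAN and host-mode from IOS interface config."""
    cfg = {"access_vlan": None, "voice_vlan": None, "host_mode": "single-host"}
    patterns = {"access_vlan": r"switchport access vlan (\d+)",
                "voice_vlan": r"switchport voice vlan (\d+)",
                "host_mode": r"authentication host-mode (\S+)"}
    for line in config_text.splitlines():
        for key, pat in patterns.items():
            m = re.fullmatch(pat, line.strip())
            if m:
                cfg[key] = m.group(1) if key == "host_mode" else int(m.group(1))
    return cfg

class Port:
    """Authorization state of one switch port (simplified model, not IOS code)."""
    def __init__(self, config_text):
        self.cfg = parse_interface(config_text)
        self.sessions = {}  # domain -> {"mac": ..., "vlan": ...}

    def authorize(self, mac, radius_attrs):
        """Return (domain, vlan) for an endpoint the RADIUS server accepted."""
        mode = self.cfg["host_mode"]
        if mode == "multi-host" and self.sessions:
            # multi-host: only the first endpoint is authenticated; later ones
            # ride the same port and therefore land in the same VLAN.
            return ("DATA", next(iter(self.sessions.values()))["vlan"])
        is_voice = VOICE_AVP in radius_attrs.get("cisco-av-pair", [])
        domain = "VOICE" if is_voice and mode == "multi-domain" else "DATA"
        if domain in self.sessions:
            raise ValueError(f"{mode}: second device in {domain} domain is a violation")
        if domain == "VOICE":
            if self.cfg["voice_vlan"] is None:
                raise ValueError("voice endpoint but no 'switchport voice vlan' on port")
            vlan = self.cfg["voice_vlan"]
        else:
            # data endpoints take the RADIUS-assigned VLAN (assumed numeric), else the access VLAN
            vlan = int(radius_attrs.get("Tunnel-Private-Group-ID", self.cfg["access_vlan"]))
        self.sessions[domain] = {"mac": mac, "vlan": vlan}
        return (domain, vlan)

# Constructed sample port matching the corrected config in the reply above.
PHONE_PORT = """interface FastEthernet0/2
 switchport access vlan 5
 switchport voice vlan 400
 authentication host-mode multi-domain
"""
```

Running the same phone-then-PC sequence against the port with `multi-host` substituted reproduces the symptom from the first post: the PC silently inherits the phone's VLAN instead of getting its own.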
06-09-2012 03:02 PM
Hi Federico,
I'm having a similar issue with a Juniper IC and Cisco switches.
I have applied the multi-domain command to the switch ports and also have added the AV pair for voice traffic. But here is my problem. The phone will authenticate and will be assigned to the voice VLAN, but if you plug a PC into the PC port of the phone, it authenticates but doesn't get assigned any VLAN, so it just keeps authenticating.
At this point I don't know if the issue is still with the attributes in the Juniper IC or with the switch port config.
Here is an example config of the switch port.
IT-Test#sh run int gi0/6
Building configuration...
Current configuration : 496 bytes
!
interface GigabitEthernet0/6
switchport access vlan 20
switchport mode access
switchport voice vlan 10
authentication control-direction in
authentication event fail action authorize vlan 999
authentication event server dead action authorize
authentication host-mode multi-domain
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication violation protect
mab
dot1x pae authenticator
spanning-tree portfast
end
In the sample below, you are supposed to have the same output for voice and for data.
IT-Test#sh auth sess int g0/6
Interface: GigabitEthernet0/6
MAC Address: 000e.3833.9ccd
IP Address: Unknown
User-Name: 000e38339ccd
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: in
Authorized By: Authentication Server
Session timeout: 3600s (local), Remaining: 3295s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: C0A8190500004DB706A26A44
Acct Session ID: 0x00004DBC
Handle: 0x32000DC3
Runnable methods list:
Method State
mab Authc Success