802.1x: Can I use MAB to authenticate a phone on the voice VLAN?

Difan Zhao
Level 5

Hi experts,

I'm trying to configure my 3750 switch to authenticate phones and laptops separately on Voice and data vlan. Here is my config:

aaa group server radius FreeRadius
server 172.17.1.1 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group FreeRadius none
aaa authorization network default group FreeRadius none
aaa accounting dot1x default start-stop broadcast group FreeRadius
!

radius-server host 172.17.1.1 auth-port 1812 acct-port 1813 retransmit 0 key JAr5frAr
!

interface FastEthernet1/0/2
   switchport access vlan 417
   switchport mode access
   switchport voice vlan 418
   load-interval 30
   authentication event fail action authorize vlan 417
   authentication event no-response action authorize vlan 417
   authentication host-mode multi-domain
   authentication port-control auto
   authentication violation protect
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 3
   dot1x timeout supp-timeout 3
   spanning-tree portfast

The phone doesn't support 802.1x so I have to use MAB. This is for a hotel environment, so the laptop can be a hotel staff PC which supports 802.1x, or if it's a guest PC then it won't support 802.1x and needs to be put in the guest VLAN.

So the problem is that I can successfully authenticate the MAC of the phone however the Voice VLAN still doesn't allow the phone traffic to pass. After the "successful" authentication the phone can't get an IP on the Voice VLAN because all the DHCP request packets are dropped.

This is what I see on the switch:

*Mar  4 02:45:09.020: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
*Mar  4 02:45:10.026: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
*Mar  4 02:45:16.301: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67
*Mar  4 02:45:16.301: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67
*Mar  4 02:45:16.301: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67
*Mar  4 02:45:40.879: %AUTHMGR-5-START: Starting 'mab' for client (0015.62fe.07c1) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67
*Mar  4 02:45:40.888: %MAB-5-SUCCESS: Authentication successful for client (0015.62fe.07c1) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67
*Mar  4 02:45:40.888: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.62fe.07c1) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67
*Mar  4 02:45:41.911: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.62fe.07c1) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67

When I do "show dot1x interface f1/0/2 detail" I still see the port unauthorized...

Dot1x Info for FastEthernet1/0/2
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_DOMAIN
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 3
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 3

Dot1x Authenticator Client List Empty

Port Status               = UNAUTHORIZED

The switch works fine when I plug a laptop directly in the port, no matter whether it's authenticated by EAP or MAB.

Any ideas??

Thanks!

2 Replies

iilyinas
Level 3

Hi!

Yes, you can use MAB + dot1x in your scenario.

Dot1x info shows unauthorized, as you're indeed not authorized by dot1x. You're authorized by MAB. Try "show mab interface f1/0/2 detail".

It should look like:

MAB details for FastEthernetX/X
-------------------------------------
Mac-Auth-Bypass           = Enabled

MAB Client List
---------------
Client MAC                = 0003.e3XX.XXXX
Session ID                = 0A3049D30000002C9A23649E
MAB SM state              = TERMINATE
Auth Status               = AUTHORIZED

Why do you think DHCP requests are dropped? Could you show logs/debugs?

Cheers, Iron

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi iilyinas,

Thank you very much for the quick reply! I checked the MAB status on the port and I do see that the port is successfully authorized.

MAB details for FastEthernet1/0/2
-------------------------------------
Mac-Auth-Bypass           = Enabled

MAB Client List
---------------
Client MAC                = 0015.62fe.07c1
Session ID                = AC11FE0200000026100A3F67
MAB SM state              = TERMINATE
Auth Status               = AUTHORIZED

I think I found something very interesting.

So for troubleshooting purposes I used another 3560 switch to simulate the phone. I turned off spanning-tree, CDP, keepalive and switchport mode negotiation on port f0/1 and plugged that port into f1/0/2 on the 3750. I created VLAN 418 on the 3560 and also a VLAN interface configured to get an IP through DHCP. I also have SPAN set up on the 3560 and watch the traffic going through f0/1 on another port (f0/3, where I have a WinXP laptop plugged in with Wireshark running on it). The following is the config on the 3560 switch:

interface Vlan418
ip address dhcp
!

interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
no keepalive
no cdp enable
spanning-tree portfast trunk
spanning-tree bpdufilter enable
end

Then on the monitoring PC I see only the EAP request from the 3750 switch and the DHCP Discover from the 3560 and nothing else... I have debug running on my DHCP server and I see nothing there as well. Then I was wondering if MAB would only allow the traffic to pass on the data/access VLAN but not the voice VLAN. So I changed the native VLAN to 418 on f0/1 (without unplugging the cable) on the 3560 and then, guess what, the switch's VLAN 418 interface got an IP just fine... Is this the right behavior of the 3750 switch? Can I change it? I'm running 12.2(53)SE2 IP Services IOS on it...

Thanks!
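Added example, not part of the thread above or of any poster's config: a FreeRADIUS `users` entry for the phone MAC seen in the switch logs. In multi-domain host mode an IOS switch only authorizes a MAB client in the voice domain (and thus on the tagged voice VLAN) when the RADIUS Access-Accept carries the Cisco AV pair `device-traffic-class=voice`; without it the client is authorized in the data domain, which matches the native-VLAN-only behaviour reported above. The User-Name/password format (MAC with no separators, lowercase) is an assumption about the switch's MAB request format.

```text
# FreeRADIUS 'users' file entry (added example; assumption: the 3750 sends the
# MAC as User-Name and User-Password in the form 001562fe07c1).
#
# Weak entry: the phone is accepted but lands in the data domain, so its
# traffic tagged on voice VLAN 418 is never authorized:
#
#   001562fe07c1  Cleartext-Password := "001562fe07c1"
#
# Corrected entry: the Cisco-AVPair places the MAB client in the voice domain.
001562fe07c1  Cleartext-Password := "001562fe07c1"
        Cisco-AVPair += "device-traffic-class=voice"
```

Verify the result on the switch with the page's own `show mab interface f1/0/2 detail` and check the Authorized domain shown by `show authentication sessions interface f1/0/2`.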