10-28-2010 04:56 PM - edited 03-10-2019 05:31 PM
Hi experts,
I'm trying to configure my 3750 switch to authenticate phones and laptops separately on the voice and data VLANs. Here is my config:
aaa group server radius FreeRadius
server 172.17.1.1 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group FreeRadius none
aaa authorization network default group FreeRadius none
aaa accounting dot1x default start-stop broadcast group FreeRadius
!
radius-server host 172.17.1.1 auth-port 1812 acct-port 1813 retransmit 0 key JAr5frAr
!
interface FastEthernet1/0/2
switchport access vlan 417
switchport mode access
switchport voice vlan 418
load-interval 30
authentication event fail action authorize vlan 417
authentication event no-response action authorize vlan 417
authentication host-mode multi-domain
authentication port-control auto
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 3
spanning-tree portfast
The phone doesn't support 802.1x so I have to use MAB. This is for a hotel environment, so the laptop can be a hotel staff PC, which supports 802.1x, or a guest PC, which won't support 802.1x and needs to be put in the guest VLAN.
So the problem is that I can successfully authenticate the MAC of the phone however the Voice VLAN still doesn't allow the phone traffic to pass. After the "successful" authentication the phone can't get an IP on the Voice VLAN because all the DHCP request packets are dropped.
This is what I see on the switch:
*Mar 4 02:45:09.020: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
*Mar 4 02:45:10.026: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
*Mar 4 02:45:16.301: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67
*Mar 4 02:45:16.301: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67
*Mar 4 02:45:16.301: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67
*Mar 4 02:45:40.879: %AUTHMGR-5-START: Starting 'mab' for client (0015.62fe.07c1) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67
*Mar 4 02:45:40.888: %MAB-5-SUCCESS: Authentication successful for client (0015.62fe.07c1) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67
*Mar 4 02:45:40.888: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.62fe.07c1) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67
*Mar 4 02:45:41.911: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.62fe.07c1) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67
When I do "show dot1x interface f1/0/2 detail" I still see the port unauthorized...
Dot1x Info for FastEthernet1/0/2
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_DOMAIN
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 3
ReAuthMax = 2
MaxReq = 2
TxPeriod = 3
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
The switch works fine when I plug a laptop directly in the port, no matter whether it's authenticated by EAP or MAB.
Any ideas??
Thanks!
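The log above interleaves three facilities (%DOT1X, %AUTHMGR, %MAB) for one client, and the thread turns on reading them correctly: dot1x times out, the authentication manager fails over to MAB, and MAB authorizes the port, so "show dot1x" reporting UNAUTHORIZED is not by itself a problem. The following Python script is an added example (not part of the original post or of any Cisco tool) that groups these syslog lines by AuditSessionID and reports, per session, which method returned what and which one actually authorized the port. The first sample session is copied from the log posted above; the second session (interface Fa1/0/3, MAC 001b.2100.aaaa, session ID AC11FE0200000027100B0000) is constructed to show a laptop that passes 802.1X.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Cisco IOS syslog shape: "%FACILITY-SEV-MNEMONIC: <message> on Interface <if> AuditSessionID <hex>"
LINE_RE = re.compile(
    r"%(?P<facility>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): "
    r"(?P<msg>.*?) on Interface (?P<iface>\S+) AuditSessionID (?P<sid>[0-9A-Fa-f]+)"
)
# %AUTHMGR-7-RESULT carries the per-method outcome, e.g. "result 'no-response' from 'dot1x'"
RESULT_RE = re.compile(r"Authentication result '(?P<result>[\w-]+)' from '(?P<method>\w+)'")
# Dotted Cisco MAC; "(Unknown MAC)" deliberately does not match
CLIENT_RE = re.compile(r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")


@dataclass
class Session:
    sid: str
    iface: str
    mac: Optional[str] = None
    attempts: List[Tuple[str, str]] = field(default_factory=list)  # (method, result) in log order
    authorized: bool = False  # set by %AUTHMGR-5-SUCCESS (authorization, not just authentication)

    def authorized_by(self) -> Optional[str]:
        """Method whose result was 'success', or None if no method succeeded."""
        for method, result in self.attempts:
            if result == "success":
                return method
        return None


def parse_sessions(lines: List[str]) -> Dict[str, Session]:
    """Group authmgr/dot1x/mab messages by AuditSessionID and record each method's outcome."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # LINK/LINEPROTO and other lines carry no session ID
        s = sessions.setdefault(m["sid"], Session(sid=m["sid"], iface=m["iface"]))
        c = CLIENT_RE.search(m["msg"])
        if c:
            s.mac = c["mac"]  # filled in once the switch has learned the MAC
        r = RESULT_RE.search(m["msg"])
        if r:
            s.attempts.append((r["method"], r["result"]))
        if m["facility"] == "AUTHMGR" and m["mnemonic"] == "SUCCESS":
            s.authorized = True
    return sessions


def summarize(s: Session) -> str:
    """One line per session: what each method returned and which one authorized the port."""
    chain = " -> ".join(f"{method}={result}" for method, result in s.attempts) or "no results"
    by = s.authorized_by()
    if s.authorized and by == "mab":
        verdict = "authorized via mab; 'show dot1x' will still report UNAUTHORIZED, check 'show mab'"
    elif s.authorized and by:
        verdict = f"authorized via {by}"
    else:
        verdict = "NOT authorized"
    return f"{s.iface} {s.mac or 'unknown-mac'} [{s.sid}]: {chain}; {verdict}"


# Sample input: session ...26100A3F67 is the log from the post above; session
# ...27100B0000 (Fa1/0/3, 001b.2100.aaaa) is constructed for this example.
SAMPLE_LOG = [
    "*Mar 4 02:45:09.020: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up",
    "*Mar 4 02:45:16.301: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67",
    "*Mar 4 02:45:16.301: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67",
    "*Mar 4 02:45:16.301: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67",
    "*Mar 4 02:45:40.879: %AUTHMGR-5-START: Starting 'mab' for client (0015.62fe.07c1) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67",
    "*Mar 4 02:45:40.888: %MAB-5-SUCCESS: Authentication successful for client (0015.62fe.07c1) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67",
    "*Mar 4 02:45:40.888: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.62fe.07c1) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67",
    "*Mar 4 02:45:41.911: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.62fe.07c1) on Interface Fa1/0/2 AuditSessionID AC11FE0200000026100A3F67",
    "*Mar 4 02:50:01.000: %AUTHMGR-5-START: Starting 'dot1x' for client (001b.2100.aaaa) on Interface Fa1/0/3 AuditSessionID AC11FE0200000027100B0000",
    "*Mar 4 02:50:03.000: %DOT1X-5-SUCCESS: Authentication successful for client (001b.2100.aaaa) on Interface Fa1/0/3 AuditSessionID AC11FE0200000027100B0000",
    "*Mar 4 02:50:03.000: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001b.2100.aaaa) on Interface Fa1/0/3 AuditSessionID AC11FE0200000027100B0000",
    "*Mar 4 02:50:04.000: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.2100.aaaa) on Interface Fa1/0/3 AuditSessionID AC11FE0200000027100B0000",
]

if __name__ == "__main__":
    for sess in parse_sessions(SAMPLE_LOG).values():
        print(summarize(sess))
```

Keying on AuditSessionID rather than on MAC is what makes the correlation work here: the first three messages of the phone's session say "(Unknown MAC)" because the switch has not seen a frame from the phone yet, and only the later MAB messages carry the address.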
10-29-2010 05:52 AM
Hi!
Yes, you can use MAB + dot1x in your scenario.
Dot1x info shows unauthorized, as you're indeed not authorized by dot1x. You're authorized by MAB. Try "show mab interface f1/0/2 detail".
It should look like:
MAB details for FastEthernetX/X
-------------------------------------
Mac-Auth-Bypass = Enabled
MAB Client List
---------------
Client MAC = 0003.e3XX.XXXX
Session ID = 0A3049D30000002C9A23649E
MAB SM state = TERMINATE
Auth Status = AUTHORIZED
Why do you think DHCP requests are dropped? Could you show logs/debugs?
Cheers, Iron
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
10-29-2010 10:20 AM
Hi iilyinas,
Thank you very much for quick reply! I checked the MAB status on the port and I do see that the port is successfully authorized.
MAB details for FastEthernet1/0/2
-------------------------------------
Mac-Auth-Bypass = Enabled
MAB Client List
---------------
Client MAC = 0015.62fe.07c1
Session ID = AC11FE0200000026100A3F67
MAB SM state = TERMINATE
Auth Status = AUTHORIZED
I think I found something very interesting.
So for troubleshooting purposes I used another 3560 switch to simulate the phone. I turned off spanning-tree, CDP, keepalive and switchport mode negotiation on port f0/1 and plugged it into f1/0/2 on the 3750. I created VLAN 418 on the 3560 and also a VLAN interface and configured it to get an IP through DHCP. I also have SPAN set up on the 3560 and watch the traffic going through f0/1 on another port (f0/3, where I have a WinXP laptop plugged in with Wireshark running on it). The following is the config on the 3560 switch:
interface Vlan418
ip address dhcp
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
no keepalive
no cdp enable
spanning-tree portfast trunk
spanning-tree bpdufilter enable
end
Then on the monitoring PC I see only the EAP request from the 3750 switch and the DHCP Discover from the 3560 and nothing else... I have debug running on my DHCP server and I see nothing there as well. Then I was wondering whether MAB would only allow the traffic to pass on the data/access VLAN but not the voice VLAN. So I changed the native VLAN to 418 on f0/1 (without unplugging the cable) on the 3560, and then guess what, the switch's VLAN 418 interface got an IP just fine... Is this the right behavior of the 3750 switch? Can I change it? I'm running 12.2(53)SE2 IP Services IOS on it...
Thanks!