ISE MAB for IP-Phone and Dot1x Authentication for PC connected behind IP-Phone not working properly

sachin.sg
Level 1

Hi

We have configured ISE, and our requirement is that clients which connect behind the IP phone should get dot1x authentication with posturing done, and MAB for phones, no authentication.

The problem we face is that dot1x authentication and posture for the client is working, and even MAB for the IP phone is working, but the IP phone gets an IP address from data VLAN 326, while the authentication policy shows the voice VLAN tag.

Secondly, every time dot1x happens for the client, MAB also occurs for the IP phone.

Please find the configuration and logs:

interface FastEthernet0/5
 switchport access vlan 390
 switchport mode access
 switchport voice vlan 338
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3
 spanning-tree portfast
end

9Floor_2960_3#show authentication sessions interface fastEthernet 0/5
            Interface:  FastEthernet0/5
          MAC Address:  c062.6b62.d767
           IP Address:  10.22.50.36
            User-Name:  C0-62-6B-62-D7-67
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  338
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A1666120000020D25E0B591
      Acct Session ID:  0x0000042E
               Handle:  0xD300020E

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

----------------------------------------
            Interface:  FastEthernet0/5
          MAC Address:  e89a.8f13.11fb
           IP Address:  10.22.50.35
            User-Name:  kbank\kge10315
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  326
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A1666120000020E25E0BE51
      Acct Session ID:  0x00000430
               Handle:  0x1500020F

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Authc Success

9Floor_2960_3#show epm session summary
EPM Session Information
-----------------------
Total sessions seen so far : 141
Total active sessions      : 2

Interface               IP Address        MAC Address     VLAN   Audit Session Id:
----------------------------------------------------------------------------------
FastEthernet0/5         10.22.50.36       c062.6b62.d767  326     0A1666120000020D25E0B591
FastEthernet0/5         10.22.50.35       e89a.8f13.11fb  326     0A1666120000020E25E0BE51

9Floor_2960_3#show authentication sessions

Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/5      c062.6b62.d767  mab      VOICE    Authz Success  0A1666120000020D25E0B591
Fa0/5      e89a.8f13.11fb  dot1x    DATA     Authz Success  0A1666120000020E25E0BE51

Can anyone come up with a suggestion?
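
An added example, not part of the original post: a Python check that compares each session's authorized Vlan Policy with the VLAN listed for the same MAC in show epm session summary, which is the mismatch visible in the output above (VOICE session authorized for 338, listed under 326). The function names are hypothetical, the sample text is trimmed from the post's output, and reading the EPM VLAN column as the VLAN the endpoint actually sits in is an assumption.

```python
import re

# Constructed sample: trimmed copies of the two outputs shown in the post.
AUTH_SESSIONS = """\
            Interface:  FastEthernet0/5
          MAC Address:  c062.6b62.d767
           IP Address:  10.22.50.36
               Domain:  VOICE
          Vlan Policy:  338
----------------------------------------
            Interface:  FastEthernet0/5
          MAC Address:  e89a.8f13.11fb
           IP Address:  10.22.50.35
               Domain:  DATA
          Vlan Policy:  326
"""
EPM_SUMMARY = """\
FastEthernet0/5         10.22.50.36       c062.6b62.d767  326     0A1666120000020D25E0B591
FastEthernet0/5         10.22.50.35       e89a.8f13.11fb  326     0A1666120000020E25E0BE51
"""

def parse_auth_sessions(text):
    """Return {mac: {field: value}} from 'show authentication sessions interface'."""
    sessions = {}
    for block in re.split(r"^-{10,}[ \t]*$", text, flags=re.M):
        pairs = re.findall(r"^[ \t]*([A-Za-z][\w \-]*?):[ \t]+(\S.*?)[ \t]*$", block, flags=re.M)
        fields = dict(pairs)
        if "MAC Address" in fields:
            sessions[fields["MAC Address"].lower()] = fields
    return sessions

def parse_epm_summary(text):
    """Return {mac: vlan} from the table rows of 'show epm session summary'."""
    row = re.compile(r"^\S+\s+\d+\.\d+\.\d+\.\d+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\d+)\s+\S+",
                     re.M | re.I)
    return {mac.lower(): int(vlan) for mac, vlan in row.findall(text)}

def vlan_mismatches(auth_text, epm_text):
    """List (mac, domain, authorized_vlan, epm_vlan) where the two VLANs differ."""
    epm = parse_epm_summary(epm_text)
    findings = []
    for mac, s in parse_auth_sessions(auth_text).items():
        policy = s.get("Vlan Policy", "")
        if policy.isdigit() and mac in epm and int(policy) != epm[mac]:
            findings.append((mac, s.get("Domain"), int(policy), epm[mac]))
    return findings

if __name__ == "__main__":
    for mac, domain, policy, seen in vlan_mismatches(AUTH_SESSIONS, EPM_SUMMARY):
        print(f"{mac} domain={domain}: Vlan Policy {policy} but EPM shows VLAN {seen}")
```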

2 Replies

sachin.sg
Level 1

Issue got resolved, as CDP was disabled at the port level.

After enabling CDP, the IP phone was able to get a voice VLAN IP address.
 

I also configured that, but the problem is that the phone authenticates successfully, while the wired user wants to authenticate but cannot. The switch configuration is the same as your config. Can you provide me with any practice ISE configuration? Before this I had only wired user authentication, and it was working normally. When I configure a new authentication and authorization profile for the phone, the phone authenticates normally but the wired user does not.

my email address: educcna@gmail.com

Thanks for your help.
