Cisco Support Community
Community Member

Need help on Dot1x with Avaya phone MAB

Hi all,

I have configured dot1x on my Cat45 switches and enabled MAB (MAC authentication bypass) for Avaya phones.

My AAA server is Microsoft NPS.

The problem is: NPS shows my phone authenticated successfully and grants full access, and the switch port turns into authorized status, but my phone is still unable to talk to the Avaya call manager. Then the dot1x request starts again (fails), followed by MAB (successful), dot1x, MAB... it keeps going in this loop.

---------------switch configuration--------------

interface GigabitEthernet2/34
switchport access vlan 101
switchport mode access
switchport voice vlan 301
switchport port-security maximum 4
switchport port-security maximum 3 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
power inline never
authentication event fail action authorize vlan 400
authentication event no-response action authorize vlan 400
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
spanning-tree portfast
end

----------------------------------------------

When connecting the Avaya phone to this port, I can see these messages:

016003: Jul  7 16:13:16.090 SGP: %AUTHMGR-5-START: Starting 'dot1x' for client (0007.3bbb.1474) on Interface Gi2/34
016004: Jul  7 16:13:31.451 SGP: %DOT1X-5-FAIL: Authentication failed for client (0007.3bbb.1474) on Interface Gi2/34
016005: Jul  7 16:13:31.451 SGP: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0007.3bbb.1474) on Interface Gi2/34
016006: Jul  7 16:13:31.451 SGP: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0007.3bbb.1474) on Interface Gi2/34
016007: Jul  7 16:13:31.451 SGP: %AUTHMGR-5-START: Starting 'mab' for client (0007.3bbb.1474) on Interface Gi2/34
016008: Jul  7 16:13:31.451 SGP: %MAB-5-SUCCESS: Authentication successful for client (0007.3bbb.1474) on Interface Gi2/34
016009: Jul  7 16:13:31.455 SGP: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0007.3bbb.1474) on Interface Gi2/34
016010: Jul  7 16:13:32.479 SGP: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0007.3bbb.1474) on Interface Gi2/34
016011: Jul  7 16:13:47.091 SGP: %AUTHMGR-5-START: Starting 'dot1x' for client (0007.3bbb.1474) on Interface Gi2/34
016012: Jul  7 16:14:02.455 SGP: %DOT1X-5-FAIL: Authentication failed for client (0007.3bbb.1474) on Interface Gi2/34
016013: Jul  7 16:14:02.455 SGP: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0007.3bbb.1474) on Interface Gi2/34
016014: Jul  7 16:14:02.455 SGP: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0007.3bbb.1474) on Interface Gi2/34
016015: Jul  7 16:14:02.455 SGP: %AUTHMGR-5-START: Starting 'mab' for client (0007.3bbb.1474) on Interface Gi2/34
016016: Jul  7 16:14:02.459 SGP: %MAB-5-SUCCESS: Authentication successful for client (0007.3bbb.1474) on Interface Gi2/34
016017: Jul  7 16:14:02.459 SGP: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0007.3bbb.1474) on Interface Gi2/34
016018: Jul  7 16:14:03.483 SGP: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0007.3bbb.1474) on Interface Gi2/34

-----------------------------------------------------------------------------------------------------

When MAB authentication and authorization succeeded, I can see this:

MAB details for GigabitEthernet2/34
-------------------------------------
Mac-Auth-Bypass           = Enabled

MAB Client List
---------------
Client MAC                = 0007.3bbb.1474
Session ID                = 0A0C812900000268876F02F0
MAB SM state              = TERMINATE
Auth Status               = AUTHORIZED

-------------------------------------------------------------------------

----------------------logs from NPS server----------------------

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/7/2010 4:05:27 PM
Event ID:      6272
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      NUHNPS.nhg.local
Description:
Network Policy Server granted access to a user.

User:
    Security ID:            NPS\00073bbb1474
    Account Name:            00073bbb1474
    Account Domain:            NPS
    Fully Qualified Account Name:    NPS\00073bbb1474

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        88-43-E1-07-B4-81
    Calling Station Identifier:        00-07-3B-BB-14-74

NAS:
    NAS IPv4 Address:        10.12.129.41
    NAS IPv6 Address:        -
    NAS Identifier:            -
    NAS Port-Type:            Ethernet
    NAS Port:            50234

RADIUS Client:
    Client Friendly Name:        L01_SW01
    Client IP Address:            10.12.129.41

Authentication Details:
    Connection Request Policy Name:    Use Windows authentication for all users
    Network Policy Name:        NUH Secure Wired (AVAYA) Connections
    Authentication Provider:        Windows
    Authentication Server:        NPS.nnn.local
    Authentication Type:        PAP
    EAP Type:            -
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.

Quarantine Information:
    Result:                Full Access
    Session Identifier:            -

-----------------------------------------------------------------------------------------
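As an added example that is not part of the post: a small Python detector for the dot1x/MAB restart loop described above, run over a subset of the quoted syslog lines. It flags any client whose dot1x authentication is started again after the switch already reported it authorized, and records the authorization-to-restart gap. The year (2010, taken from the NPS event) is an assumption, because IOS syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample: a subset of the AUTHMGR/MAB syslog lines quoted in the post above.
SAMPLE_LOG = """\
016003: Jul  7 16:13:16.090 SGP: %AUTHMGR-5-START: Starting 'dot1x' for client (0007.3bbb.1474) on Interface Gi2/34
016008: Jul  7 16:13:31.451 SGP: %MAB-5-SUCCESS: Authentication successful for client (0007.3bbb.1474) on Interface Gi2/34
016010: Jul  7 16:13:32.479 SGP: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0007.3bbb.1474) on Interface Gi2/34
016011: Jul  7 16:13:47.091 SGP: %AUTHMGR-5-START: Starting 'dot1x' for client (0007.3bbb.1474) on Interface Gi2/34
016016: Jul  7 16:14:02.459 SGP: %MAB-5-SUCCESS: Authentication successful for client (0007.3bbb.1474) on Interface Gi2/34
016018: Jul  7 16:14:03.483 SGP: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0007.3bbb.1474) on Interface Gi2/34
"""

LINE_RE = re.compile(
    r"^\d+: (?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d+) \S+: "
    r"%(?P<msg>[A-Z0-9]+-\d-[A-Z_]+): .*client \((?P<mac>[0-9a-fA-F.]+)\) "
    r"on Interface (?P<intf>\S+)$"
)

def parse_line(line, year=2010):
    """One AUTHMGR/DOT1X/MAB syslog line -> dict, or None for unrelated lines.
    The year is assumed; IOS syslog timestamps do not carry it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method = re.search(r"'(\w+)'", line)  # 'dot1x' / 'mab' in START and RESULT messages
    return {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f"),
            "msg": m["msg"], "method": method.group(1) if method else None,
            "mac": m["mac"], "intf": m["intf"]}

def find_reauth_loops(log_text):
    """Per (interface, MAC): count dot1x restarts that occur AFTER the client was already
    authorized, i.e. the MAB session was torn down and the dot1x -> MAB cycle began again."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_client[(ev["intf"], ev["mac"])].append(ev)
    loops = {}
    for key, evs in by_client.items():
        authorized_at, gaps = None, []
        for ev in sorted(evs, key=lambda e: e["ts"]):
            if ev["msg"] == "AUTHMGR-5-SUCCESS":
                authorized_at = ev["ts"]
            elif ev["msg"] == "AUTHMGR-5-START" and ev["method"] == "dot1x" and authorized_at:
                # seconds between "Authorization succeeded" and the next dot1x START
                gaps.append(round((ev["ts"] - authorized_at).total_seconds(), 3))
                authorized_at = None
        if gaps:
            loops[key] = {"restarts": len(gaps), "gaps_s": gaps}
    return loops
```

A healthy port produces an empty result; any entry means an authorized session is being torn down and re-run, which is the symptom in the post.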

2 REPLIES
Community Member

Hi,

I just went through the issue.

I had a similar issue, but I just want more information about your issue.

Are you using LLDP to get the VLAN information, or are you using DHCP options?

If you are using LLDP, then try the options mentioned below; it will work fine.

Change the authentication order like this:

authentication order mab dot1x

If you are using DHCP, then check what attributes (VLAN ID) the NAC/RADIUS server is sending after successful authentication. If it is sending the correct VLAN ID, then verify your DHCP scope options.

Port Security
In general, Cisco does not recommend enabling port security when IEEE 802.1X is also enabled. Therefore, port security is not a recommended best practice when deploying IP Telephony in an IEEE 802.1X-enabled network.

To resolve this issue:

1. Remove the port security configuration from the port.

2. Reorder the authentication methods as mentioned: authentication order mab dot1x

I hope this will resolve your issue; if not, then share the output of show mac address interface gigx/x

and show auth inter gigx/x det

 

Community Member

I am having the exact same issue even after doing what purubrain18 suggested.

Here's what I got from the show authentication and show mac address-table commands.

> sho authentication interface gigabitEthernet 2/0/6

Client list:
Interface  MAC Address     Method   Domain   Status         Session ID
  Gi2/0/6    f815.47bc.60c5  mab      DATA     Authz Success  0A405421000001EB999D43E1

Available methods list:
  Handle  Priority  Name
    3        0      dot1x
    4        1      mab
Runnable methods list:
  Handle  Priority  Name
    4        0      mab
    3        1      dot1x

> sho mac address-table interface gigabitEthernet 2/0/6
Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 215    f815.47bc.60c5    DYNAMIC     Gi2/0/6
 224    f815.47bc.60c5    STATIC      Gi2/0/6
Total Mac Addresses for this criterion: 2

Any help would be appreciated. Thanks.
