Switchport Stuck in Guest Mode

paul.l.kyte
Level 1

I am using 802.1x authentication with multi-domain ports: a phone, and a PC connected to the phone. The phones are Nortel (Avaya) and the PCs are Dell/HP laptops. All are configured for certificate authentication and this works well. However, we sometimes get some ports stuck in Guest mode. When a non-certificated laptop connects to a phone port and fails authentication, the data port is placed in the Guest VLAN. However, when the laptop disconnects the port isn't reset and remains in the guest state. When a subsequent good laptop connects and attempts to authenticate, the switch ignores this and leaves the data port in the Guest VLAN. Does anyone have any idea why this happens and how I can overcome it?

The switch is a 2960S with Version 12.2(58)SE2 IOS.

The port is configured as follows:

!
interface GigabitEthernet1/0/15
 description DANS Port
 switchport access vlan 1807
 switchport mode access
 switchport voice vlan 1855
 priority-queue out
 authentication event fail action authorize vlan 1871
 authentication event no-response action authorize vlan 1871
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 10
 spanning-tree portfast
 service-policy input INGRESS-CLASSIFY
end

The auth status and MAC addresses on the port after the failed laptop disconnects are as follows:

sh auth sess inter g1/0/15
            Interface:  GigabitEthernet1/0/15
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  1871
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AEF212D000003055C8D1DAC
      Acct Session ID:  0x00000653
               Handle:  0x94000306

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Failed over

----------------------------------------
            Interface:  GigabitEthernet1/0/15
          MAC Address:  0022.67cd.0eec
           IP Address:  Unknown
            User-Name:  RBT18991
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AEF212D00000026000286D1
      Acct Session ID:  0x00000028
               Handle:  0xFC000027

Runnable methods list:
       Method   State
       mab      Not run
       dot1x    Authc Success

sh mac address-table int g1/0/15      
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
1855    0022.67cd.0eec    STATIC      Gi1/0/15
Total Mac Addresses for this criterion: 1

I placed the AAA, dot1x, EAP and auth debugs on for all events and then connected a good laptop; the only debug messages I got were as follows:

Mar 19 16:17:01.391 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:17:01.653 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:17:02.654 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:17:03.708 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:18:43.784 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_auth_client_present: client for mac address 0022.67cd.0eec has been notified on GigabitEthernet1/0/15
Mar 19 16:18:43.784 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_auth_client_authorized: client for mac address 0022.67cd.0eec is authorized GigabitEthernet1/0/15
Mar 19 16:18:43.784 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_auth_client_present: client for mac address 0022.67cd.0eec has been notified on GigabitEthernet1/0/15
Mar 19 16:18:43.784 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open autn

I would have expected the auth function to have reacted to the EAP packets sent by the good client when it connected and performed EAP authentication, but it didn't; all it did was say the port's in Guest mode and leave the laptop in this VLAN.

All help will be much appreciated.

Thanks,

Paul
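To spot ports in the state described above before a user reports it, it helps to parse `show authentication sessions` output and flag data-domain sessions that were authorized into the guest VLAN without any learned MAC address, which is exactly the signature in the capture. The following is an added example (not code from the original post or from Cisco); the sample text is the session output from the post, the session-record field names are taken from that output, and the parsing regexes and the "stuck" criteria are this example's own assumptions.

```python
import re
from typing import Dict, List

# Sample output modelled verbatim on the 'sh auth sess inter g1/0/15'
# capture in the post (constructed for this example).
SAMPLE = """\
            Interface:  GigabitEthernet1/0/15
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  1871
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AEF212D000003055C8D1DAC
      Acct Session ID:  0x00000653
               Handle:  0x94000306

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Failed over

----------------------------------------
            Interface:  GigabitEthernet1/0/15
          MAC Address:  0022.67cd.0eec
           IP Address:  Unknown
            User-Name:  RBT18991
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AEF212D00000026000286D1
      Acct Session ID:  0x00000028
               Handle:  0xFC000027

Runnable methods list:
       Method   State
       mab      Not run
       dot1x    Authc Success
"""

# "Key:  value" lines of the session block (assumed layout, matches the capture).
KV = re.compile(r'^\s*([A-Za-z][A-Za-z /-]*?):\s+(.*?)\s*$')
# Rows of the "Runnable methods list" table.
METHOD = re.compile(r'^\s*(mab|dot1x)\s+(.+?)\s*$')


def parse_sessions(text: str) -> List[Dict[str, object]]:
    """Split show-auth-sessions output into one dict per session.

    A new session starts at every 'Interface:' line; method states are
    collected under the 'methods' key of the current session."""
    sessions: List[Dict[str, object]] = []
    cur = None
    for line in text.splitlines():
        m = KV.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2)
            if key == 'Interface':
                cur = {'methods': {}}
                sessions.append(cur)
            if cur is not None:
                cur[key] = val
            continue
        m = METHOD.match(line)
        if m and cur is not None:
            cur['methods'][m.group(1)] = m.group(2)
    return sessions


def find_stuck_guest_sessions(sessions: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return data-domain sessions that sit in the guest VLAN with no MAC
    learned: the port is 'authorized' for a host that is no longer there,
    so a new host will not be re-challenged (the symptom in the post)."""
    return [
        s for s in sessions
        if s.get('Domain') == 'DATA'
        and s.get('Authorized By') == 'Guest Vlan'
        and s.get('MAC Address') == 'Unknown'
    ]


def report(text: str) -> List[str]:
    """Human-readable one-liners for each stuck session, for a monitoring job."""
    lines = []
    for s in find_stuck_guest_sessions(parse_sessions(text)):
        methods = ', '.join(f'{k}={v}' for k, v in s['methods'].items())
        lines.append(
            f"{s['Interface']}: DATA domain authorized into guest VLAN "
            f"{s.get('Vlan Policy', '?')} with no learned MAC ({methods})"
        )
    return lines


if __name__ == '__main__':
    for line in report(SAMPLE):
        print(line)
```

Feeding the script the output of a periodic `show authentication sessions` poll gives an operator a list of ports in this orphaned state. The script only detects; clearing the stale session on the port (for example with IOS's `clear authentication sessions interface <if>`) is a manual step to verify on the platform in question, and it does not address the root cause Eduardo describes below, namely that the switch never sees a link-down when a PC behind a third-party phone unplugs.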

2 Replies

Eduardo Aliaga
Level 4

I'm taking it your PCs are behind Nortel phones; if that is so, then when you disconnect your PC, the switch doesn't know anything about it because the switchport is still up.

This issue won't happen with Cisco phones, because they have two features to deal with it. Those features are called "proxy EAPOL logoff" and "CDP second port disconnect". Please see http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000357

Please rate if it helps. Kind regards

Thanks for this reply; although it does provide valuable information for the "Cisco" world, it doesn't help me with the problem I have.

The big question is as follows:

Why doesn't the switch react to the EAP packets it gets from the good laptop connected to the port stuck in the Guest state? The port doesn't have a data MAC in its table, only a voice MAC. It recognises a device has connected, as it then places the good laptop's MAC in the table, BUT it totally ignores the EAP packets from this device and leaves it in the Guest VLAN, where the laptop gets a DHCP address once its EAP has timed out.

Completely wrong activity!!!

Is this a bug?

Any help is much appreciated.

Regards,

Paul
