I am having an issue with 7960/7940 phones and their connected PCs authenticating with 802.1x. I read a post that an individual had in 2009 but it doesn't quite describe the situation I'm having and cannot figure out. I know that the 7940 and 7960 phones have to be at version 8.1(1) in order to work with 802.1x; our phones are running at version 8.1(SR2) so, according to Cisco, they should work. The problem I'm having is that the port on the switch gets thrown into an err-disabled state. Once I bounce the port, the phone will authenticate but the associated PC will not, even though both the phone and the PC are configured correctly in the NPS server and in AD. If I force the PC to authenticate to the user VLAN, the PC will authenticate but the phone will not. Each device will authenticate independently if they are separated on the network.
The only way I can avoid this situation is if I put on the switch the following band-aid: errdisable recovery cause security-violation, or if I remove 802.1x completely. I tried putting the errdisable recovery command on a bunch of switches and that caused the trunk ports and the ports that wanted to go into errdisable mode to start flapping and almost brought down the network, soooo I took it off.
The switches we use are 3750Gs or 3750V2s running ipservicesk9 images. I'm attaching the configurations we use.
I appreciate any insight into this maddening problem that just won't go away.
I should also note that it is not ALL of our 7940/7960 phones that do this.
interface FastEthernetx/x/x
 switchport access vlan 666
 switchport mode access
 switchport voice vlan 667
 authentication event fail retry 1 action authorize vlan 666
 authentication event server dead action authorize vlan 666
 authentication event no-response action authorize vlan 666
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end
show mac address-table int fax/x/x
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
xx      xxxx.xxxx.e9f1    STATIC      Fax/x/x   --> phone
666     xxxx.xxxx.2681    DYNAMIC     Drop      --> pc