Solved: We have finally got there...

bgl-group · ‎10-13-2014

We have a problem with Cisco Switches, Avaya IP Phones and Dot1x authentication.

The workstations do not as yet have a dot1x supplicant configured on them.

The Avaya phones are a mixture of 9630 and 9630G hardware all running the same code level and configuration file.

The switches are a mixture of 2960 (v15) and 3560 (v12) code.

What is happening is as follows.

1. The workstation connects to the switch

2. The switch authenticates the workstation and as there isn't a dot1x supplicant fails through to MAB

3. The switch gets the mac address of the workstation and the IP Phone stored as static entries in the MAC table.

4. You disconnect the workstation

5. The workstations mac address is retained in the switch mac table.

6. It doesn't time out and after a couple of minutes you can see a MAB reauthentication message (which passes?)

7. Attempting to plug into another port with the workstation usually results in the ports being locked out.

We did another test when I had a machine with a dot1x supplicant enabled in this case.

1. The workstation connects to the switch

2. The switch authenticates the workstation and passes dot1x authentication

3. The switch gets the mac address of the workstation and the IP Phone stored as static entries in the MAC table.

4. You disconnect the workstation

5. The phone sends a dot1x release message to the switch

6. The mac address is removed from the switch mac table.

7. you can plug the workstation in anywhere else and it works perfectly.

If you disable dot1x port-control then the port works as normal.

Under advice from our support provider we added in some port-security commands to age the mac table entries out - however this has made no difference.

The port configuration looks as below.

interface GigabitEthernet1/0/20

description Port 082

switchport access vlan 24

switchport mode access

switchport voice vlan 44

switchport port-security maximum 100

switchport port-security

switchport port-security aging time 1

switchport port-security aging static

ip access-group ACL-ALLOW in

srr-queue bandwidth share 10 10 60 20

queue-set 2

priority-queue out

authentication event fail action next-method

authentication event server dead action reinitialize vlan 24

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication violation restrict

mab

mls qos trust dscp

dot1x pae authenticator

dot1x timeout tx-period 10

auto qos voip trust

spanning-tree portfast

end

The IP Phones are running code S3.104S

Any suggestions - we have currently put the rollout of the switch configurations on hold as we can't lose the ability to move between desks without issues for the userbase (a lot of users have laptops and keep plugging into different wired ports depending on where they feel like sitting in the building....

Thanks in advance

Giles Cooper

Jimmy Johansson · ‎10-14-2014

So the problem is moving a dot1x supplicant (with a VM) from one switch to another, is that correct of me? And it seems like the problem is caused by a MAC-address not leaving the mac add-table from the switch. Is the session still active on the port when disconnecting? Check that using "show auth sess int <port>".

It seems weird that the MAC-address is lingering when you disconnect it from the port. But also, will the computers with VMs move from one switch to another that often? There should be a timer which times out the MAC-address from either the mac-table or the session from the port.

global# mac address-table aging-time x (default 300sec)
port# authentication timer inactivity/reauthenticate

I'm happy to help any way I can since I'm also learning from it.

View solution in original post

Jimmy Johansson · ‎10-14-2014

I don't think you need the port-securtiy commands, especially since they didn't make any difference.

Have you tried the same thing in closed mode? Also try the command "ip device tracking" and see if it helps.

bgl-group · ‎10-14-2014

The switch does have ip device tracking enabled.

Can you clarify what you mean by closed mode?

I have attached the full switch configuration as well.

Jimmy Johansson · ‎10-14-2014

Closed mode is when you remove the command "authentication open" from the port. As it is now, every unit will be granted access to the network without passing authentication. When you remove the command "auth open" every unit has to pass authentication to be granted access. It also means that you don't need the ACL-ALLOW as long as the port is in auth open.

Edit: I now saw that you attempted to plug in the workstation in another port in the first example. Maybe the command you're looking for is "Mac move"

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1143287

bgl-group · ‎10-14-2014

I have just done some more testing.

I added the authentication mac-move permit command to the switch and it now almost works as expected.

The scenarios now are:

Machine without dot1x supplicant plugged into phone, when unplugged the switch immediately deletes the mac address from the port.

Machine with dot1x supplied plugged into phone, exactly the same.

Machine without dot1x plugged directly into port exactly the same

Machine with dot1x plugged directly into port exactly the same.

The problem is if someone has a machine running a dot1x supplicant and hosting a VM.

In that case as long as you move to a different port on the same switch it works fine (as the workstation reconnects the mac-move process works).

If you move this machine from one switch to another with the IP phone installed. the de-auth message removes the VM or the host from the original switch mac table and leaves one of the old addresses behind.

I suppose a solution would be to ban all VMs but that won't go down well.

I don't want to change the authentication method as we will have machines without a supplicant that need to connect to resources (i.e. using mab)

Thanks for your help (and a faster reply than my support company who still haven't rung me back).

Giles

Jimmy Johansson · ‎10-14-2014

So the problem is moving a dot1x supplicant (with a VM) from one switch to another, is that correct of me? And it seems like the problem is caused by a MAC-address not leaving the mac add-table from the switch. Is the session still active on the port when disconnecting? Check that using "show auth sess int <port>".

It seems weird that the MAC-address is lingering when you disconnect it from the port. But also, will the computers with VMs move from one switch to another that often? There should be a timer which times out the MAC-address from either the mac-table or the session from the port.

global# mac address-table aging-time x (default 300sec)
port# authentication timer inactivity/reauthenticate

I'm happy to help any way I can since I'm also learning from it.

bgl-group · ‎10-14-2014

We have finally got there....

I didn't change the mac address-table aging timers

Instead I added authentication timer inactivity 30 to the port configuration.

Now when the VM Host is disconnected, the VM which remained times out within 30 seconds and allows the machine to move to another switch. There is a slight delay as you reconnect but nothing that should be noticeable to the users.

Looks like I can close this issue off (just now need to amend the configuration on the 80 switches I had already worked on and finish off the other 100 switches...)

It will keep me quiet the rest of the day

Thanks

Giles

Jimmy Johansson · ‎10-14-2014

Glad to hear you solved the problem! Good luck with your rollout and thanks for the rating.

Jimmy

IOS Switches and Avaya IP Phones not releasing MAC Addresses