I am trying to implement 802.1x on our network. We mostly have Cisco 7960 phones, which don't support 802.1x. However, I thought you could configure a VOICE VLAN and they would still work. However, the switch seems to put the phone in the Guest VLAN because of an authentication failure. Here's my configuration on the port.
I will appreciate any help on this.
switchport access vlan 17
switchport mode access
switchport voice vlan 3030
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x timeout tx-period 10
dot1x guest-vlan 999
dot1x auth-fail vlan 999
dot1x auth-fail max-attempts 2
You have Multi-Domain auth turned on, per:
dot1x host-mode multi-domain
This means you must authenticate the phone with 802.1X or MAC-Auth. If this is your desire, this will help:
Huh!! Somehow I had this working before when I did similar testing. I just copied the configs to the new switch.
Taking off the multi-domain command seems to help.
Yep. To be clear, taking that off now allows the phone to get into the network "for free" just because it can do CDP with the switch. Essentially, the phone is ignored entirely based on a CDP exchange.
Thanks. Now I am running into another issue. When I connect the computer to the phone, even though the computer has a valid certificate, it goes into the Guest VLAN. I have to issue the reauthenticate command to allow it to get the proper VLAN. I have configured the supplicant on the computer, have the dot1x guest-vlan supplicant command configured on the switch, and my 7960 phone is running 8.0 (9.0). But it doesn't seem to help.
Make sure your supplicant is configured for EAPOL-Starts. MSFT doesn't have this enabled by default with anything XP SP2 and below. Otherwise, the port will be in the guest VLAN just after you plug the phone in and stay there.
Yes, I do have SupplicantMode=3 configured on the laptops. I had used the same computers for my previous testing.
For some reason I am seeing mixed results. Now when I have a computer without a valid certificate, the switch puts it in the Guest VLAN. But then it takes it out and puts it in the Unauthorized state (no access) after 30 secs. This keeps repeating, so the port keeps bouncing from the Guest VLAN to the Unauthorized state. I have attached the logs and also the configuration.
I am still trying to identify why this is happening.
Make sure this machine works when you plug it directly into the switch. From the log, the machine sends an EAPOL-Start and then doesn't answer the switch's initial identity request. This could indicate that there is in fact no cert on the box for it to use.
Yes, the machine I used to get this log DOES NOT have the certificate. So it should be assigned the GUEST VLAN and stay in the GUEST VLAN. But instead, it (the switch port) keeps flapping between the GUEST VLAN and Unauthorized status. You can see that in the logs I attached. This is the same even if I connect the laptop directly to the switch.
The machine WITH a valid certificate staying in GUEST is another issue, and it looks intermittent at this time.
Well, your supplicant is sending an EAPOL-Start to the switch, which, to the switch, is an indication that the client is in fact capable of running 1X, so it removes the Guest VLAN and tries to authenticate it.
Yes, even though the client is capable of running 802.1x, it doesn't have a valid certificate. So the authentication should fail and it should be assigned the auth-fail VLAN, which is 999. The switch actually assigns that VLAN but then keeps flapping.
If you take a look at the log, you see the following messages right after it assigns the GUEST VLAN, which I don't understand.
23:16:04: dot1x-ev:Found the default authenticator instance on FastEthernet0/11
23:16:04: dot1x-ev:dot1x_guest_vlan_set_eapol_seen: Deactivated guest VLAN 999 on port FastEthernet0/11
23:16:04: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 0 on interface FastEthernet0/11 in DATA domain
23:16:04: dot1x-ev:vlan 999 vp is removed on interface FastEthernet0/11
23:16:04: dot1x-ev:ignored vlan 17 vp is added on interface FastEthernet0/11
23:16:04: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/11
23:16:04: dot1x-ev:Setting vlan to 0 for FastEthernet0/11 on data Vlan
The client is not failing authentication. It's timing out on authentication. Failing would mean you get a reject back from RADIUS, an EAPOL-Failure message to the client, etc.
Looks like if the computer is 802.1x capable but doesn't have the cert, then it doesn't work.
Are you aware of a way to fix this?
Understood. I successfully tested the computer that supports an 802.1x supplicant but has an invalid certificate.
However, I also noticed that the switch interface flaps between the Guest VLAN and Unauthorized state if I use a computer which has no 802.1x supplicant. This is the case whether the computer is connected directly to the switch or through an IP phone. This will be a usual situation in the company for guest users. I thought dot1x guest-vlan supplicant should have fixed this and put the port in the Guest VLAN.
The guest-vlan supplicant stuff is only useful if the supplicant gives up on EAPOL entirely AFTER there's been EAPOL on the port during the life of link on the port.
Here's what happens based on your config if a 1X session fails.
1) 1X will fail normally.
2) 1X will fail again immediately (b/c you have auth-fail-vlan turned on, and I'm not sure why you set it to max-attempts 2, but OK).
3) Port enters the Auth-Fail-VLAN immediately after step 2.
4) Upon exiting the HELD state (probably 60 sec), the supplicant will try to re-auth, but the switch will ignore any subsequent EAPOL-Start frames from the supplicant since it placed it in the Auth-Fail-VLAN at step 3.
Here's what happens based on your config if a 1X session times out and has no supplicant at all.
1) EAPOL-Id-Request from switch.
2) 10 sec later, another (b/c you tweaked your tx-period).
3) 10 sec later, another.
4) 10 sec later, the port goes into the Guest-VLAN and stays there (as long as you don't in fact send EAPOL to the switch).
So, not counting the issue of being enabled for TLS but in fact not having a cert, if the above is NOT happening, I'd recommend a TAC case for a closer look.
HTH a little,
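As an added example that is not part of this thread and not Cisco code: a small Python model of the port outcomes Jason lays out above, run with the poster's settings (tx-period 10, guest-vlan 999, auth-fail vlan 999, max-attempts 2, guest-vlan supplicant). It encodes only the rules stated in the thread: the guest VLAN is reached after the identity requests time out and only if no EAPOL was ever seen, any EAPOL-Start deactivates it, a timeout is not a failure so it never leads to the auth-fail VLAN, and with guest-vlan supplicant the port can re-enter the guest VLAN after EAPOL was seen but loses it again on the next EAPOL-Start. The values assumed for max-reauth-req (2) and auth-fail max-attempts (3) are assumed IOS defaults, not taken from the thread, and the HELD/quiet period between failed attempts is not modelled.

```python
"""Toy model of the Cisco IOS 802.1X port outcomes described in this thread.

Added example: not Cisco code and not the poster's configuration. The
defaults for max-reauth-req (2) and auth-fail max-attempts (3) are assumed
IOS defaults, not values taken from the thread; the HELD/quiet period between
failed attempts is not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PortConfig:
    tx_period: int = 30                   # dot1x timeout tx-period (seconds)
    max_reauth_req: int = 2               # identity-request retries (assumed IOS default)
    guest_vlan: Optional[int] = None      # dot1x guest-vlan <id>
    auth_fail_vlan: Optional[int] = None  # dot1x auth-fail vlan <id>
    auth_fail_max_attempts: int = 3       # dot1x auth-fail max-attempts (assumed IOS default)
    guest_vlan_supplicant: bool = False   # global dot1x guest-vlan supplicant


# Supplicant behaviours, one per case the thread discusses.
NO_SUPPLICANT = "no-supplicant"      # host never speaks EAPOL (guest laptop, printer)
START_THEN_SILENT = "start-silent"   # one EAPOL-Start, never answers Identity (1X on, no cert)
START_RETRY = "start-retry"          # EAPOL-Start again after every timeout
REJECTED = "rejected"                # answers, but RADIUS sends Access-Reject (bad cert)
ACCEPTED = "accepted"                # valid cert, RADIUS sends Access-Accept

Transition = Tuple[int, str, Optional[int]]  # (seconds since link-up, port state, data VLAN)


def simulate(cfg: PortConfig, supplicant: str, data_vlan: int = 17,
             cycles: int = 3) -> List[Transition]:
    """Return the port's state transitions over `cycles` authentication rounds."""
    t = 0
    eapol_seen = False   # once True, the plain guest VLAN is off the table
    failures = 0
    timeline: List[Transition] = []

    def record(state: str, vlan: Optional[int]) -> None:
        if not timeline or timeline[-1][1:] != (state, vlan):  # log real changes only
            timeline.append((t, state, vlan))

    record("unauthorized", None)
    for _ in range(cycles):
        if supplicant == ACCEPTED:
            record("authorized", data_vlan)
            break
        if supplicant == REJECTED:
            eapol_seen = True
            failures += 1
            # A reject is a real failure; after max-attempts of them the port lands in
            # the auth-fail VLAN and ignores further EAPOL-Starts, so stop here.
            if cfg.auth_fail_vlan is not None and failures >= cfg.auth_fail_max_attempts:
                record("auth-fail-vlan", cfg.auth_fail_vlan)
                break
            record("unauthorized", None)
            continue
        # No supplicant, or a supplicant that starts EAPOL but never answers Identity.
        sends_start = supplicant == START_RETRY or (
            supplicant == START_THEN_SILENT and not eapol_seen)
        if sends_start:
            eapol_seen = True
            if timeline[-1][1] == "guest-vlan":
                record("unauthorized", None)   # "Deactivated guest VLAN" in the switch log
        # max-reauth-req + 1 Identity requests, tx-period apart, all unanswered.
        t += cfg.tx_period * (cfg.max_reauth_req + 1)
        # A timeout is not a failure: never the auth-fail VLAN, only guest VLAN or nothing.
        guest_ok = cfg.guest_vlan is not None and (not eapol_seen or cfg.guest_vlan_supplicant)
        record("guest-vlan" if guest_ok else "unauthorized", cfg.guest_vlan if guest_ok else None)
    return timeline


def final_state(cfg: PortConfig, supplicant: str) -> Transition:
    """Where the port ends up after three rounds for the given supplicant."""
    return simulate(cfg, supplicant)[-1]


def flaps(timeline: List[Transition]) -> int:
    """Number of guest-VLAN entries; more than one means the port is bouncing."""
    return sum(1 for _, state, _ in timeline if state == "guest-vlan")


if __name__ == "__main__":
    # The poster's port settings as given in the thread.
    thread_cfg = PortConfig(tx_period=10, guest_vlan=999, auth_fail_vlan=999,
                            auth_fail_max_attempts=2, guest_vlan_supplicant=True)
    for who in (NO_SUPPLICANT, START_THEN_SILENT, START_RETRY, REJECTED, ACCEPTED):
        print(f"{who:14s} -> {simulate(thread_cfg, who)}")
```

Running it reproduces the two symptoms in the thread: a host with no supplicant settles in VLAN 999 after three unanswered requests at 10 seconds each (30 seconds), while a supplicant that keeps re-sending EAPOL-Start after each timeout alternates between the guest VLAN and unauthorized, which is the 30-second bouncing in the posted logs; a supplicant that sends one EAPOL-Start and then gives up settles in the guest VLAN only when guest-vlan supplicant is on.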
Thanks for your help, Jason. I will look into the configurations on all the devices again because I had this working before. Maybe I am missing something. If not, then I will check with TAC.
Appreciate your help.