05-18-2022 05:53 AM
Hello,
We are currently trying to implement 802.1x port authentication and the idea is to use MAB for the Cisco phones and certificate-based authentication for the workstations. In the majority of cases the workstation is connected behind the phone, so we need the phone to pass on the EAPOL packets to the switch.
When the phone and the computer boot at the same time, for example after shutting down the port, port authentication is working fine and the workstation can authenticate using the certificate. After some time the phone is then authenticated via MAB. However, when we then reboot the workstation or unplug the cable it seems that the phone is no longer passing on the EAPOL packets and the workstation is trying MAB instead and is thus put into the guest VLAN.
When using a model 8851 the entire procedure is working as expected; also after rebooting or unplugging the workstation it is performing 802.1X.
The phone has the following firmware version: SCCP45.9-4-2SR4-3S
The Call Manager is on version 10.5.2.10000-5
The following is the interface config:
switchport access vlan <vlan id>
switchport mode access
switchport voice vlan <voice vlan id>
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10800
authentication timer restart 5
authentication violation replace
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast
05-18-2022 06:00 AM - edited 05-18-2022 06:29 AM
Can I see show auth session?
05-18-2022 06:50 AM
When connected to Cisco 7945:
Switch#sh auth sess
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
Gi0/1      e8ed.f3aa.xxxx  mab     VOICE   Auth        0AE1FE64000000390569C84B
Gi0/1      3464.a9cf.xxxx  mab     DATA    Auth        0AE1FE640000003805698FC5
Session count = 2

Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
When connected to Cisco 8851:
Switch#sh auth sess
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
Gi0/1      e8ed.f3aa.xxxx  mab     VOICE   Auth        0AE1FE64000000390569C84B
Gi0/1      3464.a9cf.xxxx  dot1x   DATA    Auth        0AE1FE640000003805698FC5
Session count = 2

Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
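As an added check, not code from this thread or from Cisco: a small Python parser for the show auth sess rows above that flags DATA-domain sessions authorised by MAB instead of dot1x, which is exactly the workstation-behind-the-7945 symptom. The column layout, the sample rows (MACs masked as posted) and the expected-method table are assumptions taken from the outputs and interface config in this thread.

```python
import re
from dataclasses import dataclass

# One session row of IOS "show authentication sessions", for example:
#   Gi0/1  e8ed.f3aa.xxxx  mab  VOICE  Auth  0AE1FE64000000390569C84B
# The Fg column is blank unless a blocking flag is set, so it is optional here.
SESSION_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>(?:[0-9a-fA-Fx]{4}\.){2}[0-9a-fA-Fx]{4})"
    r"\s+(?P<method>\S+)\s+(?P<domain>VOICE|DATA)"
    r"\s+(?P<status>\S+(?:\s+(?:Success|Failed))?)"
    r"\s+(?:(?P<fg>[A-Z])\s+)?(?P<sid>[0-9A-Fa-f]{16,})\s*$"
)
# Assumed policy from the config in the thread ("authentication order dot1x mab",
# multi-domain): the phone may fall through to MAB, the workstation must finish dot1x.
EXPECTED_METHOD = {"VOICE": "mab", "DATA": "dot1x"}


@dataclass(frozen=True)
class AuthSession:
    interface: str
    mac: str
    method: str
    domain: str
    status: str
    session_id: str


def parse_sessions(output: str) -> list:
    """Return the session rows; prompt, header, count and flag legend are skipped."""
    rows = []
    for line in output.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            rows.append(AuthSession(m["intf"], m["mac"].lower(), m["method"].lower(),
                                    m["domain"], m["status"], m["sid"]))
    return rows


def mab_fallbacks(sessions) -> list:
    """Sessions authorised by a method other than the one their domain should use."""
    return [s for s in sessions
            if s.domain in EXPECTED_METHOD and s.method != EXPECTED_METHOD[s.domain]]


# Constructed sample mirroring the 7945 output posted above (MACs masked as posted).
SAMPLE_7945 = """\
Switch#sh auth sess
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
Gi0/1      e8ed.f3aa.xxxx  mab     VOICE   Auth        0AE1FE64000000390569C84B
Gi0/1      3464.a9cf.xxxx  mab     DATA    Auth        0AE1FE640000003805698FC5
Session count = 2
"""
```

Run it over each access switch's output; a non-empty result is the condition to alarm on, since a DATA host authorised by MAB has not presented its certificate and ends up in the guest VLAN.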
05-18-2022 12:19 PM
05-18-2022 10:54 PM
Thanks for pointing out the article, however the phone is on version 9.4.2SR4-3S so it is not relevant for that bug.
Also it is working when the phone itself is not yet authenticated; only after the phone is authenticated via MAB can the computer no longer authenticate with 802.1X.
05-19-2022 03:19 AM
https://bst.cisco.com/bugsearch/bug/CSCuu87604
I am fully sure about this bug, so I searched for bugs of the IP Phone 7900 series.
I found one interesting bug for the IP Phone 7900:
"because SECD process isn't started on IP Phone"
This explains why 802.1x succeeds the first time and then not.
So please check the log message and, if it is the same, upgrade the IP Phone.