EAPOL pass-through on Cisco 7945

roland.theisen
Level 1

Hello,

 

We are currently trying to implement 802.1x port authentication and the idea is to use MAB for the Cisco phones and certificate based authentication for the workstations. In the majority of cases the workstation is connected behind the phone so we need the phone to pass on the EAPOL packet to the switch.

 

When the phone and the computer boot at the same time, for example after shutting down the port, port authentication is working fine and the workstation can authenticate using the certificate. After some time the phone is then authenticated via MAB. However, when we then reboot the workstation or unplug the cable, it seems that the phone is no longer passing on the EAPOL packet and the workstation is trying MAB instead and is thus put into the guest VLAN.

 

When using a model 8851 the entire procedure is working as expected; also after rebooting or unplugging the workstation it is performing 802.1X.

 

The phone has the following firmware version: SCCP45.9-4-2SR4-3S

The Call Manager is on version 10.5.2.10000-5

The following is the interface config

 switchport access vlan <vlan id>
 switchport mode access
 switchport voice vlan <voice vlan id>
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 10800
 authentication timer restart 5
 authentication violation replace
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
 spanning-tree portfast


Can I see show auth session?

When connected to Cisco 7945

Switch#sh auth sess

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi0/1        e8ed.f3aa.xxxx mab     VOICE   Auth      0AE1FE64000000390569C84B
Gi0/1        3464.a9cf.xxxx mab     DATA    Auth      0AE1FE640000003805698FC5

Session count = 2

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

When connected to Cisco 8851

Switch#sh auth sess

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi0/1        e8ed.f3aa.xxxx mab     VOICE   Auth      0AE1FE64000000390569C84B
Gi0/1        3464.a9cf.xxxx dot1x   DATA    Auth      0AE1FE640000003805698FC5

Session count = 2

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker
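As an added example (not part of this thread): a small Python check that parses show authentication sessions output like the two captures above and flags ports where the DATA-domain host behind a phone ended up on MAB instead of dot1x, which is the symptom described here and worth alerting on when the workstation should have used its certificate. The two sample outputs are constructed from the captures above.

```python
import re
from collections import defaultdict

# Constructed samples, modelled on the two "sh auth sess" captures in the thread
SHOW_AUTH_7945 = """\
Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi0/1        e8ed.f3aa.xxxx mab     VOICE   Auth      0AE1FE64000000390569C84B
Gi0/1        3464.a9cf.xxxx mab     DATA    Auth      0AE1FE640000003805698FC5

Session count = 2
"""

SHOW_AUTH_8851 = """\
Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi0/1        e8ed.f3aa.xxxx mab     VOICE   Auth      0AE1FE64000000390569C84B
Gi0/1        3464.a9cf.xxxx dot1x   DATA    Auth      0AE1FE640000003805698FC5

Session count = 2
"""

# One session row: interface, MAC, method, domain, status, optional flag, session id.
# The flag letter must be followed by whitespace so a session id starting with a
# letter is not mistaken for a flag.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>[0-9a-fx]{4}\.[0-9a-fx]{4}\.[0-9a-fx]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>VOICE|DATA)\s+(?P<status>\S+)\s+"
    r"(?:(?P<fg>[A-Z])\s+)?(?P<sid>[0-9A-Fa-f]+)\s*$"
)

def parse_sessions(text):
    """Return a list of session dicts from 'show authentication sessions' output."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW.match(line))]

def mab_fallback_ports(sessions):
    """Interfaces carrying a VOICE session whose DATA-domain host authenticated
    with MAB rather than dot1x. With multi-domain and 'authentication order
    dot1x mab', that is the workstation-behind-phone case from the thread that
    ends up in the guest VLAN."""
    by_intf = defaultdict(dict)
    for s in sessions:
        by_intf[s["intf"]][s["domain"]] = s
    return sorted(
        intf for intf, doms in by_intf.items()
        if "VOICE" in doms and "DATA" in doms and doms["DATA"]["method"] == "mab"
    )

if __name__ == "__main__":
    for name, text in (("7945", SHOW_AUTH_7945), ("8851", SHOW_AUTH_8851)):
        print(name, "MAB fallback on:", mab_fallback_ports(parse_sessions(text)))
```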

Thanks for pointing out the article, however the phone is on version 9.4.2SR4-3S, so it is not relevant for the bug.

Also, it is working when the phone itself is not yet authenticated; only after the phone is authenticated via MAB can the computer no longer authenticate with 802.1X.

https://bst.cisco.com/bugsearch/bug/CSCuu87604

 

I am fully sure this is a bug, so I searched for bugs of the IP Phone 7900 series.
I found one interesting bug for the IP Phone 7900:

"because SECD process isn't started on IP Phone"

This explains why the first time 802.1x succeeds and then not.
So please check the log message and, if it is the same, upgrade the IP Phone.