Cisco 3750, 802.1x Issue.

Posted on 2009-04-28
Last Modified: 2012-05-06
We have an Alcatel-Lucent IP Phone with an 802.1x PC daisy-chained to it; the Phone connects to a Cisco 3750 authenticated port.
If the PC is connected to the Phone once the Phone is booted up, all works fine.
But if the PC is connected while the Phone is in its booting process, the Phone will not complete its booting process or connect to the network, even if a static IP address is given to it, but the 802.1x PC will be authenticated and will work fine.

Need help ASAP. Please clarify if there are any questions related to the same; I will be glad to answer them.



debug-dot1x-220409.TXT
Question by:CartikALU
Expert Comment

by:harbor235
ID: 24272487


Sounds like a phone problem, does this happen on other phones of the same model? Do you have the latest version of firmware?

harbor235 ;}

Author Comment

by:CartikALU
ID: 24273232
We tried it with a couple of models, still the same issue. Don't you think that since once the port sees an EAPOL packet from the PC, the port only allows authenticated devices, and since the IP Phone doesn't pass any authentication, it is being blocked? Just a thought??

We are using the latest firmware....

Cartik

Expert Comment

by:harbor235
ID: 24273317


Why is this a problem, just do not connect the PC during phone bootup, have it in place prior to boot?
What happens if you wait till the phone boot process completes and then connect the PC?

harbor235 ;}

Author Comment

by:CartikALU
ID: 24273971
We have around 2000 phones, and say for example if there is any upgrade or patch installed to the PCX system, the phones will boot to acquire the new changes. So when the phone boots, the PCs already connected to the system will get authenticated before the phone completes its booting process, and because the Cisco switch port changes to an authorized port, it won't allow the phone to get connected. That's what I am assuming from the problem.

But it doesn't make sense. Let's say the phone is booted up and later we connect the PC; even then the PC will be sending the EAPOL packet and the port will be in authorized state. How come then the phone's unauthorized traffic is passing through?

Is it because the MAC address of the Phone is already learned in the Cisco 3750 CAM table?

thanks again

cartik

Expert Comment

by:harbor235
ID: 24280114


What if you force a re-auth from the switch(es) on the phone ports?   Have you called Alcatel about this problem?


harbor235 ;}

Author Comment

by:CartikALU
ID: 24280466
Re-auth from the phone, that sounds like a solution to be tried. Yes, I am working with Alcatel on it, but no clues till now as to which device (Cisco switch, Alcatel IP phones, RADIUS server) is causing this issue.

But don't you think this is the way the dot1x port should work, and there are no issues with the IP phone, and only having the IP phones get authenticated by dot1x or MAC is the solution?

What do you think, Harbor235?

cartik


Expert Comment

by:harbor235
ID: 24281607

 Once the phone reboots this should cause the switch port to change dot1x state and send an EAP-request/identity frame to the phone restarting the dot1x authentication process.

Have you performed a debug of this process to see what's going on?  Do a "show dot1x interface <interface>" before and after rebooting to check state; it should look like the following:

sh dot1x int g0/41
Dot1x Info for GigabitEthernet0/41
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Enabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 60 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Guest-Vlan                = 1

So, no, I do not believe this is how dot1x should act
harbor235 ;}

Author Comment

by:CartikALU
ID: 24282016
I am doing some isolation to narrow down the problem. Will update you on how it is going, which will help us resolve the issue.

Thanks for your timely advice and suggestions.

cartik

Expert Comment

by:harbor235
ID: 24282649


Is "001b.7847.ae84" the PC or the phone?

Looks like the phone reboot here;
Apr 22 12:26:44 UAE: dot1x-ev:Resetting eapol_seen flag on GigabitEthernet1/0/3 for DATA domain

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface GigabitEthernet1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 0 on interface GigabitEthernet1/0/3 in
Apr 22 12:26:44 UAE: dot1x-ev:vlan 97 vp is removed on interface GigabitEthernet1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:ignored vlan 22 vp is added on interface GigabitEthernet1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:Setting vlan to 0 for GigabitEthernet1/0/3 on data Vlan

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_mgr_if_state_change: GigabitEthernet1/0/3 has changed to UP

Apr 22 12:26:44 UAE: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000

Apr 22 12:26:44 UAE: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000

Apr 22 12:26:44 UAE: dot1x-ev:Created a default authenticator instance on GigabitEthernet1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_enable_on_port:  Enabling dot1x on interface GigabitEthernet1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_enable_on_port: set dot1x ask handler on interface GigabitEthernet1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_addr_remove: Removed MAC 001b.7847.ae84 from vlan 97 on interface GigabitEthernet1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_vlan_assign_client_deleted for 001b.7847.ae84 on interface GigabitEthernet1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:Deleted all Authenticator clients on GigabitEthernet1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface GigabitEthernet1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi1/0/3

Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_addr_remove: Did not locate HA entry for MAC 0000.0000.0000 on interface GigabitEthernet1/0/3

INTERESTING:
Apr 22 12:28:22 UAE: dot1x-ev:dot1x_guest_vlan_modify_host_mode: Guest VLAN feature overriding host_mode on port GigabitEthernet1/0/3, forcing to DOT1X_MULTI_HOST

Apr 22 12:28:22 UAE: dot1x-ev:Couldn't find a supplicant with mac 001b.7847.ae84

Apr 22 12:28:22 UAE: dot1x-ev:dot1x_switch_mac_address_notify: Ignoring MAC 001b.7847.ae84 discovered on GigabitEthernet1/0/3(96).  Nobody is interested.

I see where it gets unauth and tries to reauth to no avail, what type of radius server do you have? Is the network stable between the phones and the radius server?

harbor235 ;}


vlan 0 = unauthenticated




Author Comment

by:CartikALU
ID: 24283417
"001b.7847.ae84"  is a PC

Expert Comment

by:harbor235
ID: 24284013

Ok, so it reauths. What is the MAC of the phone?

harbor235 ;}

Author Comment

by:CartikALU
ID: 24313201
Harbor,

Don't you think that if there is a dot1x client daisy-chained to an IP phone, even the IP phone should be a supplicant??

Accepted Solution

by:harbor235 (earned 2000 total points)
ID: 24314099

Absolutely, the phone should act as a layer 2 switch that trunks the data and voice VLAN to the upstream switch; even though the devices are daisy-chained they act independently. At least that's how a Cisco tandem architecture works. Have you looked into the docs for the phone you are using?

I never see in your dumps a different mac other than the PC mac (001b.7847.ae84) on port g1/03?

I assume vlan 57 is the voice vlan and 22 is the data vlan for the PC?

Do you have CDP enabled on the switch port, globally?

Does your port configuration include dual host mode on the switchport? i.e "switchport voice vlan 57"?

Do you have port security on as well?

hope this helps,

harbor235 ;}

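As an added example (not code from this thread, from Cisco or from Alcatel), the following Python script parses the two artefacts quoted above, the "show dot1x interface" output in comment ID 24281607 and the dot1x-ev debug lines in comment ID 24282649, and flags the combination the discussion turns on: a port in SINGLE_HOST mode that drops to unauthorized, flushes the one learned MAC, and later sees a MAC that no supplicant context claims. The sample lines are constructed from the values visible on this page; only event strings that appear in the thread are matched.

```python
import re
from collections import defaultdict
# Constructed sample: lines copied from the show/debug output quoted in this thread.
SHOW_DOT1X = """\
PAE                       = AUTHENTICATOR
HostMode                  = SINGLE_HOST
"""
DEBUG = """\
Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface GigabitEthernet1/0/3
Apr 22 12:26:44 UAE: dot1x-ev:dot1x_switch_addr_remove: Removed MAC 001b.7847.ae84 from vlan 97 on interface GigabitEthernet1/0/3
Apr 22 12:28:22 UAE: dot1x-ev:dot1x_guest_vlan_modify_host_mode: Guest VLAN feature overriding host_mode on port GigabitEthernet1/0/3, forcing to DOT1X_MULTI_HOST
Apr 22 12:28:22 UAE: dot1x-ev:dot1x_switch_mac_address_notify: Ignoring MAC 001b.7847.ae84 discovered on GigabitEthernet1/0/3(96).  Nobody is interested.
"""
IFACE = re.compile(r"(GigabitEthernet\d+(?:/\d+)+)")
MAC = re.compile(r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")

def parse_show_dot1x(text):
    """Turn the 'Key = Value' lines of 'show dot1x interface' into a dict."""
    hits = (re.match(r"\s*([\w-]+)\s*=\s*(.*\S)", ln) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in hits if m}

def parse_debug(text):
    """Per interface: unauthorize count, MACs removed/ignored, forced host mode."""
    ports = defaultdict(lambda: {"unauth": 0, "removed": set(), "ignored": set(), "forced": None})
    for ln in text.splitlines():
        iface, mac = IFACE.search(ln), MAC.search(ln)
        if "dot1x-ev:" not in ln or not iface:
            continue  # not a dot1x event, or no port to attribute it to
        p = ports[iface.group(1)]
        if "Unauthorizing interface" in ln:
            p["unauth"] += 1  # port fell back to unauthorized (the phone reboot)
        elif "Removed MAC" in ln and mac:
            p["removed"].add(mac.group(1))  # the single learned MAC flushed from the port
        elif "Ignoring MAC" in ln and mac:
            p["ignored"].add(mac.group(1))  # seen again, but no supplicant entry claims it
        elif "forcing to" in ln:
            p["forced"] = ln.rsplit("forcing to ", 1)[1].strip()
    return dict(ports)

def findings(show, ports):
    """What the thread's symptom looks like in these two outputs."""
    out = []
    if show.get("HostMode") == "SINGLE_HOST":
        out.append("SINGLE_HOST: one authorized MAC per port; a phone with a PC behind it needs a voice and a data domain")
    for iface, p in ports.items():
        if p["ignored"]:
            out.append(f"{iface}: MAC {sorted(p['ignored'])} seen but not tied to any supplicant")
        if p["forced"]:
            out.append(f"{iface}: guest VLAN override forced host mode to {p['forced']}")
    return out
```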

Author Closing Comment

by:CartikALU
ID: 31575596
Hi Harbor,

Thanks for your time and expertise.... will disturb you with such tricky questions in the future. cheers