Christoforos Acadjiotis asked:
Multi-Domain authentication with non-cisco phones

Dear all,

I am currently using Dot1x to authenticate my users on the domain through an NPS server. My switchport implementation is the following:
interface GigabitEthernet1/0/X
 switchport mode access
 switchport voice vlan 100
 no logging event link-status
 authentication control-direction in
 authentication event server dead action authorize vlan 300
 authentication event no-response action authorize vlan 1023
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication port-control auto
 authentication violation restrict
 mab eap
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 flowcontrol receive desired
 storm-control broadcast level 0.50 0.40
 storm-control multicast level 0.50 0.40
 spanning-tree portfast

Users are authenticated with no problem. The final implementation needs the AASTRA telephones to be connected to the switchport and then the PCs to be connected to the telephones. The telephones are discovered through LLDP but then do not authenticate on the network.
The authentication implementation is as follows: the telephone should not authenticate on VLAN 100 (voice VLAN), and the user, through the PC port of the telephone device, should authenticate through dot1x.

While the telephone is set with no authentication, the NPS server is sending EAPOL packets to the device for authentication, with the following debug:

Mar 24 2015 12:19:39.449 EET: @@@ dot1x_auth Gi1/0/19: auth_authenticating -> auth_authc_result
Mar 24 2015 12:19:39.449 EET: dot1x-sm(Gi1/0/19): 0x810007EC:auth_authenticating_exit called
Mar 24 2015 12:19:39.455 EET: dot1x-sm(Gi1/0/19): 0x810007EC:auth_authc_result_enter called
Mar 24 2015 12:19:39.455 EET: %DOT1X-5-FAIL: Authentication failed for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: dot1x-ev(Gi1/0/19): Sending event (2) to Auth Mgr for 0008.5d44.e338
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: dot1x-redundancy: State for client  0008.5d44.e338 successfully retrieved
Mar 24 2015 12:19:39.455 EET: dot1x-ev(Gi1/0/19): Received Authz fail for the client  0x810007EC (0008.5d44.e338)
Mar 24 2015 12:19:39.455 EET: dot1x-sm(Gi1/0/19): Posting_AUTHZ_FAIL on Client 0x810007EC
Mar 24 2015 12:19:39.455 EET:     dot1x_auth Gi1/0/19: during state auth_authc_result, got event 22(authzFail)

Has anyone come across such an implementation problem?

eeRoot replied:

Are the phones authenticating by mab or dot1x?  Can you post screenshots of the authentication and authorization statements that should be allowing the phones on?
Asker-certified solution, posted by Christoforos Acadjiotis (asker):
Please have a look at the following debugging. The PC connected to the PC port of the Mitel telephone eventually ends up in VLAN 1023 (guest VLAN).

Mar 26 2015 11:33:37.679 EET: dot1x-sm(Gi1/0/19): Posting EAP_REQ for 0xD7000020
Mar 26 2015 11:33:37.679 EET:     dot1x_auth_bend Gi1/0/19: during state auth_bend_request, got event 7(eapReq)
Mar 26 2015 11:33:37.679 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_request -> auth_bend_request
Mar 26 2015 11:33:37.679 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_request_request_action called
Mar 26 2015 11:33:37.679 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_request_enter called
Mar 26 2015 11:33:37.679 EET: dot1x-ev(Gi1/0/19): Sending EAPOL packet to 0050.b67c.0c14
Mar 26 2015 11:33:37.679 EET: dot1x-ev(Gi1/0/19): Role determination not required
cy1-b2-c2960-7#
Mar 26 2015 11:33:37.679 EET: dot1x-registry:registry:dot1x_ether_macaddr called
Mar 26 2015 11:33:37.679 EET: dot1x-ev(Gi1/0/19): Sending out EAPOL packet
Mar 26 2015 11:33:37.679 EET: EAPOL pak dump Tx
Mar 26 2015 11:33:37.679 EET: EAPOL Version: 0x3  type: 0x0  length: 0x0005
Mar 26 2015 11:33:37.679 EET: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1 
Mar 26 2015 11:33:37.679 EET: dot1x-packet(Gi1/0/19): EAPOL packet sent to client 0xD7000020 (0050.b67c.0c14)
cy1-b2-c2960-7#
Mar 26 2015 11:34:08.608 EET: dot1x-sm(Gi1/0/19): Posting EAP_REQ for 0xD7000020
Mar 26 2015 11:34:08.608 EET:     dot1x_auth_bend Gi1/0/19: during state auth_bend_request, got event 7(eapReq)
Mar 26 2015 11:34:08.608 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_request -> auth_bend_request
Mar 26 2015 11:34:08.608 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_request_request_action called
Mar 26 2015 11:34:08.608 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_request_enter called
Mar 26 2015 11:34:08.608 EET: dot1x-ev(Gi1/0/19): Sending EAPOL packet to 0050.b67c.0c14
Mar 26 2015 11:34:08.608 EET: dot1x-ev(Gi1/0/19): Role determination not required
cy1-b2-c2960-7#
Mar 26 2015 11:34:08.608 EET: dot1x-registry:registry:dot1x_ether_macaddr called
Mar 26 2015 11:34:08.608 EET: dot1x-ev(Gi1/0/19): Sending out EAPOL packet
Mar 26 2015 11:34:08.608 EET: EAPOL pak dump Tx
Mar 26 2015 11:34:08.608 EET: EAPOL Version: 0x3  type: 0x0  length: 0x0005
Mar 26 2015 11:34:08.608 EET: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1 
Mar 26 2015 11:34:08.608 EET: dot1x-packet(Gi1/0/19): EAPOL packet sent to client 0xD7000020 (0050.b67c.0c14)
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Received an EAP Timeout
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): Posting EAP_TIMEOUT for 0xD7000020
Mar 26 2015 11:34:39.489 EET:     dot1x_auth_bend Gi1/0/19: during state auth_bend_request, got event 12(eapTimeout)
Mar 26 2015 11:34:39.489 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_request -> auth_bend_timeout
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_timeout_enter called
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_request_timeout_action called
Mar 26 2015 11:34:39.489 EET:     dot1x_auth_bend Gi1/0/19: idle during state auth_bend_timeout
Mar 26 2015 11:34:39.489 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_timeout -> auth_bend_idle
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_idle_enter called
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): Posting AUTH_TIMEOUT on Client 0xD7000020
Mar 26 2015 11:34:39.489 EET:     dot1x_auth Gi1/0/19: during state auth_authenticating, got event 14(authTimeout)
Mar 26 2015 11:34:39.489 EET: @@@ dot1x_auth Gi1/0/19: auth_authenticating -> auth_authc_result
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_authenticating_exit called
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_authc_result_enter called
Mar 26 2015 11:34:39.489 EET: %DOT1X-5-FAIL: Authentication failed for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Sending event (2) to Auth Mgr for 0050.b67c.0c14
Mar 26 2015 11:34:39.489 EET: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Received Authz fail for the client  0xD7000020 (0050.b67c.0c14)
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Deleting client 0xD7000020 (0050.b67c.0c14)
Mar 26 2015 11:34:39.489 EET: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.495 EET: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.495 EET: %AUTHMGR-5-VLANASSIGN: VLAN 1023 assigned to Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.510 EET: dot1x-sm(Gi1/0/19): Posting_AUTHZ_FAIL on Client 0xD7000020
Mar 26 2015 11:34:39.510 EET:     dot1x_auth Gi1/0/19: during state auth_authc_result, got event 22(authzFail)
Mar 26 2015 11:34:39.510 EET: @@@ dot1x_auth Gi1/0/19: auth_authc_result -> auth_held
Mar 26 2015 11:34:39.510 EET: dot1x-ev:Delete auth client (0xD7000020) message
Mar 26 2015 11:34:39.510 EET: dot1x-ev:Auth client ctx destroyed
Mar 26 2015 11:34:39.510 EET: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
cy1-b2-c2960-7#show authentication sessions interface gio 
Mar 26 2015 11:34:39.794 EET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58

The solution to the task at hand was a bad entry on the NPS server. The VSA string was mistyped based on bad information.
The correct format for the Vendor Specific Attribute is "device-traffic-class=voice".
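An added example, not code from any of the posts above: the Python below groups Cisco %AUTHMGR/%DOT1X syslog lines like the two debug dumps in this thread by AuditSessionID and labels each session as rejected (the first dump, where the RADIUS server answered 'fail'), guest-VLAN fallback (the second dump, where nothing answered EAPOL, MAB was exhausted and the port authorized VLAN 1023 on its own), critical-VLAN fallback, or authorized. It also checks an Access-Accept's Cisco-AVPair values for the exact "device-traffic-class=voice" string that resolved the thread. The sample log is constructed from the lines posted above and abbreviated; the VLAN numbers are taken from the posted interface config; the alternative AV-pair spellings used to exercise the checker are constructed and are not the asker's actual typo.

```python
"""Classify Cisco IOS 802.1X/MAB session outcomes from %AUTHMGR/%DOT1X syslog lines.

Added example for this thread, not code from the original posts. The line shapes
follow the debug output pasted above; SAMPLE_LOG is constructed from it and abbreviated.
"""
import re
from collections import defaultdict

# Constructed sample (MACs, interface and session IDs as they appear in the thread).
SAMPLE_LOG = """\
Mar 24 2015 12:19:39.455 EET: %DOT1X-5-FAIL: Authentication failed for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 26 2015 11:34:39.489 EET: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.489 EET: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.495 EET: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.495 EET: %AUTHMGR-5-VLANASSIGN: VLAN 1023 assigned to Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.794 EET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
"""

MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$")
SESSION_RE = re.compile(r"AuditSessionID (?P<sid>[0-9A-Fa-f]+)")
CLIENT_RE = re.compile(r"client \((?P<mac>[^)]+)\)")
IFACE_RE = re.compile(r"on Interface (?P<iface>\S+)")
RESULT_RE = re.compile(r"result '(?P<result>[\w-]+)' from '(?P<method>\w+)'")
VLAN_RE = re.compile(r"VLAN (?P<vlan>\d+) assigned")

# VLANs this port authorizes without a successful credential exchange, taken from
# the posted interface config (assumed policy inputs for the classifier).
NO_RESPONSE_VLAN = 1023   # authentication event no-response action authorize vlan 1023
SERVER_DEAD_VLAN = 300    # authentication event server dead action authorize vlan 300


def parse_line(line):
    """Return a record for one %FACILITY-SEV-MNEMONIC line, or None for plain debug lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"mnemonic": m.group("mnemonic"), "text": m.group("text")}
    for key, rx in (("sid", SESSION_RE), ("mac", CLIENT_RE), ("iface", IFACE_RE), ("vlan", VLAN_RE)):
        hit = rx.search(rec["text"])
        rec[key] = hit.group(key) if hit else None
    hit = RESULT_RE.search(rec["text"])
    rec["result"] = hit.group("result") if hit else None
    rec["method"] = hit.group("method") if hit else None
    if rec["vlan"] is not None:
        rec["vlan"] = int(rec["vlan"])
    return rec


def classify_sessions(log_text):
    """Group parsed lines by AuditSessionID and label each session's outcome."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["sid"]:
            sessions[rec["sid"]].append(rec)

    outcomes = {}
    for sid, recs in sessions.items():
        results = {(r["method"], r["result"]) for r in recs if r["result"]}
        mnemonics = {r["mnemonic"] for r in recs}
        vlans = [r["vlan"] for r in recs if r["vlan"] is not None]
        mac = next((r["mac"] for r in recs if r["mac"] and r["mac"] != "Unknown MAC"), None)
        iface = next((r["iface"] for r in recs if r["iface"]), None)

        if any(res == "fail" for _, res in results):
            # The RADIUS server answered and rejected, or the authorization it returned
            # could not be applied: a policy/attribute problem, not a silent client.
            label = "rejected"
        elif "NOMOREMETHODS" in mnemonics and vlans and vlans[-1] == NO_RESPONSE_VLAN:
            # No supplicant answered EAPOL and MAB had nothing to offer, so the port
            # authorized the no-response VLAN with no credential at all.
            label = "guest-vlan-fallback"
        elif vlans and vlans[-1] == SERVER_DEAD_VLAN:
            label = "critical-vlan-fallback"
        elif "SUCCESS" in mnemonics:
            label = "authorized"
        else:
            label = "incomplete"
        outcomes[sid] = {"iface": iface, "mac": mac,
                         "vlan": vlans[-1] if vlans else None, "label": label}
    return outcomes


def voice_domain_from_avpairs(avpairs):
    """True only if a Cisco-AVPair (vendor 9, attribute 1) value is exactly
    'device-traffic-class=voice'. The switch matches the string literally, so no
    whitespace or spelling variation is tolerated here either."""
    for pair in avpairs:
        key, sep, value = pair.partition("=")
        if sep and key == "device-traffic-class" and value == "voice":
            return True
    return False


if __name__ == "__main__":
    for sid, info in classify_sessions(SAMPLE_LOG).items():
        print(sid, info)
    print(voice_domain_from_avpairs(["device-traffic-class=voice"]))
```

The distinction the classifier draws is the one that matters when reading these dumps: a 'fail' result means the RADIUS server answered and the switch could not use what came back, which points at the server-side policy or returned attributes, while 'no-response' followed by NOMOREMETHODS and VLANASSIGN means nothing ever authenticated and the port's own fallback placed the endpoint in VLAN 1023. Sessions carrying the guest-VLAN-fallback label are the ones worth alerting on, since any device without a supplicant lands there silently.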