Multi-Domain authentication with non-cisco phones
Dear all,
I am currently using Dot1x to authenticate my users on the domain through an NPS server. My switchport implementation is the following:
interface GigabitEthernet1/0/X
switchport mode access
switchport voice vlan 100
no logging event link-status
authentication control-direction in
authentication event server dead action authorize vlan 300
authentication event no-response action authorize vlan 1023
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
authentication violation restrict
mab eap
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
flowcontrol receive desired
storm-control broadcast level 0.50 0.40
storm-control multicast level 0.50 0.40
spanning-tree portfast
Users are authenticated with no problem. the final implementation needs the AASTRA telephones to be connected to the switchport and then PCs to be connected to the telephones. The telephones are discovered through LLDP but then do not authenticate on the network.
The Authentication implementation is as follows: the telephone should not authenticate on Vlan 100 (voice vlan) and the user through the PC port of the telephone device to authenticate through Dot1x.
While the telephone is set with no authentication the NPS server is sending EAPOL packets to the device for authentication with the following debug:
Mar 24 2015 12:19:39.449 EET: @@@ dot1x_auth Gi1/0/19: auth_authenticating -> auth_authc_result
Mar 24 2015 12:19:39.449 EET: dot1x-sm(Gi1/0/19): 0x810007EC:auth_authentica
Mar 24 2015 12:19:39.455 EET: dot1x-sm(Gi1/0/19): 0x810007EC:auth_authc_resu
Mar 24 2015 12:19:39.455 EET: %DOT1X-5-FAIL: Authentication failed for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: dot1x-ev(Gi1/0/19): Sending event (2) to Auth Mgr for 0008.5d44.e338
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: dot1x-redundancy: State for client 0008.5d44.e338 successfully retrieved
Mar 24 2015 12:19:39.455 EET: dot1x-ev(Gi1/0/19): Received Authz fail for the client 0x810007EC (0008.5d44.e338)
Mar 24 2015 12:19:39.455 EET: dot1x-sm(Gi1/0/19): Posting_AUTHZ_FAIL on Client 0x810007EC
Mar 24 2015 12:19:39.455 EET: dot1x_auth Gi1/0/19: during state auth_authc_result, got event 22(authzFail)
has anyone came across such an implementation problem?
I am currently using Dot1x to authenticate my users on the domain through an NPS server. My switchport implementation is the following:
interface GigabitEthernet1/0/X
switchport mode access
switchport voice vlan 100
no logging event link-status
authentication control-direction in
authentication event server dead action authorize vlan 300
authentication event no-response action authorize vlan 1023
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
authentication violation restrict
mab eap
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
flowcontrol receive desired
storm-control broadcast level 0.50 0.40
storm-control multicast level 0.50 0.40
spanning-tree portfast
Users are authenticated with no problem. the final implementation needs the AASTRA telephones to be connected to the switchport and then PCs to be connected to the telephones. The telephones are discovered through LLDP but then do not authenticate on the network.
The Authentication implementation is as follows: the telephone should not authenticate on Vlan 100 (voice vlan) and the user through the PC port of the telephone device to authenticate through Dot1x.
While the telephone is set with no authentication the NPS server is sending EAPOL packets to the device for authentication with the following debug:
Mar 24 2015 12:19:39.449 EET: @@@ dot1x_auth Gi1/0/19: auth_authenticating -> auth_authc_result
Mar 24 2015 12:19:39.449 EET: dot1x-sm(Gi1/0/19): 0x810007EC:auth_authentica
Mar 24 2015 12:19:39.455 EET: dot1x-sm(Gi1/0/19): 0x810007EC:auth_authc_resu
Mar 24 2015 12:19:39.455 EET: %DOT1X-5-FAIL: Authentication failed for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: dot1x-ev(Gi1/0/19): Sending event (2) to Auth Mgr for 0008.5d44.e338
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: dot1x-redundancy: State for client 0008.5d44.e338 successfully retrieved
Mar 24 2015 12:19:39.455 EET: dot1x-ev(Gi1/0/19): Received Authz fail for the client 0x810007EC (0008.5d44.e338)
Mar 24 2015 12:19:39.455 EET: dot1x-sm(Gi1/0/19): Posting_AUTHZ_FAIL on Client 0x810007EC
Mar 24 2015 12:19:39.455 EET: dot1x_auth Gi1/0/19: during state auth_authc_result, got event 22(authzFail)
has anyone came across such an implementation problem?
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
LVL 22
Are the phones authenticating by mab or dot1x? Can you post screenshots of the authentication and authorization statements that should be allowing the phones on?
Update! The phones authenticate through MAB and a connection with the PBX and DHCP has been established. The telephone got updates and an IP address. I'm getting closer! The problem was a misconfiguration on the NPS server at the VSA string implementation.
the problem now is that whatever PC I connect to the PC port of the Mitel Telephone does not attempt a Dot1x authentication so the switchport turns to the guest VLAN. My current switchport is the following:
interface GigabitEthernet1/0/19
description Dot1x KM office test link
switchport mode access
switchport voice vlan 100
no logging event link-status
authentication control-direction in
authentication event server dead action authorize vlan 300
authentication event no-response action authorize vlan 1023
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
mab eap
dot1x pae authenticator
flowcontrol receive desired
storm-control broadcast level 0.50 0.40
storm-control multicast level 0.50 0.40
spanning-tree portfast
the results of the authentication sessions for that switchport is the following:
cy1-b2-c2960-7#show authentication sessions inter gi 1/0/19
Interface: GigabitEthernet1/0/19
MAC Address: Unknown
IP Address: Unknown
User-Name: UNRESPONSIVE
Status: Authz Success
Domain: DATA
Oper host mode: multi-host
Oper control dir: in
Authorized By: Guest Vlan
Vlan Policy: 1023
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A971407000000CD000ACF9B
Acct Session ID: 0x000000CF
Handle: 0xA20000CE
Runnable methods list:
Method State
dot1x Failed over
mab Failed over
--------------------------
Interface: GigabitEthernet1/0/19
MAC Address: 0008.5d44.e338
IP Address: Unknown
User-Name: 00085d44e338
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: in
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A9714070000000C00025412
Acct Session ID: 0x0000000D
Handle: 0x2600000D
Runnable methods list:
Method State
dot1x Not run
mab Authc Success
the problem now is that whatever PC I connect to the PC port of the Mitel Telephone does not attempt a Dot1x authentication so the switchport turns to the guest VLAN. My current switchport is the following:
interface GigabitEthernet1/0/19
description Dot1x KM office test link
switchport mode access
switchport voice vlan 100
no logging event link-status
authentication control-direction in
authentication event server dead action authorize vlan 300
authentication event no-response action authorize vlan 1023
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
mab eap
dot1x pae authenticator
flowcontrol receive desired
storm-control broadcast level 0.50 0.40
storm-control multicast level 0.50 0.40
spanning-tree portfast
the results of the authentication sessions for that switchport is the following:
cy1-b2-c2960-7#show authentication sessions inter gi 1/0/19
Interface: GigabitEthernet1/0/19
MAC Address: Unknown
IP Address: Unknown
User-Name: UNRESPONSIVE
Status: Authz Success
Domain: DATA
Oper host mode: multi-host
Oper control dir: in
Authorized By: Guest Vlan
Vlan Policy: 1023
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A971407000000CD000ACF9B
Acct Session ID: 0x000000CF
Handle: 0xA20000CE
Runnable methods list:
Method State
dot1x Failed over
mab Failed over
--------------------------
Interface: GigabitEthernet1/0/19
MAC Address: 0008.5d44.e338
IP Address: Unknown
User-Name: 00085d44e338
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: in
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A9714070000000C00025412
Acct Session ID: 0x0000000D
Handle: 0x2600000D
Runnable methods list:
Method State
dot1x Not run
mab Authc Success
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Please have a look at the following debugging. The PC connceceted to the PC port of the Mitel telephone eventually fails to VLAN 1023 (guest Vlan).
Mar 26 2015 11:33:37.679 EET: dot1x-sm(Gi1/0/19): Posting EAP_REQ for 0xD7000020
Mar 26 2015 11:33:37.679 EET: dot1x_auth_bend Gi1/0/19: during state auth_bend_request, got event 7(eapReq)
Mar 26 2015 11:33:37.679 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_request -> auth_bend_request
Mar 26 2015 11:33:37.679 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_reque
Mar 26 2015 11:33:37.679 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_reque
Mar 26 2015 11:33:37.679 EET: dot1x-ev(Gi1/0/19): Sending EAPOL packet to 0050.b67c.0c14
Mar 26 2015 11:33:37.679 EET: dot1x-ev(Gi1/0/19): Role determination not required
cy1-b2-c2960-7#
Mar 26 2015 11:33:37.679 EET: dot1x-registry:registry:do
Mar 26 2015 11:33:37.679 EET: dot1x-ev(Gi1/0/19): Sending out EAPOL packet
Mar 26 2015 11:33:37.679 EET: EAPOL pak dump Tx
Mar 26 2015 11:33:37.679 EET: EAPOL Version: 0x3 type: 0x0 length: 0x0005
Mar 26 2015 11:33:37.679 EET: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
Mar 26 2015 11:33:37.679 EET: dot1x-packet(Gi1/0/19): EAPOL packet sent to client 0xD7000020 (0050.b67c.0c14)
cy1-b2-c2960-7#
Mar 26 2015 11:34:08.608 EET: dot1x-sm(Gi1/0/19): Posting EAP_REQ for 0xD7000020
Mar 26 2015 11:34:08.608 EET: dot1x_auth_bend Gi1/0/19: during state auth_bend_request, got event 7(eapReq)
Mar 26 2015 11:34:08.608 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_request -> auth_bend_request
Mar 26 2015 11:34:08.608 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_reque
Mar 26 2015 11:34:08.608 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_reque
Mar 26 2015 11:34:08.608 EET: dot1x-ev(Gi1/0/19): Sending EAPOL packet to 0050.b67c.0c14
Mar 26 2015 11:34:08.608 EET: dot1x-ev(Gi1/0/19): Role determination not required
cy1-b2-c2960-7#
Mar 26 2015 11:34:08.608 EET: dot1x-registry:registry:do
Mar 26 2015 11:34:08.608 EET: dot1x-ev(Gi1/0/19): Sending out EAPOL packet
Mar 26 2015 11:34:08.608 EET: EAPOL pak dump Tx
Mar 26 2015 11:34:08.608 EET: EAPOL Version: 0x3 type: 0x0 length: 0x0005
Mar 26 2015 11:34:08.608 EET: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
Mar 26 2015 11:34:08.608 EET: dot1x-packet(Gi1/0/19): EAPOL packet sent to client 0xD7000020 (0050.b67c.0c14)
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Received an EAP Timeout
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): Posting EAP_TIMEOUT for 0xD7000020
Mar 26 2015 11:34:39.489 EET: dot1x_auth_bend Gi1/0/19: during state auth_bend_request, got event 12(eapTimeout)
Mar 26 2015 11:34:39.489 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_request -> auth_bend_timeout
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_timeo
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_reque
Mar 26 2015 11:34:39.489 EET: dot1x_auth_bend Gi1/0/19: idle during state auth_bend_timeout
Mar 26 2015 11:34:39.489 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_timeout -> auth_bend_idle
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_idle_
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): Posting AUTH_TIMEOUT on Client 0xD7000020
Mar 26 2015 11:34:39.489 EET: dot1x_auth Gi1/0/19: during state auth_authenticating, got event 14(authTimeout)
Mar 26 2015 11:34:39.489 EET: @@@ dot1x_auth Gi1/0/19: auth_authenticating -> auth_authc_result
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_authentica
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_authc_resu
Mar 26 2015 11:34:39.489 EET: %DOT1X-5-FAIL: Authentication failed for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Sending event (2) to Auth Mgr for 0050.b67c.0c14
Mar 26 2015 11:34:39.489 EET: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Received Authz fail for the client 0xD7000020 (0050.b67c.0c14)
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Deleting client 0xD7000020 (0050.b67c.0c14)
Mar 26 2015 11:34:39.489 EET: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.495 EET: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.495 EET: %AUTHMGR-5-VLANASSIGN: VLAN 1023 assigned to Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.510 EET: dot1x-sm(Gi1/0/19): Posting_AUTHZ_FAIL on Client 0xD7000020
Mar 26 2015 11:34:39.510 EET: dot1x_auth Gi1/0/19: during state auth_authc_result, got event 22(authzFail)
Mar 26 2015 11:34:39.510 EET: @@@ dot1x_auth Gi1/0/19: auth_authc_result -> auth_held
Mar 26 2015 11:34:39.510 EET: dot1x-ev:Delete auth client (0xD7000020) message
Mar 26 2015 11:34:39.510 EET: dot1x-ev:Auth client ctx destroyed
Mar 26 2015 11:34:39.510 EET: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
cy1-b2-c2960-7#show authentication sessions interface gio
Mar 26 2015 11:34:39.794 EET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:33:37.679 EET: dot1x-sm(Gi1/0/19): Posting EAP_REQ for 0xD7000020
Mar 26 2015 11:33:37.679 EET: dot1x_auth_bend Gi1/0/19: during state auth_bend_request, got event 7(eapReq)
Mar 26 2015 11:33:37.679 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_request -> auth_bend_request
Mar 26 2015 11:33:37.679 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_reque
Mar 26 2015 11:33:37.679 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_reque
Mar 26 2015 11:33:37.679 EET: dot1x-ev(Gi1/0/19): Sending EAPOL packet to 0050.b67c.0c14
Mar 26 2015 11:33:37.679 EET: dot1x-ev(Gi1/0/19): Role determination not required
cy1-b2-c2960-7#
Mar 26 2015 11:33:37.679 EET: dot1x-registry:registry:do
Mar 26 2015 11:33:37.679 EET: dot1x-ev(Gi1/0/19): Sending out EAPOL packet
Mar 26 2015 11:33:37.679 EET: EAPOL pak dump Tx
Mar 26 2015 11:33:37.679 EET: EAPOL Version: 0x3 type: 0x0 length: 0x0005
Mar 26 2015 11:33:37.679 EET: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
Mar 26 2015 11:33:37.679 EET: dot1x-packet(Gi1/0/19): EAPOL packet sent to client 0xD7000020 (0050.b67c.0c14)
cy1-b2-c2960-7#
Mar 26 2015 11:34:08.608 EET: dot1x-sm(Gi1/0/19): Posting EAP_REQ for 0xD7000020
Mar 26 2015 11:34:08.608 EET: dot1x_auth_bend Gi1/0/19: during state auth_bend_request, got event 7(eapReq)
Mar 26 2015 11:34:08.608 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_request -> auth_bend_request
Mar 26 2015 11:34:08.608 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_reque
Mar 26 2015 11:34:08.608 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_reque
Mar 26 2015 11:34:08.608 EET: dot1x-ev(Gi1/0/19): Sending EAPOL packet to 0050.b67c.0c14
Mar 26 2015 11:34:08.608 EET: dot1x-ev(Gi1/0/19): Role determination not required
cy1-b2-c2960-7#
Mar 26 2015 11:34:08.608 EET: dot1x-registry:registry:do
Mar 26 2015 11:34:08.608 EET: dot1x-ev(Gi1/0/19): Sending out EAPOL packet
Mar 26 2015 11:34:08.608 EET: EAPOL pak dump Tx
Mar 26 2015 11:34:08.608 EET: EAPOL Version: 0x3 type: 0x0 length: 0x0005
Mar 26 2015 11:34:08.608 EET: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
Mar 26 2015 11:34:08.608 EET: dot1x-packet(Gi1/0/19): EAPOL packet sent to client 0xD7000020 (0050.b67c.0c14)
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Received an EAP Timeout
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): Posting EAP_TIMEOUT for 0xD7000020
Mar 26 2015 11:34:39.489 EET: dot1x_auth_bend Gi1/0/19: during state auth_bend_request, got event 12(eapTimeout)
Mar 26 2015 11:34:39.489 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_request -> auth_bend_timeout
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_timeo
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_reque
Mar 26 2015 11:34:39.489 EET: dot1x_auth_bend Gi1/0/19: idle during state auth_bend_timeout
Mar 26 2015 11:34:39.489 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_timeout -> auth_bend_idle
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_idle_
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): Posting AUTH_TIMEOUT on Client 0xD7000020
Mar 26 2015 11:34:39.489 EET: dot1x_auth Gi1/0/19: during state auth_authenticating, got event 14(authTimeout)
Mar 26 2015 11:34:39.489 EET: @@@ dot1x_auth Gi1/0/19: auth_authenticating -> auth_authc_result
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_authentica
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_authc_resu
Mar 26 2015 11:34:39.489 EET: %DOT1X-5-FAIL: Authentication failed for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Sending event (2) to Auth Mgr for 0050.b67c.0c14
Mar 26 2015 11:34:39.489 EET: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Received Authz fail for the client 0xD7000020 (0050.b67c.0c14)
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Deleting client 0xD7000020 (0050.b67c.0c14)
Mar 26 2015 11:34:39.489 EET: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.495 EET: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.495 EET: %AUTHMGR-5-VLANASSIGN: VLAN 1023 assigned to Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.510 EET: dot1x-sm(Gi1/0/19): Posting_AUTHZ_FAIL on Client 0xD7000020
Mar 26 2015 11:34:39.510 EET: dot1x_auth Gi1/0/19: during state auth_authc_result, got event 22(authzFail)
Mar 26 2015 11:34:39.510 EET: @@@ dot1x_auth Gi1/0/19: auth_authc_result -> auth_held
Mar 26 2015 11:34:39.510 EET: dot1x-ev:Delete auth client (0xD7000020) message
Mar 26 2015 11:34:39.510 EET: dot1x-ev:Auth client ctx destroyed
Mar 26 2015 11:34:39.510 EET: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
cy1-b2-c2960-7#show authentication sessions interface gio
Mar 26 2015 11:34:39.794 EET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
The solution to the task at hand was a bad entry on the NPS server. The VSA string was mistyped based on bad information.
The correct format for the Vendor Specific Attribute is "device-traffic-class=voic
The correct format for the Vendor Specific Attribute is "device-traffic-class=voic
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
IP Telephony
From novice to tech pro — start learning today.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.