Multi-Domain authentication with non-cisco phones

Dear all,

I am currently using Dot1x to authenticate my users on the domain through an NPS server. My switchport implementation is the following:
interface GigabitEthernet1/0/X
 switchport mode access
 switchport voice vlan 100
 no logging event link-status
 authentication control-direction in
 authentication event server dead action authorize vlan 300
 authentication event no-response action authorize vlan 1023
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication port-control auto
 authentication violation restrict
 mab eap
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 flowcontrol receive desired
 storm-control broadcast level 0.50 0.40
 storm-control multicast level 0.50 0.40
 spanning-tree portfast

Users are authenticated with no problem. The final implementation needs the AASTRA telephones to be connected to the switchport and then PCs to be connected to the telephones. The telephones are discovered through LLDP but then do not authenticate on the network.
The authentication implementation is as follows: the telephone should not authenticate on VLAN 100 (voice VLAN), and the user, through the PC port of the telephone device, should authenticate through Dot1x.

While the telephone is set with no authentication, the NPS server is sending EAPOL packets to the device for authentication, with the following debug:

Mar 24 2015 12:19:39.449 EET: @@@ dot1x_auth Gi1/0/19: auth_authenticating -> auth_authc_result
Mar 24 2015 12:19:39.449 EET: dot1x-sm(Gi1/0/19): 0x810007EC:auth_authenticating_exit called
Mar 24 2015 12:19:39.455 EET: dot1x-sm(Gi1/0/19): 0x810007EC:auth_authc_result_enter called
Mar 24 2015 12:19:39.455 EET: %DOT1X-5-FAIL: Authentication failed for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: dot1x-ev(Gi1/0/19): Sending event (2) to Auth Mgr for 0008.5d44.e338
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: dot1x-redundancy: State for client  0008.5d44.e338 successfully retrieved
Mar 24 2015 12:19:39.455 EET: dot1x-ev(Gi1/0/19): Received Authz fail for the client  0x810007EC (0008.5d44.e338)
Mar 24 2015 12:19:39.455 EET: dot1x-sm(Gi1/0/19): Posting_AUTHZ_FAIL on Client 0x810007EC
Mar 24 2015 12:19:39.455 EET:     dot1x_auth Gi1/0/19: during state auth_authc_result, got event 22(authzFail)

Has anyone come across such an implementation problem?
Christoforos Acadjiotis (Systems and Network Administrator) asked:

eeRoot commented:
Are the phones authenticating by mab or dot1x?  Can you post screenshots of the authentication and authorization statements that should be allowing the phones on?
Christoforos Acadjiotis (Systems and Network Administrator, author) commented:
Update! The phones authenticate through MAB and a connection with the PBX and DHCP has been established. The telephone got updates and an IP address. I'm getting closer! The problem was a misconfiguration on the NPS server at the VSA string implementation.

The problem now is that whatever PC I connect to the PC port of the Mitel telephone does not attempt a Dot1x authentication, so the switchport turns to the guest VLAN. My current switchport is the following:
interface GigabitEthernet1/0/19
 description Dot1x KM office test link
 switchport mode access
 switchport voice vlan 100
 no logging event link-status
 authentication control-direction in
 authentication event server dead action authorize vlan 300
 authentication event no-response action authorize vlan 1023
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 mab eap
 dot1x pae authenticator
 flowcontrol receive desired
 storm-control broadcast level 0.50 0.40
 storm-control multicast level 0.50 0.40
 spanning-tree portfast

The results of the authentication sessions for that switchport are the following:
cy1-b2-c2960-7#show authentication sessions inter gi 1/0/19
            Interface:  GigabitEthernet1/0/19
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  in
        Authorized By:  Guest Vlan
          Vlan Policy:  1023
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A971407000000CD000ACF9B
      Acct Session ID:  0x000000CF
               Handle:  0xA20000CE

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Failed over

----------------------------------------
            Interface:  GigabitEthernet1/0/19
          MAC Address:  0008.5d44.e338
           IP Address:  Unknown
            User-Name:  00085d44e338
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  in
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A9714070000000C00025412
      Acct Session ID:  0x0000000D
               Handle:  0x2600000D

Runnable methods list:
       Method   State
       dot1x    Not run

       mab      Authc Success
Christoforos Acadjiotis (Systems and Network Administrator, author) commented:
Please have a look at the following debugging. The PC connected to the PC port of the Mitel telephone eventually fails to VLAN 1023 (guest VLAN).

Mar 26 2015 11:33:37.679 EET: dot1x-sm(Gi1/0/19): Posting EAP_REQ for 0xD7000020
Mar 26 2015 11:33:37.679 EET:     dot1x_auth_bend Gi1/0/19: during state auth_bend_request, got event 7(eapReq)
Mar 26 2015 11:33:37.679 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_request -> auth_bend_request
Mar 26 2015 11:33:37.679 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_request_request_action called
Mar 26 2015 11:33:37.679 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_request_enter called
Mar 26 2015 11:33:37.679 EET: dot1x-ev(Gi1/0/19): Sending EAPOL packet to 0050.b67c.0c14
Mar 26 2015 11:33:37.679 EET: dot1x-ev(Gi1/0/19): Role determination not required
cy1-b2-c2960-7#
Mar 26 2015 11:33:37.679 EET: dot1x-registry:registry:dot1x_ether_macaddr called
Mar 26 2015 11:33:37.679 EET: dot1x-ev(Gi1/0/19): Sending out EAPOL packet
Mar 26 2015 11:33:37.679 EET: EAPOL pak dump Tx
Mar 26 2015 11:33:37.679 EET: EAPOL Version: 0x3  type: 0x0  length: 0x0005
Mar 26 2015 11:33:37.679 EET: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1 
Mar 26 2015 11:33:37.679 EET: dot1x-packet(Gi1/0/19): EAPOL packet sent to client 0xD7000020 (0050.b67c.0c14)
cy1-b2-c2960-7#
Mar 26 2015 11:34:08.608 EET: dot1x-sm(Gi1/0/19): Posting EAP_REQ for 0xD7000020
Mar 26 2015 11:34:08.608 EET:     dot1x_auth_bend Gi1/0/19: during state auth_bend_request, got event 7(eapReq)
Mar 26 2015 11:34:08.608 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_request -> auth_bend_request
Mar 26 2015 11:34:08.608 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_request_request_action called
Mar 26 2015 11:34:08.608 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_request_enter called
Mar 26 2015 11:34:08.608 EET: dot1x-ev(Gi1/0/19): Sending EAPOL packet to 0050.b67c.0c14
Mar 26 2015 11:34:08.608 EET: dot1x-ev(Gi1/0/19): Role determination not required
cy1-b2-c2960-7#
Mar 26 2015 11:34:08.608 EET: dot1x-registry:registry:dot1x_ether_macaddr called
Mar 26 2015 11:34:08.608 EET: dot1x-ev(Gi1/0/19): Sending out EAPOL packet
Mar 26 2015 11:34:08.608 EET: EAPOL pak dump Tx
Mar 26 2015 11:34:08.608 EET: EAPOL Version: 0x3  type: 0x0  length: 0x0005
Mar 26 2015 11:34:08.608 EET: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1 
Mar 26 2015 11:34:08.608 EET: dot1x-packet(Gi1/0/19): EAPOL packet sent to client 0xD7000020 (0050.b67c.0c14)
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Received an EAP Timeout
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): Posting EAP_TIMEOUT for 0xD7000020
Mar 26 2015 11:34:39.489 EET:     dot1x_auth_bend Gi1/0/19: during state auth_bend_request, got event 12(eapTimeout)
Mar 26 2015 11:34:39.489 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_request -> auth_bend_timeout
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_timeout_enter called
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_request_timeout_action called
Mar 26 2015 11:34:39.489 EET:     dot1x_auth_bend Gi1/0/19: idle during state auth_bend_timeout
Mar 26 2015 11:34:39.489 EET: @@@ dot1x_auth_bend Gi1/0/19: auth_bend_timeout -> auth_bend_idle
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_bend_idle_enter called
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): Posting AUTH_TIMEOUT on Client 0xD7000020
Mar 26 2015 11:34:39.489 EET:     dot1x_auth Gi1/0/19: during state auth_authenticating, got event 14(authTimeout)
Mar 26 2015 11:34:39.489 EET: @@@ dot1x_auth Gi1/0/19: auth_authenticating -> auth_authc_result
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_authenticating_exit called
Mar 26 2015 11:34:39.489 EET: dot1x-sm(Gi1/0/19): 0xD7000020:auth_authc_result_enter called
Mar 26 2015 11:34:39.489 EET: %DOT1X-5-FAIL: Authentication failed for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Sending event (2) to Auth Mgr for 0050.b67c.0c14
Mar 26 2015 11:34:39.489 EET: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Received Authz fail for the client  0xD7000020 (0050.b67c.0c14)
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Deleting client 0xD7000020 (0050.b67c.0c14)
Mar 26 2015 11:34:39.489 EET: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.495 EET: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.495 EET: %AUTHMGR-5-VLANASSIGN: VLAN 1023 assigned to Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.510 EET: dot1x-sm(Gi1/0/19): Posting_AUTHZ_FAIL on Client 0xD7000020
Mar 26 2015 11:34:39.510 EET:     dot1x_auth Gi1/0/19: during state auth_authc_result, got event 22(authzFail)
Mar 26 2015 11:34:39.510 EET: @@@ dot1x_auth Gi1/0/19: auth_authc_result -> auth_held
Mar 26 2015 11:34:39.510 EET: dot1x-ev:Delete auth client (0xD7000020) message
Mar 26 2015 11:34:39.510 EET: dot1x-ev:Auth client ctx destroyed
Mar 26 2015 11:34:39.510 EET: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
cy1-b2-c2960-7#show authentication sessions interface gio 
Mar 26 2015 11:34:39.794 EET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Christoforos Acadjiotis (Systems and Network Administrator, author) commented:
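The debug output above is hard to read by eye because the AUTHMGR events for one client are spread over dozens of state-machine lines. The following script is an added example (not code from the thread or from Cisco) that groups the syslog-style lines by AuditSessionID, records the per-method result, whether all methods were exhausted, and which VLAN was assigned, and then classifies each session. The sample lines are the ones posted earlier in this thread; the guest VLAN number 1023 and the classification labels are assumptions of the example. A defender can run the same logic over a switch's syslog feed to spot hosts that silently land in the guest VLAN behind a phone instead of being authenticated.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample lines taken from the two debug excerpts posted in this thread:
# one dot1x 'fail' session (the phone, before the NPS VSA was fixed) and one
# dot1x 'no-response' session (the PC behind the phone) that falls back to
# the guest VLAN.
SAMPLE_LOG = """\
Mar 24 2015 12:19:39.455 EET: %DOT1X-5-FAIL: Authentication failed for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 26 2015 11:34:39.489 EET: dot1x-ev(Gi1/0/19): Received an EAP Timeout
Mar 26 2015 11:34:39.489 EET: %DOT1X-5-FAIL: Authentication failed for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.489 EET: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.489 EET: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.495 EET: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0050.b67c.0c14) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.495 EET: %AUTHMGR-5-VLANASSIGN: VLAN 1023 assigned to Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
Mar 26 2015 11:34:39.794 EET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi1/0/19 AuditSessionID 0A971407000008620301DC58
"""

GUEST_VLAN = 1023  # assumption: the 'no-response' VLAN from the port config above

SESSION_RE = re.compile(r"AuditSessionID (?P<sid>[0-9A-F]+)")
CLIENT_RE = re.compile(r"client \((?P<mac>[^)]+)\) on Interface (?P<intf>\S+)")
RESULT_RE = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>[^']+)' from '(?P<method>[^']+)'"
)
VLAN_RE = re.compile(r"%AUTHMGR-5-VLANASSIGN: VLAN (?P<vlan>\d+) assigned to Interface (?P<intf>\S+)")


@dataclass
class Session:
    sid: str
    mac: str | None = None
    interface: str | None = None
    results: list[tuple[str, str]] = field(default_factory=list)  # (method, result)
    exhausted: bool = False   # %AUTHMGR-7-NOMOREMETHODS seen
    authorized: bool = False  # %AUTHMGR-5-SUCCESS seen
    vlan: int | None = None   # VLAN pushed by %AUTHMGR-5-VLANASSIGN


def parse_sessions(text: str) -> dict[str, Session]:
    """Group AUTHMGR/DOT1X syslog lines by AuditSessionID."""
    sessions: dict[str, Session] = {}
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue  # state-machine chatter without a session id is ignored
        sess = sessions.setdefault(m["sid"], Session(sid=m["sid"]))
        if c := CLIENT_RE.search(line):
            sess.interface = c["intf"]
            if c["mac"] != "Unknown MAC":  # the final SUCCESS line carries no real MAC
                sess.mac = c["mac"]
        if r := RESULT_RE.search(line):
            sess.results.append((r["method"], r["result"]))
        if v := VLAN_RE.search(line):
            sess.vlan = int(v["vlan"])
            sess.interface = v["intf"]
        if "%AUTHMGR-7-NOMOREMETHODS" in line:
            sess.exhausted = True
        if "%AUTHMGR-5-SUCCESS" in line:
            sess.authorized = True
    return sessions


def classify(sess: Session, guest_vlan: int = GUEST_VLAN) -> str:
    """Label a session by how it ended (labels are this example's own)."""
    if sess.exhausted and sess.vlan == guest_vlan:
        return "guest-vlan-fallback"  # no supplicant reply and MAB did not authorize either
    if any(result == "fail" for _, result in sess.results):
        return "auth-failed"  # server rejected the credentials or the MAB entry
    if sess.authorized:
        return "authorized"
    return "incomplete"


def report(text: str, guest_vlan: int = GUEST_VLAN) -> list[str]:
    """One summary line per session, suitable for a SIEM or a quick CLI check."""
    return [
        f"{s.interface} {s.mac or 'unknown-mac'} {s.sid}: {classify(s, guest_vlan)} "
        f"(methods={s.results}, vlan={s.vlan})"
        for s in parse_sessions(text).values()
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Running the script prints one line per session: the phone session on 24 March shows up as "auth-failed" with a dot1x 'fail' result, and the PC session on 26 March as "guest-vlan-fallback" with VLAN 1023, which is exactly the symptom described in the post: the supplicant never answered the EAP-Request/Identity, every method was exhausted, and the port authorized the guest VLAN.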
The solution to the task at hand was a bad entry on the NPS server. The VSA string was mistyped based on bad information.
The correct format for the Vendor Specific Attribute is "device-traffic-class=voice"