
Multi-Domain authentication with non-cisco phones

Last Modified: 2015-04-03
Dear all,

I am currently using Dot1x to authenticate my users on the domain through an NPS server. My switchport implementation is the following:
interface GigabitEthernet1/0/X
 switchport mode access
 switchport voice vlan 100
 no logging event link-status
 authentication control-direction in
 authentication event server dead action authorize vlan 300
 authentication event no-response action authorize vlan 1023
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication port-control auto
 authentication violation restrict
 mab eap
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 flowcontrol receive desired
 storm-control broadcast level 0.50 0.40
 storm-control multicast level 0.50 0.40
 spanning-tree portfast

Users are authenticated with no problem. The final implementation needs the AASTRA telephones to be connected to the switchport and then PCs to be connected to the telephones. The telephones are discovered through LLDP but then do not authenticate on the network.
The authentication implementation is as follows: the telephone should not authenticate on VLAN 100 (voice VLAN), and the user, through the PC port of the telephone device, should authenticate through Dot1x.

While the telephone is set with no authentication, the NPS server is sending EAPOL packets to the device for authentication, with the following debug:

Mar 24 2015 12:19:39.449 EET: @@@ dot1x_auth Gi1/0/19: auth_authenticating -> auth_authc_result
Mar 24 2015 12:19:39.449 EET: dot1x-sm(Gi1/0/19): 0x810007EC:auth_authenticating_exit called
Mar 24 2015 12:19:39.455 EET: dot1x-sm(Gi1/0/19): 0x810007EC:auth_authc_result_enter called
Mar 24 2015 12:19:39.455 EET: %DOT1X-5-FAIL: Authentication failed for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: dot1x-ev(Gi1/0/19): Sending event (2) to Auth Mgr for 0008.5d44.e338
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913
Mar 24 2015 12:19:39.455 EET: dot1x-redundancy: State for client  0008.5d44.e338 successfully retrieved
Mar 24 2015 12:19:39.455 EET: dot1x-ev(Gi1/0/19): Received Authz fail for the client  0x810007EC (0008.5d44.e338)
Mar 24 2015 12:19:39.455 EET: dot1x-sm(Gi1/0/19): Posting_AUTHZ_FAIL on Client 0x810007EC
Mar 24 2015 12:19:39.455 EET:     dot1x_auth Gi1/0/19: during state auth_authc_result, got event 22(authzFail)

Has anyone come across such an implementation problem?
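
A helper for reading debug output like the above, added here as an example and not part of the original question: it groups the `%AUTHMGR-7-RESULT` lines by interface and client MAC and lists clients that never got a `success` from any method. The function names are hypothetical, and the last two sample lines (second client, MAC and session ID) are constructed for illustration.

```python
import re
from collections import defaultdict

# %AUTHMGR-7-RESULT is the line that names both the method and its outcome.
RESULT_RE = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>[^']+)' "
    r"from '(?P<method>[^']+)' for client \((?P<mac>[0-9A-Fa-f.]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-Fa-f]+)"
)

def results_by_client(log_text):
    """Map (interface, MAC) -> ordered list of (method, result) tuples."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            key = (m["intf"], m["mac"].lower())
            seen[key].append((m["method"], m["result"]))
    return dict(seen)

def never_authorized(log_text):
    """Clients with at least one result line and no 'success' from any method."""
    return sorted(
        client
        for client, attempts in results_by_client(log_text).items()
        if not any(result == "success" for _, result in attempts)
    )

SAMPLE = "\n".join([
    # Taken from the debug output in the question.
    "Mar 24 2015 12:19:39.455 EET: %DOT1X-5-FAIL: Authentication failed for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913",
    "Mar 24 2015 12:19:39.455 EET: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0008.5d44.e338) on Interface Gi1/0/19 AuditSessionID 0A97140700004BD4E7BF7913",
    # Constructed lines (not from the page): a client that fails MAB, then passes dot1x.
    "Mar 24 2015 12:20:01.100 EET: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (0000.5e00.5301) on Interface Gi1/0/20 AuditSessionID 0A0000000000000000000001",
    "Mar 24 2015 12:20:03.200 EET: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0000.5e00.5301) on Interface Gi1/0/20 AuditSessionID 0A0000000000000000000001",
])

if __name__ == "__main__":
    for (intf, mac), attempts in results_by_client(SAMPLE).items():
        print(intf, mac, attempts)
    print("never authorized:", never_authorized(SAMPLE))
```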