VoIP device authenticating via MAB and PC authenticating via dot1x

Hi,
I would like to understand this process a bit more and the authentication flow.  Using ClearPass (similar to ISE) as a RADIUS server.

PC authenticates successfully via dot1x (EAP-TLS) when plugged into jack.  However, when plugged in via VoIP, it fails.   Discovered that the pC is not able to auth via MAB because the MAC is not in the MAC Address table.   Once added MAC to MAC Address table, PC successfully authenticates via dot1x and MAB.

What is the relation to VoIP here?  If the PC can auth successfully via dot1x(EAP-TLS) on its own, what triggers the PC to roll over to MAB and fail?
fat catAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nociSoftware EngineerCommented:
If a VOIP phone is inserted into the switch then there is dot1x between Phone & Switch.
When the PC is inserted into the Phone there is dot1x between the phone and the PC...
(IF the phone does do dot1x and is configured for it at all....).

One cannot use dot1x enabled on a device upstream of the edge switch to do the dot1x.
(When dot1x is communicated between edge device and connected endpoint, the endpoint is actualy NOT connected to the network at all.
It is the edge-switch that handles all network communication between itself and the RADIUS server, and it receives the intended configuration for the network setup from the RADIUS server, after authentication is successful.
During the authentication phase the connected endpoint device and the edge switch are talking in private.
(i.e. there is NOT communication between RADIUS and the connected (here PC) device directly).
kevinhsiehCommented:
The switch needs to be configured to allow multiple 802.1x authentications  on the physical port. That is not the default Cisco configuration. Some Cisco switches only allow a single 802.1x on the data access VLAN, and one more on the voice VLAN. Other switches all multiple 802.1x devices on the data VLAN, which would come into play if there was an unmanaged switch or VM host, for example.

In addition to correct switch configuration, the IP phone also needs proper configuration to allow 802.1x passthrough to the upstream switch, and behavior on how to tell the switch that the connected device is no longer connected and should be deauthenticated.
fat catAuthor Commented:
Thank you for the comments @noci and @kevinhsieh.  Really appreciate it....

@kevinhsieh @noci

So i guess i was looking for more what happens with the authentication flow.

-Switch is configured for mulit Auth
-PC is configured to do dot1x EAP-TLS . (machine/user certs)
-Phone is configured to do MAB (Phone attempt dot1x but will failover to mab - that is the setup we want)

So, noticed that the PC MAC was not in the MAC Auth dB so it would fail MAB.
--So basically, when PC was connected to the port/jack, it was successfully authenticating via EAP-TLS . (what we want it to do),
--but when we plugged it into the phone, it would try MAB and fail.   So when i added the PC MAC to the MAC Auth dB, it would successfully auth via phone.

So my question was to understand what happens with the flow here.  
-e.g, if the PC is able to do EAP-TLS directly connected to the port, why does it fail when it is behind the phone.
--does the phone re-trigger a auth ?
--the phone is meant to fail dot1x and failover to MAB, does this also make the PC do the same?
--it it is multi-auth domain, shouldn't each device act independatly when trying to authenticate ?  
--How does VoIP affect the PC's authentication?


Thanks guys, really appreciate the response.
Maximize Customer Retention with Superior Service

The IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more to help build customer satisfaction and retention.

nociSoftware EngineerCommented:
--does the phone re-trigger a auth ?
No...
--the phone is meant to fail dot1x and failover to MAB, does this also make the PC do the same?
On the Switch Yes.... unless the phone will do the dot1x.
--it it is multi-auth domain, shouldn't each device act independatly when trying to authenticate ?  
Yep the phone is one switch further...
--How does VoIP affect the PC's authentication?
It isn;t VOIP, it is the switch inside the Phone.


before dot1x:
[Radiusserver] <--------------->[Switch-Core].
[Switch-port]<---->[PC].
Switch port is disconnected from the switch core.

PC sends Auth request to switch port  (it's certificate etc.).
Switch port notifies Switch Core (on the same switch), switch core starts talking to the radius server, radius server answers OK or FAIL.
On FAIL the is the end.
On OK, the answer also contains the port config needed so it is setup. And the switch port is connected to the Switch-Core.
 and then PC can start communication on the network.
If the phone already is connected the Switch-port will not notice the auth request as it isn't in a disconnected state.

The Phone is now the edge device that would need to do the dot1x.... (if it can).

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
kevinhsiehCommented:
FYI, my phones do 802.1x. Devices connected through the phone do 802.1x or MAB properly.
fat catAuthor Commented:
Thank you both for your help.  Still a bit unclear but def helped me understand it better.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.