taylowa
Dot1X Denying Access to Cisco IP Phones

We had a network person leave us and we started doing Dot1X and we have some phones that are just going DenyAccess and we have no idea why. Any help would be great.
Craig Beck

Can you post a log from a successful and failed event in your RADIUS server, please? Also, post the access policy so we can see what the conditions/constraints are.
taylowa

ASKER

Thank you for the reply.  
I don't know if I have any that are connecting.  We were only testing it in our department and most of them we have had to disable the feature because we didn't know how to fix.
Access_Policy.pdf
DenyAcces_Phone.pdf
Thanks.

The authorization rule is using a condition based on the profiler correctly classifying the phone as a Cisco IP Phone. It looks like the profiler doesn't have enough info to successfully determine that the phone is a Cisco IP phone. Can you confirm that you have CDP enabled on the switches?

Can you show the profiler policy that matches the phone to the endpoint identity group, please?
You use the same switch for data and voice?
Auto-classifying VoIP phones should be auto-assigned to the voice VLAN.

Look at the port list/MAC address and exempt the ports with phones from being subjected to the 802.1x
Look at the port list/MAC address and exempt the ports with phones from being subjected to the 802.1x

This isn’t a good idea if devices connect to the phone switchport.

We can see in the ISE policy that the voice-domain is assigned upon successful authorisation, so the profiler obviously isn’t profiling the device correctly.
It seems the implementation of 802.1x is rushed, as it is not ready to authorize the phones.
Address the issue of why the phones are not being authorized, then continue with the deployment.
Many switches that are used for VOIP should auto-assign a VLAN based on the MAC address bypassing the need for the 802.1x
but that depends on whether that is an option when 802.1x is enabled switch wide.
This is not the way to do it really unless you have no other choice. When you implement 802.1x, any devices that support it should use it. If phones support 802.1x, do it. If not, do MAB (with profiling if you can).

I've done hundreds of deployments. I've never come across an enterprise-grade phone that doesn't support 802.1x. Where possible I've used it, either with the manufacturer-installed device certificate, a certificate from the customer's PKI, or with user/pass credentials. Assigning the voice VLAN is a simple av-pair attribute pushed via RADIUS server to the switch. The switchport must have the voice vlan assigned for this to work. The switch doesn't auto-assign the VLAN.
Cisco switches have a MAC prefix table that if the devices matches, it will automatically get the voice VLAN.
Cisco switches have a MAC prefix table that if the devices matches, it will automatically get the voice VLAN.

That's news to me. What they usually do is use macros to determine what a device is, using CDP or LLDP, then apply a template based on capabilities. There is no MAC prefix table that I am aware of.
The mechanism/process the switch uses in this scenario does not apply when 802.1x is enabled.

My read is to get it to operate while they can workout the issue and implement their desired result.

ASKER

Can you tell me where to find these two answers? Remember, I'm a NEWB to this information.

Can you confirm that you have CDP enabled on the switches?

Can you show the profiler policy that matches the phone to the endpoint identity group, please?
usually they come with that option enabled if it is

Let's try to clear things up.
Are you working on an existing setup on which you enabled 802.1x, or trying to solve something that worked but broke shortly after the departure of the networking person?

What switches are you using? Check whether you have an internal CA that issues certificates, to make sure the CA certificate has not expired, which would prevent issuing new certificates... Using the certificate authority administrative tool you can renew the CA certificate if needed.

Detail: are you trying to deploy new phones?
As I've already said, the switches do not do anything here - it is all the RADIUS server, which is Cisco ISE in this case. The policy is clear in that ISE is profiling the phone using CDP/LLDP attributes then telling the switch to enable the device on the Voice VLAN. The policy uses MAB so it is a simple flow in terms of authentication/authorization.

@taylowa, can you post the following switch outputs:

show run | inc dot1x
show run int <interface_where_phone_connects>
show authen sess int <interface_where_phone_connects> detail
show run | sec radius
show run | sec aaa
show aaa server
show cdp




I think the Cisco-ip-phones should be excluded from having the Wired_802.1X_MAB policy apply to them unless and until the phone 802.1x certificate handler and management is set up.

Or other the Cisco-ip phone authorization before the imposition of the Wired_802.1X_MAB

ASKER

Some One, here are the outputs you asked.  Thanks for your help.  Arnold, thanks for your input as well.  This was working for a little time and broke after he left.  We were testing it in our area before rolling it out across campus.  We are using Cisco Switches (right now mostly 2960X).  We aren't trying to deploy new phones using Dot1X yet, but if we can get all this fixed then we will move outside our department.

1. show run | inc dot1x 
aaa authentication dot1x default group ISE
dot1x system-auth-control
dot1x critical eapol
 match method dot1x
 match result-type method dot1x authoritative
 match method dot1x
 match result-type method dot1x agent-not-found
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
   10 terminate dot1x
   10 terminate dot1x
   10 terminate dot1x
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x pae authenticator
 dot1x timeout tx-period 2

2. show run int <interface_where_phone_connects> 
Current configuration : 528 bytes
!
interface GigabitEthernet2/0/41
 description Emergency Phone
 switchport access vlan 26
 switchport mode access
 switchport voice vlan 263
 ip access-group IPV4_PRE_AUTH_ACL in
 authentication timer reauthenticate server
 access-session closed
 access-session port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 2
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber DOT1X
end

3. show authen sess int <interface_where_phone_connects> detail 
This command isn't working on my 2960X Stack.  I don't see it in the list when I do show ? either.  

4. show run | sec radius 
aaa group server radius WCC-RAD
 server name MNNPS01
 server name MNNPS02
 ip radius source-interface Vlan26
aaa group server radius ISE
 server name ISE01
 ip radius source-interface Vlan26
aaa server radius dynamic-author
 client 10.22.0.60 server-key *OURKEY*
ip radius source-interface Vlan26
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius server MNNPS01
 address ipv4 10.20.200.13 auth-port 1645 acct-port 1646
 key *OURSECRETKEY*
radius server MNNPS02
 address ipv4 10.20.200.14 auth-port 1645 acct-port 1646
 key *OURSECRETKEY*
radius server ISE01
 address ipv4 10.22.0.60 auth-port 1812 acct-port 1813
 automate-tester username ISE-TEST ignore-acct-port probe-on
 key *OURKEY*

5. show run | sec aaa 
aaa new-model
aaa group server radius WCC-RAD
 server name MNNPS01
 server name MNNPS02
 ip radius source-interface Vlan26
aaa group server radius ISE
 server name ISE01
 ip radius source-interface Vlan26
aaa authentication login default group ISE local
aaa authentication dot1x default group ISE
aaa authorization exec default group ISE local
aaa authorization network default group ISE
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE
aaa server radius dynamic-author
 client 10.22.0.60 server-key *OURKEY*
aaa session-id common
 match result-type aaa-timeout
 match result-type aaa-timeout
 event aaa-available match-all
  10 class IN_CRITICAL_VLAN do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_VLAN do-until-failure
   10 resume reauthentication

6. show aaa server 
RADIUS: id 1, priority 1, host 10.20.200.13, auth-port 1645, acct-port 1646
     State: current UP, duration 4294967s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Elapsed time since counters last cleared: 14w4d16h17m
     Estimated Outstanding Access Transactions: 0
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Requests per minute past 24 hours:
             high - 15 hours, 16 minutes ago: 0
             low  - 15 hours, 16 minutes ago: 0
             average: 0

RADIUS: id 2, priority 2, host 10.20.200.14, auth-port 1645, acct-port 1646
     State: current UP, duration 4294967s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Elapsed time since counters last cleared: 14w4d16h17m
     Estimated Outstanding Access Transactions: 0
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Requests per minute past 24 hours:
             high - 15 hours, 16 minutes ago: 0
             low  - 15 hours, 16 minutes ago: 0
             average: 0

RADIUS: id 3, priority 3, host 10.22.0.60, auth-port 1812, acct-port 1813
     State: current UP, duration 4294967s, previous duration 66s
     Dead: total time 66s, count 0
     Quarantined: No
     Authen: request 892755, timeouts 8, failover 0, retransmission 8
             Response: accept 1165, reject 891002, challenge 580
             Response: unexpected 0, server error 0, incorrect 0, time 17ms
             Transaction: success 892747, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 70, timeouts 0, failover 0, retransmission 0
             Response: accept 70, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 5ms
             Transaction: success 70, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Account: request 218, timeouts 35, failover 0, retransmission 35
             Request: start 76, interim 0, stop 75
             Response: start 76, interim 0, stop 75
             Response: unexpected 1, server error 0, incorrect 0, time 635ms
             Transaction: success 183, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Elapsed time since counters last cleared: 14w4d16h17m
     Estimated Outstanding Access Transactions: 0
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Requests per minute past 24 hours:
             high - 2 hours, 16 minutes ago: 18
             low  - 14 hours, 37 minutes ago: 4
             average: 5

7. show cdp 
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is  enabled
Do you have config backups in a way that you can compare the current to the last one saved?

Let's try this.
Existing phones continue to work, but new ones do not.
You should look at the Cisco-ip-phone group and add the new phones' MAC addresses to this group.
Thanks for the outputs.

Can you do the following on the switch, then connect a phone and post the output for 2 minutes of logs, please?..

term mon
debug aaa



ASKER

Thanks for the quick reply.  The Debug AAA needs something else, it said incomplete command

ASKER

One of the phones in question is 00:12:7F:D0:C8:21 but we have others as well.  
Apr 19 10:58:59.381: %MAB-5-FAIL: Authentication failed for client (e8ed.f3ab.cc43) on Interface Gi1/0/47 AuditSessionID 0A1A0004000004F10A7D911B
Apr 19 10:59:02.449: %MAB-5-FAIL: Authentication failed for client (0012.7fd0.c821) on Interface Gi2/0/41 AuditSessionID 0A1A0004000004C4F6C6988F
Apr 19 10:59:02.460: %MAB-5-FAIL: Authentication failed for client (501c.b00c.41a7) on Interface Gi1/0/40 AuditSessionID 0A1A0004000001BA93817AF6
Apr 19 10:59:05.515: %DOT1X-5-FAIL: Authentication failed for client (e8ed.f3ab.cc43) on Interface Gi1/0/47 AuditSessionID 0A1A0004000004F10A7D911B
Apr 19 10:59:05.532: %MAB-5-FAIL: Authentication failed for client (e8ed.f3ab.cc43) on Interface Gi1/0/47 AuditSessionID 0A1A0004000004F10A7D911B
Apr 19 10:59:08.594: %DOT1X-5-FAIL: Authentication failed for client (0012.7fd0.c821) on Interface Gi2/0/41 AuditSessionID 0A1A0004000004C4F6C6988F
Apr 19 10:59:08.594: %DOT1X-5-FAIL: Authentication failed for client (501c.b00c.41a7) on Interface Gi1/0/40 AuditSessionID 0A1A0004000001BA93817AF6
Apr 19 10:59:08.615: %MAB-5-FAIL: Authentication failed for client (0012.7fd0.c821) on Interface Gi2/0/41 AuditSessionID 0A1A0004000004C4F6C6988F
Apr 19 10:59:08.619: %MAB-5-FAIL: Authentication failed for client (501c.b00c.41a7) on Interface Gi1/0/40 AuditSessionID 0A1A0004000001BA93817AF6
Apr 19 10:59:59.961: %MAB-5-FAIL: Authentication failed for client (e8ed.f3ab.cc43) on Interface Gi1/0/47 AuditSessionID 0A1A0004000004F10A7D911B
Apr 19 11:00:03.051: %MAB-5-FAIL: Authentication failed for client (501c.b00c.41a7) on Interface Gi1/0/40 AuditSessionID 0A1A0004000001BA93817AF6
Apr 19 11:00:03.069: %MAB-5-FAIL: Authentication failed for client (0012.7fd0.c821) on Interface Gi2/0/41 AuditSessionID 0A1A0004000004C4F6C6988F
Apr 19 11:00:06.113: %DOT1X-5-FAIL: Authentication failed for client (e8ed.f3ab.cc43) on Interface Gi1/0/47 AuditSessionID 0A1A0004000004F10A7D911B
Apr 19 11:00:06.131: %MAB-5-FAIL: Authentication failed for client (e8ed.f3ab.cc43) on Interface Gi1/0/47 AuditSessionID 0A1A0004000004F10A7D911B
Apr 19 11:00:09.196: %DOT1X-5-FAIL: Authentication failed for client (0012.7fd0.c821) on Interface Gi2/0/41 AuditSessionID 0A1A0004000004C4F6C6988F
Apr 19 11:00:09.196: %DOT1X-5-FAIL: Authentication failed for client (501c.b00c.41a7) on Interface Gi1/0/40 AuditSessionID 0A1A0004000001BA93817AF6
Apr 19 11:00:09.217: %MAB-5-FAIL: Authentication failed for client (501c.b00c.41a7) on Interface Gi1/0/40 AuditSessionID 0A1A0004000001BA93817AF6
Apr 19 11:00:09.252: %MAB-5-FAIL: Authentication failed for client (0012.7fd0.c821) on Interface Gi2/0/41 AuditSessionID 0A1A0004000004C4F6C6988F
Apr 19 11:00:54.946: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/14
Apr 19 11:00:59.854: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/14, changed state to up
Apr 19 11:01:00.570: %MAB-5-FAIL: Authentication failed for client (e8ed.f3ab.cc43) on Interface Gi1/0/47 AuditSessionID 0A1A0004000004F10A7D911B
Apr 19 11:01:00.857: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/14, changed state to up
Apr 19 11:01:02.870: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/14 with BPDU Guard enabled. Disabling port.
Apr 19 11:01:02.870: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/14, putting Gi1/0/14 in err-disable state
Apr 19 11:01:03.653: %MAB-5-FAIL: Authentication failed for client (501c.b00c.41a7) on Interface Gi1/0/40 AuditSessionID 0A1A0004000001BA93817AF6
Apr 19 11:01:03.664: %MAB-5-FAIL: Authentication failed for client (0012.7fd0.c821) on Interface Gi2/0/41 AuditSessionID 0A1A0004000004C4F6C6988F
Apr 19 11:01:03.877: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/14, changed state to down
Apr 19 11:01:04.876: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/14, changed state to down
Apr 19 11:01:06.753: %DOT1X-5-FAIL: Authentication failed for client (e8ed.f3ab.cc43) on Interface Gi1/0/47 AuditSessionID 0A1A0004000004F10A7D911B
Apr 19 11:01:06.771: %MAB-5-FAIL: Authentication failed for client (e8ed.f3ab.cc43) on Interface Gi1/0/47 AuditSessionID 0A1A0004000004F10A7D911B
Apr 19 11:01:09.819: %DOT1X-5-FAIL: Authentication failed for client (501c.b00c.41a7) on Interface Gi1/0/40 AuditSessionID 0A1A0004000001BA93817AF6
Apr 19 11:01:09.819: %DOT1X-5-FAIL: Authentication failed for client (0012.7fd0.c821) on Interface Gi2/0/41 AuditSessionID 0A1A0004000004C4F6C6988F
Apr 19 11:01:09.826: %MAB-5-FAIL: Authentication failed for client (501c.b00c.41a7) on Interface Gi1/0/40 AuditSessionID 0A1A0004000001BA93817AF6
Apr 19 11:01:09.850: %MAB-5-FAIL: Authentication failed for client (0012.7fd0.c821) on Interface Gi2/0/41 AuditSessionID 0A1A0004000004C4F6C6988
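A small triage script for switch syslog of this kind, added here as an example and not part of the thread. It reproduces a handful of the %MAB-5-FAIL / %DOT1X-5-FAIL and BPDU Guard lines from the log above, adds one constructed %MAB-5-SUCCESS line (the MAC 0011.2233.4455 and its session ID are made up), and reports which clients failed both MAB and 802.1X without ever succeeding (so no authorization result was ever applied to the port), converting the IOS dotted MAC form to the colon form used when listing the phone, and which ports the switch err-disabled.

```python
import re
from collections import defaultdict

# Lines reproduced from the switch log posted in the thread, plus one
# constructed %MAB-5-SUCCESS line (MAC and AuditSessionID are made up) so the
# parser also sees a successful authentication.
SAMPLE_LOG = """\
Apr 19 10:58:59.381: %MAB-5-FAIL: Authentication failed for client (e8ed.f3ab.cc43) on Interface Gi1/0/47 AuditSessionID 0A1A0004000004F10A7D911B
Apr 19 10:59:02.449: %MAB-5-FAIL: Authentication failed for client (0012.7fd0.c821) on Interface Gi2/0/41 AuditSessionID 0A1A0004000004C4F6C6988F
Apr 19 10:59:05.515: %DOT1X-5-FAIL: Authentication failed for client (e8ed.f3ab.cc43) on Interface Gi1/0/47 AuditSessionID 0A1A0004000004F10A7D911B
Apr 19 11:00:54.946: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/14
Apr 19 11:01:02.870: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/14 with BPDU Guard enabled. Disabling port.
Apr 19 11:01:02.870: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/14, putting Gi1/0/14 in err-disable state
Apr 19 11:01:09.819: %DOT1X-5-FAIL: Authentication failed for client (0012.7fd0.c821) on Interface Gi2/0/41 AuditSessionID 0A1A0004000004C4F6C6988F
Apr 19 11:01:09.850: %MAB-5-FAIL: Authentication failed for client (0012.7fd0.c821) on Interface Gi2/0/41 AuditSessionID 0A1A0004000004C4F6C6988F
Apr 19 11:02:00.000: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/12 AuditSessionID 0A1A0004000005000000ABCD
"""

# One regex for both MAB and 802.1X result messages (severity 5 FAIL/SUCCESS).
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<method>MAB|DOT1X)-5-(?P<result>FAIL|SUCCESS): "
    r"Authentication (?:failed|successful) for client "
    r"\((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>\S+)$"
)
# Port-manager err-disable message; the cause (e.g. bpduguard) is captured.
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<intf>\S+),"
)


def to_colon_mac(dotted: str) -> str:
    """Convert the IOS dotted form (0012.7fd0.c821) to 00:12:7F:D0:C8:21."""
    hexdigits = dotted.replace(".", "").upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_auth_events(text: str) -> list:
    """One dict per MAB/DOT1X FAIL or SUCCESS line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: list) -> dict:
    """Count results per (mac, interface), e.g. {'MAB_FAIL': 2, 'DOT1X_FAIL': 1}."""
    summary = defaultdict(lambda: defaultdict(int))
    for ev in events:
        summary[(ev["mac"], ev["intf"])][f"{ev['method']}_{ev['result']}"] += 1
    return {key: dict(counts) for key, counts in summary.items()}


def denied_by_both_methods(summary: dict) -> list:
    """Endpoints that failed MAB and 802.1X and never succeeded: neither
    authentication path produced an authorization, so the port stays closed."""
    denied = []
    for (mac, intf), counts in summary.items():
        failed_both = counts.get("MAB_FAIL", 0) > 0 and counts.get("DOT1X_FAIL", 0) > 0
        never_ok = not any(k.endswith("_SUCCESS") for k in counts)
        if failed_both and never_ok:
            denied.append((to_colon_mac(mac), intf))
    return sorted(denied)


def errdisabled_ports(text: str) -> list:
    """Ports the switch put into err-disable, with the cause (e.g. bpduguard)."""
    return [(m.group("intf"), m.group("cause")) for m in ERRDISABLE_RE.finditer(text)]


if __name__ == "__main__":
    summary = summarize(parse_auth_events(SAMPLE_LOG))
    for key, counts in summary.items():
        print(key, counts)
    print("denied by both MAB and 802.1X:", denied_by_both_methods(summary))
    print("err-disabled ports:", errdisabled_ports(SAMPLE_LOG))
```

Run it against a `term mon` capture saved to a file by replacing `SAMPLE_LOG` with the file contents; a client that shows up only under `denied_by_both_methods` is one the RADIUS server rejected on both paths, which in this thread turned out to be an empty endpoint group on ISE rather than a switch-side problem.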
Check the NPS: does it have MAC addresses from other phones that are working?
Get the MAC address of a working phone and see whether you can locate it on the NPS side against which AAA is running, or check whether it is granted an exemption by the sheer fact that it is a phone and is part of the cisco-ip-phone exclusion list.

IMHO, match one that works with one that does not and see why and what settings differ....

ASKER

We don't have many, so I can't find one that is working.  :(
Thanks for the suggestion
in your access policy, could you exclude devices not part of the CISCO-ip-phone
not equal to CISCO-ip-phone?

In Wired_802.1X_MAB if you can exclude the phones from being subjected to this requirement?
I.e. was the uptime on the ISE/Switches such that they were rebooted after the person left. i.e. the configs were running and were not committed.

ASKER

The server does look to have rebooted since he left (back in November and the time running is 14 weeks).  

Are you suggesting that we need to change the Wired_MAB_Cisco-IP-Phone (under Wired_802.1X_MAB) to say "Not Equals" the Cisco_IP_Phones instead of it Equals?
I am trying to see if it is possible to exclude the phones from the 802.1X requirement
Wired_802.1X_MAB
which is applied as an all encompassing of every cisco managed device

It is listed in the chain of authorization with 24 hits but not sure what or how it is affected.

my thought is if you exclude the Cisco-ip-phones from the

can you tftp out/backup the running and the saved config and then compare them to see if they are the same or they are different.

when did this issue began? i.e. what transpired between when it was working and when it stopped working.

My approach would be to solve the issue with the phones first.
My approach would be to solve the issue with the phones first.
Excluding phones from the authentication process won't achieve that.

Check the NPS does it have mac addresses from other phones that are working?
This is being authenticated via ISE, not NPS.

in your access policy, could you exclude devices not part of the CISCO-ip-phone
not equal to CISCO-ip-phone?
Doesn't matter - the phones aren't hitting that policy so it's irrelevant. This is the issue. We need phones to hit this issue in order to authorize correctly.


@taylowa, can you post the output from...

sho run | sec policy-map type control subscriber



The aaa debug should enable everything with the command I gave. Instead can you try this and post the output over a 2 min period from the time you connect a phone, please?..

debug aaa events
debug aaa pod



Also, I saw this in the logs...
Apr 19 11:01:00.857: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/14, changed state to up
Apr 19 11:01:02.870: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/14 with BPDU Guard enabled. Disabling port.

Can you remove bpduguard from ports where a phone connects? This is causing the ports to err-disable.

ASKER

I have found the issue!  Every group has been emptied out for some reason.  Could this have been done on a server restart or something?  

ASKER

My admin account doesn't have the access to see the groups, so I had to log in with the default admin account and I was able to see the groups were empty.  I kept looking for a group and couldn't ever find it under my name.  
Usually, a corruption, if it happens, is in whole, not in part.
Was the former employee's account recently termed as part of the change?
There might have been a process that was being used to manage/populate the groups.....
ASKER CERTIFIED SOLUTION
Craig Beck

This solution is only available to members.

ASKER

Thank you so much for all your help!
Here is the purge policy.  How would phones (and other devices) get lost for 30+ days to get purged though?

I just added another phone to the group and it registered with my call manager!  :)
purge_report.jpg
It appears there is no session timeout configured. This means a phone could be connected indefinitely and never need to periodically reauthenticate. If RADIUS accounting isn't sending periodic updates to ISE the session would be deleted after 5 days, then 25 days after that ISE would delete the MAC address as it never saw it in a session packet again. You should configure periodic accounting updates on the switches to fix this, or configure a reauthentication timer in the authorization profile for the phones, or on the switchport using the authentication periodic command.

ASKER

Thank you for the information. Which do you recommend as the best option?  I found the information about the switchport command but I want the best way to do it.  Right now we are testing it out in our department (everything on campus isn't configured yet) so it maybe best to do it on a switchport but what is the true best practice?  
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a3.html#wp6785181440

ASKER

Also, our ports had this configured so shouldn't it do what we need?
authentication timer reauthenticate server

ASKER

On the switch overall, would this be a good command?  
aaa account update newinfo periodic 1440
Wouldn't this do the check-in once a day?
Could it mess up anything if we aren't fully Dot1X ready on that switch?
The authentication timer reauthenticate server command tells the switch to use the reauthentication timer set by the RADIUS server, although the default authorization profile in ISE for your phones doesn't have a timer set. You can change this, but using the periodic authentication command (aaa account update newinfo periodic 1440) will tell ISE whether the device is still connected and update the endpoint attribute in the ISE database, so that's enough.

ASKER

Thank you so much for the help.  I'll do the aaa account update newinfo periodic 1440 on the switch as a whole.