Wired Intelligent Edge


Dot1x authentication won't trigger after mac-auth of IP Phones on 5130 EI

  • 1.  Dot1x authentication won't trigger after mac-auth of IP Phones on 5130 EI

    Posted Oct 03, 2017 12:31 PM

    Hi,

    I'm facing an issue while setting up Clearpass Wired NAC.

    I can authenticate IP phones with Mac-Auth successfully.

    I can authenticate Windows PC with 802.1x successfully.

    But if a Windows PC is connected behind an IP Phone, the IP phone authenticates successfully, but the PC keeps on trying to authenticate with Mac-Auth instead of triggering a dot1x authentication.

    Important precision (maybe): the IP phones use VLAN tagging.

    Config is:

    dot1x authentication-method eap
    dot1x timer supp-timeout 10
    dot1x timer tx-period 10

    mac-authentication domain clearpass

    port-security enable
    port-security mac-move permit

    interface GigabitEthernet2/0/8
    port link-type hybrid
    port hybrid vlan 101 tagged
    port hybrid vlan 1 untagged
    undo voice-vlan mode auto
    voice-vlan 101 enable
    mac-vlan enable
    stp edged-port
    poe enable
    undo dot1x handshake
    dot1x mandatory-domain clearpass
    dot1x max-user 10
    undo dot1x multicast-trigger
    dot1x re-authenticate
    dot1x unicast-trigger
    dot1x re-authenticate server-unreachable keep-online
    mac-authentication max-user 10
    mac-authentication domain clearpass
    mac-authentication timer auth-delay 15
    mac-authentication re-authenticate server-unreachable keep-online
    mac-authentication critical vlan 1
    mac-authentication critical-voice-vlan
    mac-authentication host-mode multi-vlan
    undo mac-authentication offline-detect enable
    mac-authentication parallel-with-dot1x
    mac-authentication re-authenticate
    port-security max-mac-count 10
    port-security port-mode userlogin-secure-or-mac-ext

    Logs:

    %Oct 3 15:37:58:556 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
    %Oct 3 15:37:36:572 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
    %Oct 3 15:35:35:580 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_SUCC: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=0008-5d8e-84de-AccessVLANID=101-AuthorizationVLANID=101-Username=00085d8e84de-UsernameFormat=MAC address; User passed MAC authentication and came online.
    %Oct 3 15:35:16:259 2017 RDC-BAS-1 IFNET/5/LINK_UPDOWN: Line protocol on the interface GigabitEthernet2/0/8 is up.
    %Oct 3 15:35:16:241 2017 RDC-BAS-1 IFNET/3/PHY_UPDOWN: GigabitEthernet2/0/8 link status is up.

    Any ideas?

    Thanks in advance



  • 2.  RE: Dot1x authentication won't trigger after mac-auth of IP Phones on 5130 EI
    Best Answer

    Posted Oct 09, 2017 09:14 AM

    It appeared that the IP phone was filtering the EAP frames from the PC.

    Thanks, Wireshark!

    Port config must be OK.
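The log pattern in the original post is what this failure looks like from the switch side: the phone passes MAC auth and is authorised into the voice VLAN, then a second MAC on the same port only ever produces MACA_LOGIN_FAILURE in the data VLAN and never a single DOT1X event, because (as the accepted answer found) the phone drops the EAPOL frames and the switch's unicast trigger never gets a response, so the parallel MAC auth is all that is left. The script below is an added example, not code from the thread or from HPE/Aruba: it parses Comware-style MACA/DOT1X log lines per port and flags ports showing that pattern. The sample logs are constructed to match the lines quoted in the post; the DOT1X/6/DOT1X_LOGIN_SUCC line in the healthy sample uses an assumed event name and field layout, since the post shows only MACA events.

```python
"""Spot a data device behind an IP phone that never starts 802.1X on a
Comware switch: phone online via MAC auth in the voice VLAN, then another
MAC on the same port only fails MAC auth in the data VLAN with no DOT1X
event at all (the EAPOL-pass-through failure from the thread)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the MACA/IFNET lines quoted in the post
# (same field layout and MAC addresses); not a capture from the poster's switch.
SAMPLE_LOG = """\
%Oct 3 15:37:58:556 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
%Oct 3 15:37:36:572 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
%Oct 3 15:35:35:580 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_SUCC: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=0008-5d8e-84de-AccessVLANID=101-AuthorizationVLANID=101-Username=00085d8e84de-UsernameFormat=MAC address; User passed MAC authentication and came online.
%Oct 3 15:35:16:259 2017 RDC-BAS-1 IFNET/5/LINK_UPDOWN: Line protocol on the interface GigabitEthernet2/0/8 is up.
%Oct 3 15:35:16:241 2017 RDC-BAS-1 IFNET/3/PHY_UPDOWN: GigabitEthernet2/0/8 link status is up.
"""

# Constructed healthy port for comparison: phone via MAC auth, then the PC
# behind it passes 802.1X. The DOT1X/6/DOT1X_LOGIN_SUCC line is an ASSUMED
# Comware event name and layout; the post shows only MACA events.
HEALTHY_LOG = """\
%Oct 3 15:40:12:101 2017 RDC-BAS-1 DOT1X/6/DOT1X_LOGIN_SUCC: -IfName=GigabitEthernet2/0/9-MACAddr=f430-b9ad-97cf-AccessVLANID=1-AuthorizationVLANID=1-Username=alice; User passed 802.1X authentication and came online.
%Oct 3 15:39:50:300 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_SUCC: -Slot=2; -IfName=GigabitEthernet2/0/9-MACAddr=0008-5d8e-84df-AccessVLANID=101-AuthorizationVLANID=101-Username=00085d8e84df-UsernameFormat=MAC address; User passed MAC authentication and came online.
"""

HEADER_RE = re.compile(
    r"^%(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}:\d{3}\s+\d{4})\s+\S+\s+"
    r"(?P<module>MACA|DOT1X)/\d/(?P<event>\w+):\s*(?P<body>.*)$"
)
IF_RE = re.compile(r"-IfName=(?P<port>[^-\s]+)")
MAC_RE = re.compile(r"-MACAddr=(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})")


def _vlan(body):
    """Failures carry VLANID=, successes carry Access/AuthorizationVLANID=;
    prefer the VLAN the user was actually authorised into."""
    m = re.search(r"-AuthorizationVLANID=(\d+)", body) or re.search(r"-VLANID=(\d+)", body)
    return int(m.group(1)) if m else None


def parse_auth_events(text):
    """Return MACA/DOT1X events oldest first (the switch buffer is newest first)."""
    events = []
    for line in text.splitlines():
        h = HEADER_RE.match(line.strip())
        if not h:
            continue  # IFNET link messages and other modules are not auth events
        body = h.group("body")
        ifm, macm = IF_RE.search(body), MAC_RE.search(body)
        if not (ifm and macm):
            continue
        ts = datetime.strptime(re.sub(r"\s+", " ", h.group("ts")), "%b %d %H:%M:%S:%f %Y")
        events.append({"ts": ts, "port": ifm.group("port"), "mac": macm.group("mac"),
                       "module": h.group("module"), "event": h.group("event"),
                       "vlan": _vlan(body)})
    return sorted(events, key=lambda e: e["ts"])


def find_phone_shadowed_ports(events, voice_vlan=101, min_failures=2):
    """Per port: a MAC that passed MAC auth into the voice VLAN is the phone.
    Any other MAC seen after the phone came online that never logs a DOT1X
    event and fails MAC auth in a non-voice VLAN at least min_failures times
    is reported as stuck behind the phone."""
    by_port = defaultdict(list)
    for e in events:
        by_port[e["port"]].append(e)
    findings = {}
    for port, evs in by_port.items():
        phones = {e["mac"] for e in evs
                  if e["event"] == "MACA_LOGIN_SUCC" and e["vlan"] == voice_vlan}
        if not phones:
            continue
        phone_online = min(e["ts"] for e in evs
                           if e["mac"] in phones and e["event"] == "MACA_LOGIN_SUCC")
        others = [e for e in evs if e["mac"] not in phones and e["ts"] >= phone_online]
        dot1x_macs = {e["mac"] for e in others if e["module"] == "DOT1X"}
        fails = defaultdict(int)
        for e in others:
            if (e["event"] == "MACA_LOGIN_FAILURE" and e["vlan"] != voice_vlan
                    and e["mac"] not in dot1x_macs):
                fails[e["mac"]] += 1
        stuck = {mac: n for mac, n in fails.items() if n >= min_failures}
        if stuck:
            findings[port] = {"phone": sorted(phones), "stuck": stuck,
                              "hint": "device behind phone never started 802.1X; "
                                      "check EAPOL pass-through on the phone"}
    return findings


if __name__ == "__main__":
    for name, log in (("broken", SAMPLE_LOG), ("healthy", HEALTHY_LOG)):
        print(name, find_phone_shadowed_ports(parse_auth_events(log)))
```

Run against the whole `display logbuffer` output rather than a single port; a cluster of flagged ports sharing one phone model is a much stronger signal of a phone-side EAPOL setting than a single PC that is simply not running a supplicant, and the latter should be ruled out on the PC before touching the phone fleet.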