Campus Switching and Routing


Dot1x authentication won't trigger after mac-auth of IP Phones on 5130 EI

Hi,

I'm facing an issue while setting up Clearpass Wired NAC.

I can authenticate IP phones with Mac-Auth successfully.

I can authenticate Windows PC with 802.1x successfully.

But if a Windows PC is connected behind an IP Phone, the IP phone authenticates successfully, but the PC keeps on trying to authenticate with Mac-Auth instead of triggering a dot1x authentication.

Important precision (maybe): IP phones use VLAN tagging.

Config is:

dot1x authentication-method eap
dot1x timer supp-timeout 10
dot1x timer tx-period 10

mac-authentication domain clearpass

port-security enable
port-security mac-move permit

interface GigabitEthernet2/0/8
port link-type hybrid
port hybrid vlan 101 tagged
port hybrid vlan 1 untagged
undo voice-vlan mode auto
voice-vlan 101 enable
mac-vlan enable
stp edged-port
poe enable
undo dot1x handshake
dot1x mandatory-domain clearpass
dot1x max-user 10
undo dot1x multicast-trigger
dot1x re-authenticate
dot1x unicast-trigger
dot1x re-authenticate server-unreachable keep-online
mac-authentication max-user 10
mac-authentication domain clearpass
mac-authentication timer auth-delay 15
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication critical vlan 1
mac-authentication critical-voice-vlan
mac-authentication host-mode multi-vlan
undo mac-authentication offline-detect enable
mac-authentication parallel-with-dot1x
mac-authentication re-authenticate
port-security max-mac-count 10
port-security port-mode userlogin-secure-or-mac-ext

Logs:

%Oct 3 15:37:58:556 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
%Oct 3 15:37:36:572 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
%Oct 3 15:35:35:580 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_SUCC: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=0008-5d8e-84de-AccessVLANID=101-AuthorizationVLANID=101-Username=00085d8e84de-UsernameFormat=MAC address; User passed MAC authentication and came online.
%Oct 3 15:35:16:259 2017 RDC-BAS-1 IFNET/5/LINK_UPDOWN: Line protocol on the interface GigabitEthernet2/0/8 is up.
%Oct 3 15:35:16:241 2017 RDC-BAS-1 IFNET/3/PHY_UPDOWN: GigabitEthernet2/0/8 link status is up.

Any ideas?

Thanks in advance.
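The log excerpt above already contains the signature of the problem: one MAC passes MAC authentication on the voice VLAN (the phone), and a second MAC on the same port then fails MAC authentication repeatedly on the data VLAN without ever appearing in a dot1x message. The script below is an added example (not code from the post, from HPE or from ClearPass) that parses Comware MACA syslog lines and flags that pattern, so a NAC operator can spot "PC behind phone is stuck in MAC auth" across many ports instead of reading each line by hand. It assumes the voice VLAN is 101 (taken from the port config in the post) and uses a failure threshold of 2; the two lines for GigabitEthernet2/0/9 are constructed to show that failures on a port with no authenticated phone are not flagged.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

# Sample input: the MACA/IFNET lines quoted in the post, plus two constructed
# lines for GigabitEthernet2/0/9 (a failing MAC with no phone on that port).
SAMPLE_LOG = """\
%Oct 3 15:37:58:556 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
%Oct 3 15:37:36:572 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
%Oct 3 15:35:35:580 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_SUCC: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=0008-5d8e-84de-AccessVLANID=101-AuthorizationVLANID=101-Username=00085d8e84de-UsernameFormat=MAC address; User passed MAC authentication and came online.
%Oct 3 15:35:16:259 2017 RDC-BAS-1 IFNET/5/LINK_UPDOWN: Line protocol on the interface GigabitEthernet2/0/8 is up.
%Oct 3 15:36:10:004 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/9-MACAddr=aaaa-bbbb-cccc-VLANID=1-Username=aaaabbbbcccc-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
%Oct 3 15:36:31:117 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/9-MACAddr=aaaa-bbbb-cccc-VLANID=1-Username=aaaabbbbcccc-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
"""

# Comware syslog header: %Mon D HH:MM:SS:ms YYYY HOST MODULE/SEVERITY/MNEMONIC: body
HEADER_RE = re.compile(
    r"^%(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<host>\S+) (?P<module>\w+)/(?P<sev>\d)/(?P<mnemonic>\w+): (?P<body>.*)$"
)
# The body joins fields with '-', the same character used inside Comware
# MAC addresses (xxxx-xxxx-xxxx), so each field gets its own anchored pattern.
IFNAME_RE = re.compile(r"IfName=(?P<port>.+?)-MACAddr=")
MAC_RE = re.compile(r"MACAddr=(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})")
# Matches "-VLANID=" (failure lines) and "-AccessVLANID=" (success lines),
# but not "-AuthorizationVLANID=".
VLAN_RE = re.compile(r"-(?:Access)?VLANID=(?P<vlan>\d+)")


@dataclass
class MacAuthEvent:
    ts: datetime
    port: str
    mac: str
    vlan: int
    mnemonic: str


@dataclass
class Finding:
    port: str
    data_mac: str
    phone_macs: Set[str]
    failures: int


def parse_line(line: str) -> Optional[MacAuthEvent]:
    """Return a MacAuthEvent for MACA login success/failure lines, else None."""
    m = HEADER_RE.match(line.strip())
    if not m or m["module"] != "MACA":
        return None
    body = m["body"]
    port, mac, vlan = IFNAME_RE.search(body), MAC_RE.search(body), VLAN_RE.search(body)
    if not (port and mac and vlan):
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S:%f %Y")
    return MacAuthEvent(ts, port["port"], mac["mac"].lower(), int(vlan["vlan"]), m["mnemonic"])


def find_stuck_data_devices(log_text: str, voice_vlan: int = 101,
                            min_failures: int = 2) -> List[Finding]:
    """Flag ports where a phone passed MAC auth on the voice VLAN and a second
    MAC on a data VLAN then failed MAC auth at least min_failures times.

    That combination means the device behind the phone is being handled by
    MAC auth only, i.e. its EAPOL never reached the switch (voice_vlan is an
    assumption taken from the port configuration in the post)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e.ts)  # the post lists newest first

    phones = defaultdict(set)      # port -> MACs that came online on the voice VLAN
    failures = defaultdict(int)    # (port, mac) -> failure count after a phone is up
    for e in events:
        if e.mnemonic == "MACA_LOGIN_SUCC" and e.vlan == voice_vlan:
            phones[e.port].add(e.mac)
        elif (e.mnemonic == "MACA_LOGIN_FAILURE" and e.vlan != voice_vlan
              and e.port in phones and e.mac not in phones[e.port]):
            failures[(e.port, e.mac)] += 1

    return [Finding(port, mac, set(phones[port]), n)
            for (port, mac), n in failures.items() if n >= min_failures]


if __name__ == "__main__":
    for f in find_stuck_data_devices(SAMPLE_LOG):
        print(f"{f.port}: {f.data_mac} failed MAC auth {f.failures}x behind phone(s) "
              f"{sorted(f.phone_macs)}; check whether its EAPOL frames reach the switch")
```

Run against the sample, the script reports only GigabitEthernet2/0/8 with data MAC f430-b9ad-97ce behind phone 0008-5d8e-84de; the constructed GigabitEthernet2/0/9 failures are ignored because no phone came online there. In practice you would feed it the switch's syslog export and treat each finding as a port to capture on, which is exactly the check that resolved this thread.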


Re: Dot1x authentication won't trigger after mac-auth of IP Phones on 5130 EI

It appeared that the IP phone is filtering the EAP frames from the PC.

Thanks, Wireshark!

Port config must be OK.
