Hi,
I'm facing an issue while setting up ClearPass Wired NAC.
I can authenticate IP phones with Mac-Auth successfully.
I can authenticate Windows PC with 802.1x successfully.
But if a Windows PC is connected behind an IP Phone, the IP phone authenticates successfully, but the PC keeps on trying to authenticate with Mac-Auth instead of triggering a dot1x authentication.
Important precision (maybe): IP phones use VLAN tagging.
Config is:
dot1x authentication-method eap
dot1x timer supp-timeout 10
dot1x timer tx-period 10
mac-authentication domain clearpass
port-security enable
port-security mac-move permit
interface GigabitEthernet2/0/8
port link-type hybrid
port hybrid vlan 101 tagged
port hybrid vlan 1 untagged
undo voice-vlan mode auto
voice-vlan 101 enable
mac-vlan enable
stp edged-port
poe enable
undo dot1x handshake
dot1x mandatory-domain clearpass
dot1x max-user 10
undo dot1x multicast-trigger
dot1x re-authenticate
dot1x unicast-trigger
dot1x re-authenticate server-unreachable keep-online
mac-authentication max-user 10
mac-authentication domain clearpass
mac-authentication timer auth-delay 15
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication critical vlan 1
mac-authentication critical-voice-vlan
mac-authentication host-mode multi-vlan
undo mac-authentication offline-detect enable
mac-authentication parallel-with-dot1x
mac-authentication re-authenticate
port-security max-mac-count 10
port-security port-mode userlogin-secure-or-mac-ext
Logs:
%Oct 3 15:37:58:556 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
%Oct 3 15:37:36:572 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
%Oct 3 15:35:35:580 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_SUCC: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=0008-5d8e-84de-AccessVLANID=101-AuthorizationVLANID=101-Username=00085d8e84de-UsernameFormat=MAC address; User passed MAC authentication and came online.
%Oct 3 15:35:16:259 2017 RDC-BAS-1 IFNET/5/LINK_UPDOWN: Line protocol on the interface GigabitEthernet2/0/8 is up.
%Oct 3 15:35:16:241 2017 RDC-BAS-1 IFNET/3/PHY_UPDOWN: GigabitEthernet2/0/8 link status is up.
Any ideas?
Thanks in advance
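
Added example, not part of the original post: a small Python triage script for the MACA log lines shown above. It lists MACs that only ever fail MAC authentication on a port where another device has already passed it (the phone-plus-PC pattern described here). The field layout is inferred from those log lines, and the function names are illustrative.

```python
import re
from collections import defaultdict

# MACA lines copied verbatim from the post above.
SAMPLE_LOG = """\
%Oct 3 15:37:58:556 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
%Oct 3 15:37:36:572 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
%Oct 3 15:35:35:580 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_SUCC: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=0008-5d8e-84de-AccessVLANID=101-AuthorizationVLANID=101-Username=00085d8e84de-UsernameFormat=MAC address; User passed MAC authentication and came online.
"""

# Field layout inferred from the lines in the post; only the fields used are matched.
LINE_RE = re.compile(
    r"MACA/\d/MACA_LOGIN_(?P<result>FAILURE|SUCC): .*?"
    r"-IfName=(?P<port>\S+?)-MACAddr=(?P<mac>(?:[0-9a-f]{4}-){2}[0-9a-f]{4})"
    r"-(?:Access)?VLANID=(?P<vlan>\d+)"
)


def tally(log_text):
    """Return {port: {mac: {"SUCC": n, "FAILURE": n, "vlans": set}}}."""
    ports = defaultdict(lambda: defaultdict(
        lambda: {"SUCC": 0, "FAILURE": 0, "vlans": set()}))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a MAC-authentication result line
        entry = ports[m["port"]][m["mac"]]
        entry[m["result"]] += 1
        entry["vlans"].add(int(m["vlan"]))
    return ports


def failing_behind_authenticated(log_text):
    """List (port, mac, failures) for MACs that only ever fail MAC auth on a
    port where another MAC passed it, e.g. a PC behind an authenticated phone."""
    hits = []
    for port, macs in tally(log_text).items():
        if not any(e["SUCC"] for e in macs.values()):
            continue  # nothing passed on this port, so not this pattern
        for mac, e in macs.items():
            if e["FAILURE"] and not e["SUCC"]:
                hits.append((port, mac, e["FAILURE"]))
    return sorted(hits)


if __name__ == "__main__":
    for port, mac, n in failing_behind_authenticated(SAMPLE_LOG):
        print(f"{port}: {mac} failed MAC auth {n}x behind an authenticated device")
```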