Wired Intelligent Edge


Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution

Dot1x authentication won't trigger after mac-auth of IP Phones on 5130 EI

  • 1.  Dot1x authentication won't trigger after mac-auth of IP Phones on 5130 EI

    Posted Oct 03, 2017 12:31 PM

    Hi,

    I'm facing an issue while setting up Clearpass Wired NAC.

    I can authenticate IP phones with Mac-Auth successfully.

    I can authenticate Windows PC with 802.1x successfully.

    But if a Windows PC is connected behind an IP Phone, the IP phone authenticates successfully, but the PC keeps on trying to authenticate with Mac-Auth instead of triggering a dot1x authentication.

    Important precision (maybe): IP phones use VLAN tagging.


    Config is:

    dot1x authentication-method eap
    dot1x timer supp-timeout 10
    dot1x timer tx-period 10

    mac-authentication domain clearpass

    port-security enable
    port-security mac-move permit

    interface GigabitEthernet2/0/8
    port link-type hybrid
    port hybrid vlan 101 tagged
    port hybrid vlan 1 untagged
    undo voice-vlan mode auto
    voice-vlan 101 enable
    mac-vlan enable
    stp edged-port
    poe enable
    undo dot1x handshake
    dot1x mandatory-domain clearpass
    dot1x max-user 10
    undo dot1x multicast-trigger
    dot1x re-authenticate
    dot1x unicast-trigger
    dot1x re-authenticate server-unreachable keep-online
    mac-authentication max-user 10
    mac-authentication domain clearpass
    mac-authentication timer auth-delay 15
    mac-authentication re-authenticate server-unreachable keep-online
    mac-authentication critical vlan 1
    mac-authentication critical-voice-vlan
    mac-authentication host-mode multi-vlan
    undo mac-authentication offline-detect enable
    mac-authentication parallel-with-dot1x
    mac-authentication re-authenticate
    port-security max-mac-count 10
    port-security port-mode userlogin-secure-or-mac-ext

    Logs:

    %Oct 3 15:37:58:556 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
    %Oct 3 15:37:36:572 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
    %Oct 3 15:35:35:580 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_SUCC: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=0008-5d8e-84de-AccessVLANID=101-AuthorizationVLANID=101-Username=00085d8e84de-UsernameFormat=MAC address; User passed MAC authentication and came online.
    %Oct 3 15:35:16:259 2017 RDC-BAS-1 IFNET/5/LINK_UPDOWN: Line protocol on the interface GigabitEthernet2/0/8 is up.
    %Oct 3 15:35:16:241 2017 RDC-BAS-1 IFNET/3/PHY_UPDOWN: GigabitEthernet2/0/8 link status is up.

    Any ideas?

    Thanks in advance
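The symptom in the post is visible in the switch log alone: one MAC passes MAC authentication on the voice VLAN, then a second MAC on the same port keeps failing MAC authentication on the data VLAN and never shows a dot1x attempt. The script below, an added example that is not part of the post or of any HPE tool, parses the Comware MACA log lines quoted above and flags ports where a data-VLAN host is stuck in that state behind an authenticated phone. The sample log is a copy of the lines from the post; the voice VLAN number (101) is taken from the port configuration, and the failure threshold is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Comware MACA log lines as shown in the post. Fields are joined with a literal
# "-", so the interface and MAC fields are matched lazily / by fixed shape.
MACA_RE = re.compile(
    r"MACA/\d+/(?P<event>MACA_LOGIN_SUCC|MACA_LOGIN_FAILURE): "
    r"-Slot=\d+; -IfName=(?P<ifname>.+?)"
    r"-MACAddr=(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
    r"-(?:Access)?VLANID=(?P<vlan>\d+)"
)

# Constructed sample: the log lines quoted in the post (newest first, as printed).
SAMPLE_LOG = """\
%Oct 3 15:37:58:556 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
%Oct 3 15:37:36:572 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_FAILURE: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=f430-b9ad-97ce-VLANID=1-Username=f430b9ad97ce-UsernameFormat=MAC address; User failed MAC authentication. Reason:[Authentication process failed.]
%Oct 3 15:35:35:580 2017 RDC-BAS-1 MACA/6/MACA_LOGIN_SUCC: -Slot=2; -IfName=GigabitEthernet2/0/8-MACAddr=0008-5d8e-84de-AccessVLANID=101-AuthorizationVLANID=101-Username=00085d8e84de-UsernameFormat=MAC address; User passed MAC authentication and came online.
%Oct 3 15:35:16:259 2017 RDC-BAS-1 IFNET/5/LINK_UPDOWN: Line protocol on the interface GigabitEthernet2/0/8 is up.
%Oct 3 15:35:16:241 2017 RDC-BAS-1 IFNET/3/PHY_UPDOWN: GigabitEthernet2/0/8 link status is up.
"""


def parse_maca_events(log_text):
    """Return (ifname, mac, vlan, event) tuples for every MACA login line.

    Non-MACA lines (link up/down, etc.) are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = MACA_RE.search(line)
        if m:
            events.append((m["ifname"], m["mac"], int(m["vlan"]), m["event"]))
    return events


def find_hosts_stuck_on_mac_auth(log_text, voice_vlan, min_failures=2):
    """Flag ports where a phone is online on the voice VLAN while another MAC
    keeps failing MAC authentication on a non-voice VLAN.

    Returns {ifname: {"phone": <mac>, "stuck_hosts": [<mac>, ...]}}.
    min_failures is an assumed threshold: one failure can be a transient,
    repeated failures with no dot1x attempt in between are the pattern from
    the post.
    """
    phones = {}                                        # ifname -> phone MAC
    failures = defaultdict(lambda: defaultdict(int))   # ifname -> mac -> count
    for ifname, mac, vlan, event in parse_maca_events(log_text):
        if event == "MACA_LOGIN_SUCC" and vlan == voice_vlan:
            phones[ifname] = mac
        elif event == "MACA_LOGIN_FAILURE" and vlan != voice_vlan:
            failures[ifname][mac] += 1

    findings = {}
    for ifname, phone_mac in phones.items():
        stuck = sorted(m for m, n in failures[ifname].items() if n >= min_failures)
        if stuck:
            findings[ifname] = {"phone": phone_mac, "stuck_hosts": stuck}
    return findings


if __name__ == "__main__":
    for port, info in find_hosts_stuck_on_mac_auth(SAMPLE_LOG, voice_vlan=101).items():
        print(f"{port}: phone {info['phone']} online on voice VLAN, "
              f"data host(s) {info['stuck_hosts']} repeatedly failing MAC auth "
              f"with no dot1x attempt seen")
```

Run it against a larger export of the switch log to see how many ports show the same pattern before treating it as a single-phone problem; a report from one port points at the phone model's EAPOL handling, while the same finding across many ports points back at the port-security or dot1x trigger settings.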



  • 2.  RE: Dot1x authentication won't trigger after mac-auth of IP Phones on 5130 EI
    Best Answer

    Posted Oct 09, 2017 09:14 AM

    It appeared that the IP phone was filtering the EAP frames from the PC.

    Thanks, Wireshark!

    Port config must be OK.