Switch – Dot1x re-authentication for computers connect via IP phone

Tags: ieee-802.1x, ip, switch

I am currently working on a dot1x solution for wired users. The configuration we have is working fine for most of our use cases, except one. We have a working solution for users that are connected to the network via IP phones. However, one group of those users changes their working place quite often during the day (they work in shifts). This is quite a problem, because the IP phone reboots every time one user disconnects laptop A and a new user connects laptop B to the phone. I am not sure why a change of the device connected to the IP phone prompts a reboot of the phone.

I am using MAB as authentication for IP phones and dot1x for end stations.

Please see the switchport configuration below.

interface XXX
 switchport mode access
 switchport voice vlan xxx
 authentication event fail action authorize vlan xxx
 authentication event server dead action authorize vlan xxx
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan xxx
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 10
 authentication timer inactivity server dynamic
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 3
 dot1x max-req 3
 dot1x max-reauth-req 5
 spanning-tree portfast

Host-mode is multi-domain, as you can see. Thus, I thought that IP phones which have been successfully authenticated to the VOICE domain would not have to re-authenticate every time the DATA device behind the phone is changed.

Example of successful authentication:

switchxxx#show authentication sessions | inc Gi1/0/37
Gi1/0/37   28d2.xxxx.xxx  dot1x    DATA     Authz Success  0AF07F0F000004F5F45C4567
Gi1/0/37   0080.xxxx.xxxx  mab      VOICE    Authz Success  0AF07F0F000004F7F45C6E86

It seems to me like the switch removes all MAC addresses from the CAM for the particular interface when the computers are changed.
But this does not happen when dot1x is not configured on the port. In that case, the IP phone doesn't reboot. It has to have something to do with dot1x.

Do you have any idea how to fix it?

Many thanks.

Dan

Best Answer

I have figured out that our Alcatel IP phones are not capable of sending EAPoL-Logoff messages on behalf of the data device when the phone detects that the device has been unplugged from behind the phone. Therefore, when users change devices, the switch considers it a security violation and the port is put into error-disabled.

I have added an additional attribute to our RADIUS server (RADIUS Attribute 28), in order to remove the authenticated (data) session in case of inactivity.

It is working as expected, so far.

I have found all information here: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#pgfId-389486
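As an added illustration of the fix described in the answer (this is not configuration from the original thread or from the linked Cisco guide), the entry below shows how a FreeRADIUS server could return RADIUS attribute 28 (Idle-Timeout) in the Access-Accept for dot1x (EAP) sessions only, so that the switch's `authentication timer inactivity server dynamic` line from the question's port configuration tears down the DATA session after a period of silence while leaving the MAB-authenticated phone alone. The use of FreeRADIUS, the `users` file, the 120-second value and the Service-Type matching are all assumptions; the thread does not say which RADIUS server is in use.

```text
# Added example, not from the original thread. Assumed: FreeRADIUS "users" file,
# data devices authenticate with EAP (dot1x), phones authenticate with MAB.
#
# Cisco IOS sends MAB requests with Service-Type = Call-Check, so excluding that
# value limits the Idle-Timeout to the dot1x (DATA domain) sessions. The value is
# in seconds and is an assumed example; tune it to the shift-change behaviour.
DEFAULT EAP-Message =* ANY, Service-Type != Call-Check
        Idle-Timeout = 120,
        Fall-Through = Yes

# Phones (MAB) get no Idle-Timeout, so the VOICE session is not aged out on
# inactivity. Fall-Through lets later entries still match for per-device policy.
DEFAULT Service-Type == Call-Check
        Fall-Through = Yes
```

On the switch side, `authentication timer inactivity server dynamic` (already present in the question's configuration) is what makes the port honour the server-supplied Idle-Timeout; if the RADIUS server cannot be changed, the same timer can instead be set locally on the port with `authentication timer inactivity <seconds>`, but that applies to every session on the port rather than only the DATA domain. Either way, verify with `show authentication sessions interface <if>` that the DATA session is cleared after the configured period while the VOICE session remains Authz Success.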