I'm trying to use 802.1x to authenticate clients on my network with dynamic VLAN assignment from RADIUS. We have IP-Phones(powered by PoE) that only supports EAP-MD5, and we would rather use MAB(it also uses LLDP-MED for some settings) to authenticate the phones using the MAC-range from the phones vendor. The following scenario works perfect:
- Connect the phone and let it boot up(takes a while) and authenticate with MAB.
- Connect a computer in the phones data-port and let it authenticate with 802.1x(or fail and reach guest-vlan)
However, the following scenario doesn't work:
- The computer is already connected to the phone
- The phone is then connected to the switch
What happends now is that the computer is authenticated using 802.1x before the phone boots up and get's authenticated with MAB. When the phone is ready, it's authenticated with MAB and everything works. However, after a short period(let's say a minute), using debug authentication all
, we see a "NEW LL MAC: phones mac" message(which is weird since the mac has already been MAB-authenticated), and then we are unable to contact the phone using ping. When I check show mac address-table
it has now moved the mac from Port Gi 0/12
to Port Drop
. However, if I check show mab interface Gi 0/12
or show authentication sessions
it lists the phones-mac as mab auth sucess
.
Can anyone explain why the first scenario works, and not the second?
The switch is a 3560E PoE 24p with IOS 12.2.58SE2Sample of the switch-config.:
network-policy profile 1
voice vlan 90
!
interface GigabitEthernet0/12
switchport mode access
network-policy 1
authentication control-direction in
authentication event fail retry 1 action authorize vlan 60
authentication event server dead action authorize vlan 60
authentication event no-response action authorize vlan 60
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 1
spanning-tree portfast
!
Btw, when we tried authenticating the phones using 802.1x too (EAP-MD5), there are NO problems in any of the scenarios. However, we want to use MAB instead of 802.1x to avoid the requirement of configuring the phones with a username and password.
Best Answer
Have you tried adding "no cdp enable" to that interface? I had this issue once and that resolved it.