Phone must be registered.
Sent from my Samsung Galaxy S®4

-------- Original message --------
From: jeremy co <jeremy.coo...@gmail.com>
Date: 11/14/2013 5:55 AM (GMT-08:00)
To: MERAJ Khalid <merajkha...@hotmail.com>, Cisco certification <ccie...@groupstudy.com>, ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] ANY ONE ? strange issue :wired 802.1x windows through ipphone problem not directly!

What about the IP phone problem I have? If I connect it through the IP phone, it doesn't work anymore. Have you ever faced this issue before? Does the IP phone need to be registered to CUCME to pass the 802.1x to the PC?

On Thu, Nov 14, 2013 at 5:47 AM, jeremy co <jeremy.coo...@gmail.com> wrote:

Meraj,

Adding this ACL solved the problem, but my IOS is 15. Interestingly, I removed the ACL and it's still working. Is that a bug?

On Thu, Nov 14, 2013 at 5:31 AM, MERAJ Khalid <merajkha...@hotmail.com> wrote:

Have you created the ACLs on the switch?

Define Local (Default) ACLs on the Switch

Enable these functions on older switches (with Cisco IOS software releases earlier than 12.2(55)SE) to ensure Cisco ISE is able to perform the dynamic ACL updates required for authentication and authorization by entering the following commands:

ip access-list extended ACL-ALLOW
 permit ip any any
!
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Allow HTTP/S to ISE and WebAuth portal
 permit tcp any host <Cisco_ISE_IP_address> eq www
 permit tcp any host <Cisco_ISE_IP_address> eq 443
 permit tcp any host <Cisco_ISE_IP_address> eq 8443
 permit tcp any host <Cisco_ISE_IP_address> eq 8905
 permit udp any host <Cisco_ISE_IP_address> eq 8905
 permit udp any host <Cisco_ISE_IP_address> eq 8906
 permit tcp any host <Cisco_ISE_IP_address> eq 8080
 permit udp any host <Cisco_ISE_IP_address> eq 9996
 remark Drop all the rest
 deny ip any any log

________________________________
Date: Thu, 14 Nov 2013 05:00:22 -0800
From: jeremy.coo...@gmail.com
To: ccie...@groupstudy.com; ccie_security@onlinestudylist.com; pio...@ipexpert.com; jay.mcmic...@yahoo.com
Subject: [OSL | CCIE_Security] ANY ONE ? strange issue :wired 802.1x windows through ipphone problem not directly!

Hi,

If I plug the PC directly into the switch it works fine, but if I put it through the IP phone, it doesn't work. The phone authenticates via MAB just fine and then I get the error below.

%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client

aaa new-model
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa server radius dynamic-author
 client 100.0.0.10 server-key cisco123
!
ip device tracking
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport voice vlan 9
 logging event spanning-tree
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface Vlan1
 ip address 100.0.0.3 255.255.255.0
!
ip radius source-interface Vlan1
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server host 100.0.0.10 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
!

SW1# sh authentication sessions int f1/0/5
            Interface:  FastEthernet1/0/5
          MAC Address:  48f8.b32b.24a3
           IP Address:  Unknown
            User-Name:  48f8b32b24a3
               Status:  Running
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  640000010000000E01DFBAEC
      Acct Session ID:  0x00000011
               Handle:  0x0D00000E

Runnable methods list:
       Method   State
       dot1x    Running
----------------------------------------
            Interface:  FastEthernet1/0/5
          MAC Address:  000f.2340.71cb
           IP Address:  Unknown
            User-Name:  00-0F-23-40-71-CB
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  640000010000000F01DFD428
      Acct Session ID:  0x00000012
               Handle:  0x8C00000F

Runnable methods list:
       Method   State
       dot1x    Failed over

Eventually it times out. My suspicion is it never passes 802.1x to the PC.

-----------------------------------------------------------------------------------------------------------------
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
dot1x-ev(Fa1/0/5): Received Authz fail for the client 0x660000A7 (48f8.b32b.24a3)
dot1x-ev(Fa1/0/5): Deleting client 0x660000A7 (48f8.b32b.24a3)
%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-5-FAIL: Authorization failed for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
dot1x-ev:Delete auth client (0x660000A7) message
dot1x-ev:Auth client ctx destroyed
dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
dot1x-ev(Fa1/0/5): Couldn't find the supplicant in the list
dot1x-ev(Fa1/0/5): Sending create new context event to EAP for 0xED0000A8 (48f8.b32b.24a3)
dot1x-ev(Fa1/0/5): Created a client entry (0xED0000A8)
dot1x-ev(Fa1/0/5): Dot1x authentication started for 0xED0000A8 (48f8.b32b.24a3)
%AUTHMGR-5-START: Starting 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
dot1x-ev(Fa1/0/5): Sending EAPOL packet to 48f8.b32b.24a3
dot1x-ev(Fa1/0/5): Role determination not required
dot1x-ev(Fa1/0/5): Sending out EAPOL packet

_______________________________________________
Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc
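The symptom in the thread is easy to misread on a multi-auth port: the VOICE-domain session (the phone, authorized by MAB with a dACL) looks healthy, while the DATA-domain session (the PC behind it) cycles through dot1x 'no-response', FAIL and START without ever being authorized. The script below is an added example, not code from the thread or from Cisco: it parses the `show authentication sessions` layout and the %AUTHMGR syslog lines as pasted above (sample data is constructed from that output and trimmed) and correlates them per client so the "phone authorized, PC's EAPOL never arrives" pattern is flagged explicitly. It assumes the session-table layout shown in the thread; a live port would normally also list `mab` in the Runnable methods, which the parser handles the same way. Nothing here talks to a switch.

```python
"""Triage a multi-auth 802.1X port: pair `show authentication sessions`
output with %AUTHMGR syslog lines so each client shows which domain was
authorized and which method is stalling. Sample data is constructed."""
import re
from collections import Counter

# Constructed sample (trimmed): the two sessions on Fa1/0/5 from the thread.
SHOW_AUTH_SESSIONS = """\
            Interface:  FastEthernet1/0/5
          MAC Address:  48f8.b32b.24a3
               Status:  Running
               Domain:  DATA
    Common Session ID:  640000010000000E01DFBAEC
Runnable methods list:
       Method   State
       dot1x    Running
----------------------------------------
            Interface:  FastEthernet1/0/5
          MAC Address:  000f.2340.71cb
            User-Name:  00-0F-23-40-71-CB
               Status:  Authz Success
               Domain:  VOICE
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
Runnable methods list:
       Method   State
       dot1x    Failed over
"""

# Constructed sample: one %AUTHMGR cycle for the PC, as in the thread's debug.
AUTHMGR_LOG = """\
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-5-FAIL: Authorization failed for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-5-START: Starting 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
"""

AUTHMGR_RE = re.compile(
    r"%AUTHMGR-\d-(?P<mnemonic>[A-Z]+): (?P<msg>.*?) for client "
    r"\((?P<mac>[0-9a-fA-F.]+)\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)")


def norm_mac(mac):
    """12 lowercase hex digits; accepts 48f8.b32b.24a3, 00-0F-23-40-71-CB and
    the bare 48f8b32b24a3 form the RADIUS server shows as User-Name for MAB."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC: %r" % mac)
    return digits


def parse_sessions(text):
    """One dict per session: 'Key:  Value' lines become fields, the Runnable
    methods table becomes {method: state} under 'methods'."""
    sessions = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        if not block.strip():
            continue
        sess, in_methods = {"methods": {}}, False
        for line in (l.strip() for l in block.splitlines() if l.strip()):
            if line.startswith("Runnable methods list"):
                in_methods = True
            elif in_methods and not line.startswith("Method"):
                method, _, state = line.partition(" ")
                sess["methods"][method] = state.strip()
            elif not in_methods:
                key, _, value = line.partition(":")
                sess[key] = value.strip()
        sess["mac"] = norm_mac(sess["MAC Address"])
        sessions.append(sess)
    return sessions


def parse_authmgr(text):
    """Parse %AUTHMGR lines; 'method' is the last quoted token ('dot1x'),
    'result' the first quoted token of a RESULT line ('no-response')."""
    events = []
    for m in (AUTHMGR_RE.search(l) for l in text.splitlines()):
        if not m:
            continue
        quoted = re.findall(r"'([^']+)'", m.group("msg"))
        events.append({"mnemonic": m.group("mnemonic"), "mac": norm_mac(m.group("mac")),
                       "interface": m.group("intf"), "session_id": m.group("sid"),
                       "method": quoted[-1] if quoted else None,
                       "result": quoted[0] if m.group("mnemonic") == "RESULT" else None})
    return events


def triage(sessions, events):
    """{mac: finding}. A DATA session stuck in dot1x with 'no-response' while a
    VOICE session on the same port is authorized is the thread's symptom."""
    no_resp = Counter(e["mac"] for e in events
                      if e["mnemonic"] == "RESULT" and e["result"] == "no-response")
    voice_ok = {s["Interface"] for s in sessions
                if s.get("Domain") == "VOICE" and s.get("Status") == "Authz Success"}
    findings = {}
    for s in sessions:
        mac = s["mac"]
        if s.get("Status") == "Authz Success":
            findings[mac] = "authorized: domain=%s by %s, dACL=%s" % (
                s.get("Domain"), s.get("Authorized By", "-"), s.get("ACS ACL", "-"))
        elif s.get("Domain") == "DATA" and no_resp[mac] and s["Interface"] in voice_ok:
            findings[mac] = ("data host behind an authorized phone: dot1x no-response x%d; "
                             "the PC's EAPOL is not reaching the switch" % no_resp[mac])
        else:
            findings[mac] = "status=%s methods=%s no-response x%d" % (
                s.get("Status"), s["methods"], no_resp[mac])
    return findings


if __name__ == "__main__":
    for mac, finding in triage(parse_sessions(SHOW_AUTH_SESSIONS),
                               parse_authmgr(AUTHMGR_LOG)).items():
        print(mac, "->", finding)
```

Correlation is done on the MAC rather than on the interface name because the session table spells it `FastEthernet1/0/5` while syslog uses `Fa1/0/5`, and MAC formatting differs between the switch (dotted), the RADIUS User-Name (bare hex) and the phone's User-Name (dashed), so everything is normalised first. Over a longer debug capture the `no-response x N` count grows with each retry cycle, which is the quickest way to tell a supplicant that is genuinely silent from one whose frames are being dropped on the way to the switch.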