Phone must be registered




-------- Original message --------
From: jeremy co <jeremy.coo...@gmail.com>
Date: 11/14/2013 5:55 AM (GMT-08:00)
To: MERAJ Khalid <merajkha...@hotmail.com>,Cisco certification 
<ccie...@groupstudy.com>,ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] ANY ONE ? strange issue :wired 802.1x 
windows through ipphone problem not directly!


What about the IP phone problem I have?

If I connect it through the IP phone, it doesn't work anymore. Have you ever faced
this issue before?

Does the IP phone need to be registered to CUCME to pass 802.1x to the PC?


On Thu, Nov 14, 2013 at 5:47 AM, jeremy co 
<jeremy.coo...@gmail.com<mailto:jeremy.coo...@gmail.com>> wrote:
Meraj,

Adding this ACL solved the problem, but my IOS is 15.

Interestingly, I removed the ACL and it's still working. Is that a bug?



On Thu, Nov 14, 2013 at 5:31 AM, MERAJ Khalid 
<merajkha...@hotmail.com<mailto:merajkha...@hotmail.com>> wrote:

Have you created the ACLs on the switch?


Define Local (Default) ACLs on the Switch

Enable these functions on older switches (with Cisco IOS software releases 
earlier than 12.2(55)SE) to ensure Cisco ISE is able to perform the dynamic ACL 
updates required for authentication and authorization by entering the following 
commands:

ip access-list extended ACL-ALLOW
 permit ip any any
!
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Allow HTTP/S to ISE and WebAuth portal
 permit tcp any host <Cisco_ISE_IP_address> eq www
 permit tcp any host <Cisco_ISE_IP_address> eq 443
 permit tcp any host <Cisco_ISE_IP_address> eq 8443
 permit tcp any host <Cisco_ISE_IP_address> eq 8905
 permit udp any host <Cisco_ISE_IP_address> eq 8905
 permit udp any host <Cisco_ISE_IP_address> eq 8906
 permit tcp any host <Cisco_ISE_IP_address> eq 8080
 permit udp any host <Cisco_ISE_IP_address> eq 9996
 remark Drop all the rest
 deny   ip any any log

________________________________
Date: Thu, 14 Nov 2013 05:00:22 -0800
From: jeremy.coo...@gmail.com<mailto:jeremy.coo...@gmail.com>
To: ccie...@groupstudy.com<mailto:ccie...@groupstudy.com>; 
ccie_security@onlinestudylist.com<mailto:ccie_security@onlinestudylist.com>; 
pio...@ipexpert.com<mailto:pio...@ipexpert.com>; 
jay.mcmic...@yahoo.com<mailto:jay.mcmic...@yahoo.com>

Subject: [OSL | CCIE_Security] ANY ONE ? strange issue :wired 802.1x windows 
through ipphone problem not directly!

Hi,


If I plug the PC directly into the switch it works fine, but if I put it through the
IP phone, it doesn't work.

The phone authenticates via MAB just fine and then I get the error below.
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client


aaa new-model
!
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
!
!
!
aaa server radius dynamic-author
 client 100.0.0.10
 server-key cisco123

!
!
ip device tracking

!
dot1x system-auth-control

!
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport voice vlan 9
 logging event spanning-tree
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast

interface Vlan1
 ip address 100.0.0.3 255.255.255.0
!
!
ip radius source-interface Vlan1
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server host 100.0.0.10 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
!

SW1#$                                sh authentication sessions int f1/0/5
            Interface:  FastEthernet1/0/5
          MAC Address:  48f8.b32b.24a3
           IP Address:  Unknown
            User-Name:  48f8b32b24a3
               Status:  Running
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  640000010000000E01DFBAEC
      Acct Session ID:  0x00000011
               Handle:  0x0D00000E

Runnable methods list:
       Method   State
       dot1x    Running

----------------------------------------
            Interface:  FastEthernet1/0/5
          MAC Address:  000f.2340.71cb

           IP Address:  Unknown
            User-Name:  00-0F-23-40-71-CB
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  640000010000000F01DFD428
      Acct Session ID:  0x00000012
               Handle:  0x8C00000F

Runnable methods list:
       Method   State
       dot1x    Failed over


Eventually it times out. My suspicion is it never passes 802.1x to the PC.
-----------------------------------------------------------------------------------------------------------------
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client 
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
dot1x-ev(Fa1/0/5): Received Authz fail for the client  0x660000A7 
(48f8.b32b.24a3)
dot1x-ev(Fa1/0/5): Deleting client 0x660000A7 (48f8.b32b.24a3)
%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (48f8.b32b.24a3) on 
Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client 
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-5-FAIL: Authorization failed for client (48f8.b32b.24a3) on Interface 
Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
dot1x-ev:Delete auth client (0x660000A7) message
dot1x-ev:Auth client ctx destroyed
dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
SW1#$
dot1x-ev(Fa1/0/5): Couldn't find the supplicant in the list
dot1x-ev(Fa1/0/5): Sending create new context event to EAP for 0xED0000A8 
(48f8.b32b.24a3)
dot1x-ev(Fa1/0/5): Created a client entry (0xED0000A8)
dot1x-ev(Fa1/0/5): Dot1x authentication started for 0xED0000A8 (48f8.b32b.24a3)
%AUTHMGR-5-START: Starting 'dot1x' for client (48f8.b32b.24a3) on Interface 
Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
SW1#$
dot1x-ev(Fa1/0/5): Sending EAPOL packet to 48f8.b32b.24a3
dot1x-ev(Fa1/0/5): Role determination not required
dot1x-ev(Fa1/0/5): Sending out EAPOL packet




_______________________________________________ Free CCIE R&S, Collaboration, 
Data Center, Wireless & Security Videos :: iPexpert on YouTube: 
www.youtube.com/ipexpertinc<http://www.youtube.com/ipexpertinc>
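A small triage helper for the evidence posted in this thread, added here as an example and not code from the thread or from Cisco: it parses the "show authentication sessions" output into one record per session, collects the %AUTHMGR syslog lines per client MAC, and flags the pattern the original poster describes (VOICE-domain session authorized, DATA-domain session on the same port stuck with 'no-response' from dot1x). The sample input is constructed from the trimmed output above; the function names and the classification labels are this example's own.

```python
"""Triage 'show authentication sessions' output and %AUTHMGR syslog lines.

Added example (not from the thread or from Cisco). The sample text below is
constructed from the trimmed output in the original post; labels such as
'dot1x-no-response' are this example's own vocabulary.
"""
import re
from collections import defaultdict

# Constructed sample: the two session blocks from the original post (trimmed).
SHOW_AUTH_SESSIONS = """\
            Interface:  FastEthernet1/0/5
          MAC Address:  48f8.b32b.24a3
           IP Address:  Unknown
            User-Name:  48f8b32b24a3
               Status:  Running
               Domain:  DATA
       Oper host mode:  multi-auth
    Common Session ID:  640000010000000E01DFBAEC

Runnable methods list:
       Method   State
       dot1x    Running

----------------------------------------
            Interface:  FastEthernet1/0/5
          MAC Address:  000f.2340.71cb
           IP Address:  Unknown
            User-Name:  00-0F-23-40-71-CB
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-auth
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
    Common Session ID:  640000010000000F01DFD428

Runnable methods list:
       Method   State
       dot1x    Failed over
"""

# Constructed sample: the %AUTHMGR lines from the same post (dot1x-ev lines omitted).
SYSLOG = """\
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-5-FAIL: Authorization failed for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-5-START: Starting 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]+?):\s+(.*?)\s*$")
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")
AUTHMGR_RE = re.compile(
    r"%AUTHMGR-\d-([A-Z]+): .*?\((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)"
)
RESULT_RE = re.compile(r"Authentication result '([^']+)' from '([^']+)'")


def parse_sessions(text):
    """Split the show output on the dashed separator; return one dict per
    session with its 'Field: value' pairs plus a 'methods' dict (method -> state)."""
    sessions = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        sess, methods = {}, {}
        for line in block.splitlines():
            m = METHOD_RE.match(line)
            if m:
                methods[m.group(1)] = m.group(2)
                continue
            f = FIELD_RE.match(line)
            if f:
                sess[f.group(1)] = f.group(2)
        if "MAC Address" in sess:
            sess["methods"] = methods
            sessions.append(sess)
    return sessions


def parse_authmgr(text):
    """Collect (mnemonic, (method, result) or None) per client MAC, in log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = AUTHMGR_RE.search(line)
        if not m:
            continue
        r = RESULT_RE.search(line)
        detail = (r.group(2), r.group(1)) if r else None  # (method, result)
        events[m.group("mac")].append((m.group(1), detail))
    return dict(events)


def triage(sessions, events):
    """Label each session: a 'Running' session whose client already logged
    'no-response' from dot1x and NOMOREMETHODS is not really in progress."""
    report = {}
    for s in sessions:
        mac = s["MAC Address"]
        evs = events.get(mac, [])
        no_resp = any(mn == "RESULT" and d == ("dot1x", "no-response") for mn, d in evs)
        exhausted = any(mn == "NOMOREMETHODS" for mn, _ in evs)
        if s.get("Status") == "Authz Success":
            label = "authorized"
        elif no_resp and exhausted:
            label = "dot1x-no-response"
        elif s.get("Status") == "Running":
            label = "in-progress"
        else:
            label = "failed"
        report[mac] = {"interface": s.get("Interface"), "domain": s.get("Domain"),
                       "status": s.get("Status"), "methods": s["methods"], "label": label}
    return report


def data_behind_phone_no_response(report):
    """Interfaces where the VOICE session is authorized but the DATA session
    never answered EAPOL: the symptom the thread is about."""
    by_if = defaultdict(set)
    for r in report.values():
        by_if[r["interface"]].add((r["domain"], r["label"]))
    return [i for i, pairs in by_if.items()
            if ("VOICE", "authorized") in pairs and ("DATA", "dot1x-no-response") in pairs]


if __name__ == "__main__":
    rep = triage(parse_sessions(SHOW_AUTH_SESSIONS), parse_authmgr(SYSLOG))
    for mac, r in rep.items():
        print(mac, r["domain"], r["label"], r["methods"])
    print("suspect ports:", data_behind_phone_no_response(rep))
```

The point of keying on the syslog rather than only on the session table is that the DATA session still shows "Running" while the log has already recorded 'no-response', failover and NOMOREMETHODS for that MAC; looking at the table alone would under-report the failure. Feed it "show authentication sessions interface ..." plus a "debug"/syslog capture from the same port and it lists the ports where the phone passed MAB but the PC behind it never replied to EAPOL.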

