Thursday, June 4, 2020

Cisco 3750G 8021x - Cisco Phone Fun

Hey guys,

Just bought ISE about two months ago and I'm running into issues with Cisco phones on 3750Gs. I put myself at a supported code base, 12.2(55)SE11. The policy in ISE works on 3850s and 9ks but not on my 3750s. I see the MAC on both the voice VLAN and the data VLAN.

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 230    0026.0bd8.d792    DYNAMIC     Gi1/0/44
 430    0026.0bd8.d792    STATIC      Gi1/0/44

Interface config:

switchport access vlan 230
switchport mode access
switchport voice vlan 430
ip access-group PreAuthAllowACL in
authentication event fail action next-method
authentication event server dead action authorize vlan 230
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab
dot1x pae authenticator
spanning-tree portfast

Radius configs on device:

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 172.22.198.10 server-key 7 Password
!
radius-server host 172.22.198.10 auth-port 1812 acct-port 1813 key 7 Password
radius-server attribute 6 on-for-login-auth
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
ip radius source-interface vlan 230
ip access-list extended PreAuthAllowACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
!
radius-server vsa send authentication
radius-server vsa send accounting

Show Auth sess int

            Interface:  GigabitEthernet1/0/44
          MAC Address:  0026.0bd8.d792
           IP Address:  Unknown
            User-Name:  00-26-0B-D8-D7-92
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC16E62A00000012044642E1
      Acct Session ID:  0x00000178
               Handle:  0xD3000012

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

ISE Auth Profile:

Access Type = ACCESS_ACCEPT
DACL = PERMIT_ALL_TRAFFIC
cisco-av-pair = device-traffic-class=voice

