ICX 6430 Mac-Auth / Dot1x Issues / SW: Version 08.0.30uT311

Frenchsysnetadm — Thu, 10 Nov 2022 14:03:10 GMT

Hi, i'm trying to configure a switch to work with Dot1x and Mac-authentication, on the same interface.

But i've been having an issue, it only works half way!

Currently, most our users are connected behind a Sangoma S500 IP Phone. And everything works fine (phone calls & data).

But we'd like to make our infrastructure more secure, and prevent anyone to just plug their equipment into our network.

Up until now, what we have done is configure a printer radius profile, and a Sangoma radius profile, with MAC authentication (login/password is the MAC of the printer/Phone), and corresponding vlans in the radius profiles, 113-printers, 99-phones, 120-userdata.

On the switch, we've activated Mac-authentication on the port the printer is connected to, and it works fine

Here's the issue. When Mac-authentication & Dot1x is activated on the same interface, and a sangoma phone is connected to it, with a laptop connected to the sangoma; the laptop gets authenticated with Dot1x and put into the corresponding vlan 120.

The Sangoma phone gets put in vlan 99, which is the correct vlan. But we can't actually make calls. somehow, the voice traffic is stopped.

What's more, when we deactivate "no dot1x port-control auto" on the interface, the laptop loses its authentication, but the phone can make calls.

We need both the laptop and the phone to work together, as they did when mac-auth & dot1x was not activated.

I'm not familiar with that technology, so i'm sure the problem must be between the seat and the keyboard ^^

Do you guys have any thoughts on what's going on ?

I'll add that, although Sangoma phones have the capacity to do Dot1x by adding a login/password in the settings, we just would like to authenticate them via MAC, for practical reasons, and do everything remotely from the radius and switches.

But again, i'm not familiar with this technology, so i'm not sure what are the dos and donts.

Below, you will find the current conf on our test switch.

Current configuration:
!
ver 08.0.30uT311
!
stack unit 1
module 1 icx6430-24-port-management-module
module 2 icx6430-sfp-4port-4g-module
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 2 by port
!
vlan 99 name TELEPHONIE by port
tagged ethe 1/1/2 ethe 1/1/4 to 1/1/5 ethe 1/1/11 to 1/1/12 ethe 1/1/24
!
vlan 112 name MANAGEMENT by port
tagged ethe 1/1/12 ethe 1/1/24
!
vlan 113 name PRINTERS by port
!
vlan 120 name STAFF by port
tagged ethe 1/1/2 ethe 1/1/10 ethe 1/1/12 ethe 1/1/24
!
vlan 401 name STUDENTS by port
tagged ethe 1/1/11 ethe 1/1/24
!
vlan 666 name VLAN666 by port
untagged ethe 1/1/3
!
!
!
!
authentication
auth-order mac-auth dot1x
auth-default-vlan 666
restricted-vlan 401
auth-fail-action restricted-vlan
no filter-strict-security enable
re-authentication
dot1x enable
dot1x enable ethe 1/1/4 to 1/1/5 ethe 1/1/10 to 1/1/11
dot1x guest-vlan 401
mac-authentication enable
mac-authentication enable ethe 1/1/4 to 1/1/5 ethe 1/1/7
mac-authentication dot1x-override
!
aaa authentication web-server default local
aaa authentication dot1x default radius
aaa authentication login default local
aaa authentication login privilege-mode
enable aaa console
hostname TEST
ip address X.X.X.X 255.255.255.0
no ip dhcp-client enable
ip default-gateway X.X.X.X
!
username test password ..................
radius-server host X.X.X.X auth-port 1812 acct-port 1813 default key XXXX dot1x
!
!
interface ethernet 1/1/2
dual-mode 120
!
interface ethernet 1/1/4
dot1x port-control auto
!
interface ethernet 1/1/5
dot1x port-control auto
!
interface ethernet 1/1/11
dot1x port-control auto
!
interface ethernet 1/1/12
dual-mode 120
!
!
!
!
lldp med network-policy application voice tagged vlan 99 priority 5 dscp 46 ports ethe 1/1/11
lldp run
!
!
!
!
end

TEST# sh mac-auth sess bri
--------------------------------------------------------------------------------------------
Port Number of Number of Number of Untagged Dynamic
Attempted Users Authorized Users Denied Users VLAN Type Port ACL
--------------------------------------------------------------------------------------------
1/1/4 0 0 0 Auth-Default-VLAN No
1/1/5 2 1 1 Radius-VLAN No
1/1/7 0 0 0 Auth-Default-VLAN No

TEST# sh dot1x sess bri
-------------------------------------------------------------------------------------------------
Port Number of Number of Number of Untagged Dynamic Dynamic
Users Authorized Users Denied Users VLAN Type PORT ACL MAC-Filt
--------------------------------------------------------------------------------------- ---------
1/1/4 0 0 0 Auth-Default-VLAN No No
1/1/5 2 1 1 Radius-VLAN No No
1/1/10 0 0 0 Auth-Default-VLAN No No
1/1/11 0 0 0 Auth-Default-VLAN No No

TEST# sh mac-auth sess all
----------------------------------------------------------------------------
Port MAC IP Vlan Auth ACL Age
Addr Addr State
----------------------------------------------------------------------------
1/1/5 842a.XXXX.XXXX N/A 120 No none Ena
1/1/5 0050.XXXX.XXXX N/A 99 Yes none S45

TEST# sh dot1x sess all
------------------------------------------------------------------------------------------------------
Port MAC IP User Vlan Auth ACL Age PAE
Addr Addr Name State State
------------------------------------------------------------------------------------------------------
1/1/5 842a.XXXX.XXXX N/A DOMAIN\u.sers 120 permit none Ena AUTHENTICATED
1/1/5 0050.XXXX.XXXX N/A N/A 99 blocked none H45 HELD

TEST# sh dot1x conf
PAE Capability : Authenticator Only
Status : Enabled
Auth Order : mac-auth dot1x
Default VLAN : 666
Auth VLAN Mode : Single Untagged Mode
Restricted VLAN : 401
Critical VLAN : Not configured
Guest VLAN : 401
Action on Auth failure : Move to Restricted VLAN (401)
MAC Session Aging : Enabled
Filter Strict Security : Disabled
Re-authentication : Enabled
Session max sw-age : 120 seconds
Session max hw-age : 70 seconds
Quiet-period : 60 seconds
TX-period : 30 seconds
Reauth-period : 3600 seconds
Supplicant-timeout : 30 seconds
Max Reauth requests : 2
Protocol Version : 1

TEST# sh int eth 1/1/5
GigabitEthernet1/1/5 is up, line protocol is up
Port up for 20 hour(s) 32 minute(s) 17 second(s)
Hardware is GigabitEthernet, address is 609c.XXXX.XXXX (bia 609c.XXXX.XXXX)
Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx
Configured mdi mode AUTO, actual MDI
Member of 2 L2 VLANs, port is tagged, port state is FORWARDING
BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
Link Error Dampening is Disabled
STP configured to ON, priority is level0, mac-learning is enabled
Flow Control is config enabled, oper enabled, negotiation disabled
Mirror disabled, Monitor disabled
Mac-notification is disabled
Not member of any active trunks
Not member of any configured trunks
No port name
Inter-Packet Gap (IPG) is 96 bit times
MTU 1500 bytes
300 second input rate: 504 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 1872 bits/sec, 3 packets/sec, 0.00% utilization
1410114 packets input, 775226560 bytes, 0 no buffer
Received 35555 broadcasts, 36942 multicasts, 1337617 unicasts
0 input errors, 0 CRC, 0 frame, 0 ignored
0 runts, 0 giants
2726534 packets output, 1341509092 bytes, 0 underruns
Transmitted 398920 broadcasts, 817239 multicasts, 1510375 unicasts
0 output errors, 0 collisions
Relay Agent Information option: Disabled

TEST# sh vlan eth 1/1/5
Total PORT-VLAN entries: 8
Maximum PORT-VLAN entries: 64

Legend: [Stk=Stack-Id, S=Slot]

PORT-VLAN 99, Name TELEPHONIE, Priority level0, Spanning tree On
Untagged Ports: None
Tagged Ports: (U1/M1) 2 4 5 11 12 24
Uplink Ports: None
DualMode Ports: None
Mac-Vlan Ports: None
Monitoring: Disabled
PORT-VLAN 666, Name VLAN666, Priority level0, Spanning tree On
Untagged Ports: (U1/M1) 3
Tagged Ports: None
Uplink Ports: None
DualMode Ports: None
Mac-Vlan Ports: (U1/M1) 4 5 7 10 11
Monitoring: Disabled

TEST# sh aaa
***** TACACS server not configured
Radius default key: ...
Radius retries: 3
Radius timeout: 3 seconds
Radius Server: IP=X.X.X.X Auth Port=1812 Acct Port=1813 Usage=any
Key=.....
opens=3709 closes=2261 timeouts=0 errors=0
packets in=3709 packets out=3710
IPv4 Radius Source address: IP=0.0.0.0 IPv6 Radius Source Address: IP=::

Re: ICX 6430 Mac-Auth / Dot1x Issues / SW: Version 08.0.30uT311

Frenchsysnetadm — Mon, 14 Nov 2022 19:26:32 GMT

Hi, i was able to solve the issue.

It turns out that, i assumed since the IP phones are connected first on the switch port, they had to be authenticated first. So i was systematically changing the order to "auth-order mac-auth dot1x".

But i tried changing the order on the interface to "auth-order dot1x mac-auth", and it worked.

We now have mac-authentication and dot1x working on the same interface, with both the iphone going to voice vlan 99, and laptops(user AD accounts) going to vlan 120, and we can make phone calls too.

Nowhere in all the docs i've read was it mentionned that this was the order ^^

Anyway, problem solved, at least for now.

topic ICX 6430 Mac-Auth / Dot1x Issues / SW: Version 08.0.30uT311 in ICX Switches

ICX 6430 Mac-Auth / Dot1x Issues / SW: Version 08.0.30uT311

Re: ICX 6430 Mac-Auth / Dot1x Issues / SW: Version 08.0.30uT311