802.1x (ACS) with Avaya phones

Hi All,
We are implementing wired dot1x for our wired users with EAP-TLS. When I connect a laptop it gets authenticated and works fine. For VoIP (Avaya) we are using MAB. When we connect the VoIP phone, after 30 seconds ACS gives Access-Accept (auth success), but the phone is stuck in the "Bad router" state and VoIP is not working. If I connect the laptop behind the phone it gets authenticated and works fine even though the phone is stuck.
Is there a way we can reduce the 802.1x auth timing so that the VoIP phone can register successfully?
The switch interface config is:
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
Thanks,
Vijay

Hi,
I am using Avaya as well in production. They support 802.1X.
Configure a voice VLAN on each port.
Let ACS send the RADIUS attribute device-traffic-class=voice under
Policy Elements / Authorization and Permissions / Network Access / Authorization Profiles VOICE VLAN
and select "Permission to join static".
A good guide: IP Telephony for 802.1X Design Guide
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
Regards, Horst

Similar Messages

  • 802.1x MDA with Cisco 3750, ACS and Avaya phones

    Hello,
    What is the minimum software level on the C3750 to support the 'device type class=voice' AV-pair returned by ACS? I found that 12.2(35) introduced MDA, but I also found that 12.2(40) is required for dynamic voice VLAN on MDA ports.
    What I observe is:
    - phone connects
    - phone is dot1x authenticated in data VLAN and gets its DHCP address there
    - DHCP advertises (option 242) the voice vlan id
    - phone reauthenticates in voice vlan
    - phone reacquires a new DHCP address, now in voice VLAN
    so far so good... and we start using the phone
    - pc behind phone starts and enters credentials
    - pc authenticates ok (in data vlan)
    but the 3750 shuts the port down per security violation ("new mac-address found").
    The MAC address of the phone stays in the data VLAN's MAC table, despite the phone having moved correctly to the voice VLAN. This MAC address excludes the 'new' PC MAC address, causing a shutdown of the port.
    NB: setting "port-security max mac-addresses" to, say, 5 does not change this behavior at all.
    Can anybody give some hints?
    Tx.

    Searching further, I found that the 12.2(40) requirement for dynamic voice VLAN on MDA ports only applies to dynamically provisioning the voice VLAN ID by RADIUS, applying the (65) Tunnel-Medium-Type and (81) Tunnel-Private-Group-ID attributes. So, obviously, MDA support with 'static' voice VLAN assignment by switchport configuration *should work* with our 12.2(35), *
    So, the question remains: why does the data VLAN keep an entry with the phone's MAC address in its MAC table?
    Tx.

  • MAB and 802.1x issues with IP-phone

    I'm trying to use 802.1x to authenticate clients on my network with dynamic VLAN assignment from RADIUS. We have IP phones (powered by PoE) that only support EAP-MD5, and we would rather use MAB (it also uses LLDP-MED for some settings) to authenticate the phones using the MAC range from the phone's vendor. The following scenario works perfectly:
    Connect the phone, let it boot up (takes a while) and authenticate with MAB.
    Connect a computer to the phone's data port and let it authenticate with 802.1x (or fail and reach the guest VLAN).
    However, the following scenario doesn't work:
    The computer is already connected to the phone.
    The phone is then connected to the switch.
    What happens now is that the computer is authenticated using 802.1x before the phone boots up and gets authenticated with MAB. When the phone is ready, it's authenticated with MAB and everything works. However, after a short period (let's say a minute), using `debug authentication all`, we see a "NEW LL MAC: phones mac" message (which is weird since the MAC has already been MAB-authenticated), and then we are unable to contact the phone using ping. When I check `show mac address-table` it has now moved the MAC from `Port Gi 0/12` to `Port Drop`. However, if I check `show mab interface Gi 0/12` or `show authentication sessions` it lists the phone's MAC as `mab auth success`.
    Can anyone explain why the first scenario works, and not the second?
    The switch is a 3560E PoE 24p with IOS 12.2.58SE2. Sample of the switch config:
    network-policy profile 1
    voice vlan 90
    interface GigabitEthernet0/12
    switchport mode access
    network-policy 1
    authentication control-direction in
    authentication event fail retry 1 action authorize vlan 60
    authentication event server dead action authorize vlan 60
    authentication event no-response action authorize vlan 60
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority mab dot1x
    authentication port-control auto
    authentication periodic
    authentication violation replace
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 5
    dot1x max-reauth-req 1
    spanning-tree portfast
    Btw, when we tried authenticating the phones using 802.1x too (EAP-MD5), there are NO problems in any of the scenarios. However, we want to use MAB instead of 802.1x to avoid the requirement of configuring the phones with a username and password. The RADIUS response was the same when using 802.1x as it is with MAB for the phones (including device-traffic-class=voice AV-pair).

    Hey. Yes, as specified in the last sentence of my post, the phone is placed in the Voice Domain, and both RADIUS and LLDP-MED (network policy profile 1) specify voice VLAN 90.
    The weird thing is that everything works fine if both use 802.1x, and that there is only a problem when the phone (using MAB) already has the computer connected to it when the phone is turned on (connected to the PoE switch). It must be because the computer boots up and authenticates first, I think.
    The phones are Snom 821.

  • 802.1x with alcatel phone with cisco acs 5.0

    Hi All, has anyone done an implementation of 802.1x with an Alcatel phone where the PC is behind the phone and the Cisco switch ports are configured as trunks? The trunk native VLAN is the data VLAN for the PC and the trunk carries the voice VLAN.
    When trunk mode is enabled I cannot configure 802.1x on the trunk interface. Can anyone help me get out of this situation?
    Thanks

    Hi,
    Did you find any solution? Did you try the command switchport voice vlan?
    Regards,
    Mauricio

  • L2 Roaming issue with Avaya wireless phone on WISM -V6.0.196.0

    Hello Friends,
    I am facing a Layer 2 roaming issue with the Avaya wireless phone 3620, which is configured with WPA / pre-shared key auth on SSID1 and experiences a cut or delay in the voice.
    But when I use Cisco wireless phones and roam from one LWAP to another I don't face a cut or delay in the voice; those are
    configured with 802.1x + CCKM auth.
    Then I configured a new SSID 3 with 802.1x + CCKM settings for the new Avaya wireless module 3631, but it still faces a cut and delay while doing Layer 2 roaming.
    While I was using these APs in WDS mode I never faced this Layer 2 roaming issue with Avaya wireless phones.
    In the current WISM all the LWAPs are supporting the Cisco phones and wireless laptop clients properly.
    I request you to please let me know how I should proceed further to solve the issue, and please let me know if there are any bugs or incompatibilities of the WISM with Avaya wireless phones.
    Appreciate your response.
    Regards,
    KA.

    Hello ,
    Can anybody please respond to my above query.
    Thanks,
    KA.

  • 802.1X with IP Phone is possible with Nortel??

    Hello,
    My scenario is that I have configured 802.1X on Cisco switches C3750/C3560/C2960. I configured 802.1x on all the switches, but I have 100 Nortel IP phones with 2 ports, one port connected to the switch and the other port connected to a PC. I know that Cisco IP phones work in an 802.1X environment; this feature I can configure by enabling RADIUS (Cisco IOS/PIX 6.0), and in the group I have set up, in the tab "[009\001] cisco-av-pair" I put "device-traffic-class=voice" and in the tab IP Assignment I put "Assigned from AAA Client pool". In the case of Nortel, how do I do it? Is it similar? Do I have to set up the "[009\001] cisco-av-pair" the same way??? I've seen a configuration with Cisco in the link:
    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
    and the other configuration with Avaya and Radius non cisco.
    Please help me with this issue.
    Best Regards
    Alvaro

    From the backend perspective, you can treat Nortel and cisco phones identically in this regard.
    The doc reference from before should work for any type of phone.
    Hope this helps,

  • Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?

    I'm trying to follow the TrustSec 2.1 guide on IP phones in Low Impact mode.
    I can get a PC on its own to authenticate via dot1x/tls
    I can get a Cisco IP Phone on its own to authenticate via MAB.
    When the two are on the same switchport, the phone will authenticate but not the PC.  ISE logs EAP timeouts.
    The switchport has the LowImpact port ACL of
    ip access-group ACL-DEFAULT in
    The IP Phone gets a dACL that allows it ok.
    I assume MAB phone and dot1x PC is supported?  Any ideas?
    Thanks in advance.

    The ISE log detailed steps are as follows:
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12300  Prepared EAP-Request proposing PEAP with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    5411  No response received during 120 seconds on last EAP message sent to the client

  • 802.1x authentication with ACS 4.1 for MAC OSX

    Hi,
    I simply wanted to know if it's possible to have 802.1x authentication with Mac OS X on the ACS 4.1 platform?
    If yes, what are the prerequisites on ACS and Mac OS X? Which authentication methods are recommended?
    I'm sorry, but I can't find documents which show validated tests of an 802.1x implementation method on ACS 4.1 with the Mac OS X supplicant.
    Thanks in advance
    Best regards
    Thanks

    Yes, refer to the doc below:
    http://support.apple.com/kb/HT2717
    Port settings and ACS configuration remain the same as for Windows-based clients.

  • ACS with wireless 802.1x

    We have some AP1100s using 802.1x authentication with an ACS server, which is then looking up users in a Windows domain; that is working fine.
    I would like to be able to have a specific group on the ACS that is mapped to a Windows group, and when the wireless users try to get authenticated they are only allowed access if they belong to that group.
    In our situation the users could possibly belong to other groups on the ACS, but should not be authenticated when they are in those groups,
    just the one specific to the wireless.
    Any ideas?
    Arni

    You can implement it through a NAR, or do dynamic VLAN assignment for only one group; all others can fall into the guest VLAN or a restricted VLAN.
    The following whitepaper can help with NARs:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
    Remember that for wireless, CLI/DNIS NARs work.
    ~Rohit

  • Avaya Phone in same VLAN as workstation

    OK, so here is my dilemma: an Avaya phone with a docking station plugged into it. dot1q passes the workstation fine, but hangs the phone. Without creating a voice VLAN, is there any way I can have the phone authenticate with MAB and the workstation with dot1q? I know the best solution is a redesign of the VLANs, but I thought I would throw this out to the group.
    Jeff

    Hi all,
    My problem is the opposite. I have a Siemens phone connected to a C2960. The phone will do MAC authentication.
    Connected to the phone I have a PC which authenticates using dot1x.
    The MAC authentication is successful, but the Siemens phone is placed in the DATA VLAN instead of the VOICE VLAN.
    At this point, for testing purposes, I tried eliminating the dot1x configuration of the port. My current interface config is:
    interface GigabitEthernet0/13
    switchport access vlan 124
    switchport mode access
    switchport voice vlan 310
    authentication host-mode multi-domain
    authentication order mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate 300
    mab
    spanning-tree portfast
    end
    I'm using an ACS RADIUS server which is returning "device-traffic-class=voice", but still the phone always ends up in the Data VLAN.
    If no auth is configured the phone ends up in the voice VLAN as expected.
    Any help here will be appreciated, since all the config guides I've read until now just present the above as the necessary config.
    Best Regards,
    Pedro

  • Compatibility question with Nortel phones

    Hello,
    I just introduced a Cisco SP200-48P switch into our Nortel environment. When I plug the phone into a PoE port, the port is unresponsive (doesn't light up), and the Nortel phone doesn't power up.
    The data aspect of the port is fine when I plug a computer into the switchport.
    Am I running into a compatibility issue with Nortel phones, or should they work just fine with the switch right out of the box?
    Thank you,
    John             

    Hi jdamone, please verify you're using a PoE port. The left side of the port banks is PoE; the right side is not. On a 48-port switch, ports 1-12 and 25-36 would be PoE. And yes, if the phone is 802.3af compliant, it should work out of the box, no problems. If you're connecting to the correct port and have verified the wire and that the phone is PoE, then the next step would be to upgrade the switch firmware to the latest version.
    -Tom
    Please mark answered for helpful posts

  • Impossible to use mAb with Alcatel phone

    Hello,
    I am trying to configure MAB authentication with an Alcatel "IPTouch" phone.
    The RADIUS server is ISE version 1.2.1.
    It is impossible to authenticate with MAB.
    On ISE the errors are:
        "Event  5434 Endpoint conducted several failed authentications of the same scenario"
        "Failure Reason  11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
    On the switch the error messages are:
    2960-09#
    Dec 15 11:13:50.090: %AUTHMGR-5-START: Starting 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID
    0A0A510A0000010A2E95860F
    Dec 15 11:13:50.125: %MAB-5-FAIL: Authentication failed for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID
    0A0A510A0000010A2E95860F
    Dec 15 11:13:50.125: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9fc8.a9eb) on
    Interface Gi1/0/11 AuditSessionID 0A0A510A0000010A2E95860F
    Dec 15 11:13:50.125: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11
    AuditSessionID 0A0A510A0000010A2E95860F
    2960-09#
    Dec 15 11:13:50.125: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID
    0A0A510A0000010A2E95860F
    Here is the switch config
    +++++++++++++++++
    interface GigabitEthernet1/0/11
     description HOST PORT WITH AUTHENTICATION
     switchport access vlan 68
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 78
     authentication event server dead action reinitialize vlan 68
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer restart 300
     authentication timer reauthenticate server
     authentication timer inactivity server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 5
     spanning-tree portfast
    end
    global switch config
    +++++++++++++++
    aaa new-model
    aaa authentication login default local group radius
    aaa authentication dot1x default group radius
    aaa authorization exec default local group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 10.1.30.11 server-key 7 023201575A080B34080F
     client 10.1.30.12 server-key 7 122D001B430508116E6A
    dot1x system-auth-control
    dot1x critical eapol
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 1 tries 3
    radius-server host 10.1.30.11 auth-port 1812 acct-port 1813 key 7 0030160A55550F134B60
    radius-server host 10.1.30.12 auth-port 1812 acct-port 1813 key 7 0030160A55550F134B60
    radius-server deadtime 1
    radius-server vsa send accounting
    radius-server vsa send authentication
    Could you please help me.
    Michel Misonne
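    A small parser for the AUTHMGR/MAB syslog lines quoted in this post, added here as an example and not code from the thread: it rejoins the messages that the post shows wrapped across two lines, groups them by AuditSessionID and reports sessions where MAB ended in 'no-response' and the switch failed over to dot1x, which is the sequence that precedes the "Starting 'dot1x'" line for the phone above. The sample log is copied from the post; the timestamp format assumed is the plain "Mon DD HH:MM:SS.mmm:" one shown there.

```python
"""Summarise Cisco IOS %AUTHMGR/%MAB syslog lines per authentication session."""
import re
from collections import defaultdict

# Constructed sample: the poster's log, with the wrapped continuation lines kept
# exactly as they appear so the parser has to rejoin them.
SAMPLE_LOG = """\
2960-09#
Dec 15 11:13:50.090: %AUTHMGR-5-START: Starting 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID
0A0A510A0000010A2E95860F
Dec 15 11:13:50.125: %MAB-5-FAIL: Authentication failed for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID
0A0A510A0000010A2E95860F
Dec 15 11:13:50.125: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9fc8.a9eb) on
Interface Gi1/0/11 AuditSessionID 0A0A510A0000010A2E95860F
Dec 15 11:13:50.125: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11
AuditSessionID 0A0A510A0000010A2E95860F
2960-09#
Dec 15 11:13:50.125: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID
0A0A510A0000010A2E95860F
"""

# Assumed log layout: "Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: text ..." (no sequence
# numbers or '*' prefix); a bare "hostname#" exec prompt is skipped.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+: ")
PROMPT = re.compile(r"^\S+#")
MSG = re.compile(
    r"%(?P<facility>AUTHMGR|MAB)-\d-(?P<mnemonic>[A-Z_]+): (?P<text>.*?)"
    r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<ifname>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)
METHOD = re.compile(r"'(?P<method>mab|dot1x)'")
RESULT = re.compile(r"result '(?P<result>[^']+)'")


def rejoin_wrapped(text):
    """Glue continuation lines (no timestamp, not a prompt) onto the previous message."""
    messages = []
    for line in text.splitlines():
        line = line.strip()
        if not line or PROMPT.match(line):
            continue
        if TIMESTAMP.match(line) or not messages:
            messages.append(line)
        else:
            messages[-1] += " " + line
    return messages


def parse_events(text):
    """Return {AuditSessionID: [event, ...]} in log order; each event is a dict."""
    sessions = defaultdict(list)
    for msg in rejoin_wrapped(text):
        m = MSG.search(msg)
        if not m:
            continue
        method = METHOD.search(m.group("text"))
        result = RESULT.search(m.group("text"))
        sessions[m.group("sid")].append({
            "facility": m.group("facility"),
            "mnemonic": m.group("mnemonic"),
            "method": method.group("method") if method else None,
            "result": result.group("result") if result else None,
            "mac": m.group("mac"),
            "ifname": m.group("ifname"),
        })
    return dict(sessions)


def diagnose(sessions):
    """Flag sessions where MAB returned 'no-response' and the port fell over to dot1x."""
    findings = []
    for sid, events in sessions.items():
        mab_no_response = any(
            e["mnemonic"] == "RESULT" and e["method"] == "mab" and e["result"] == "no-response"
            for e in events)
        failed_over = any(e["mnemonic"] == "FAILOVER" and e["method"] == "mab" for e in events)
        dot1x_started = any(e["mnemonic"] == "START" and e["method"] == "dot1x" for e in events)
        if mab_no_response and failed_over and dot1x_started:
            findings.append({
                "sid": sid,
                "mac": events[0]["mac"],
                "ifname": events[0]["ifname"],
                "sequence": [(e["mnemonic"], e["method"]) for e in events],
                "note": "MAB got no usable answer and the port moved on to dot1x; "
                        "check the MAB/endpoint policy on the RADIUS server for this MAC",
            })
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_events(SAMPLE_LOG)):
        print(f["ifname"], f["mac"], f["sequence"], "-", f["note"])
```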

    Hi,
    Yes, the MAC is in the Identity endpoint.
    During the night the phone rebooted and now it is OK!!!
    I do not know why.
    I changed nothing!
    But here is the debug.
    Also, ISE is configured with authentication protocol PAP-ASCII = Enable
    and "Calling stat id" and "Check pass" checked.
    The config of the phone is:
    - MAC to login
    - MD5 profile = OFF
    - TLS profile = OFF
    Here is the debug (when it works well):
    conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    2960-09(config)#endshutdown int gigabitEthernet 1/0/11
    2960-09(config-if)#no shu
    2960-09(config-if)#no shutdown
    2960-09(config-if)#end
    2960-09#
    Dec 16 08:33:54.962: %ILPOWER-7-DETECT: Interface Gi1/0/11: Power Device detected: IEEE PD
    Dec 16 08:33:56.157: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/11: Power granted
    Dec 16 08:33:56.241: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to down
    Dec 16 08:33:56.322: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.68.4)
    2960-09#
    Dec 16 08:34:02.924: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to up
    Dec 16 08:34:03.924: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/11, changed state to up
    2960-09#
    Dec 16 08:34:05.088: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/11, changed state to down
    2960-09#
    Dec 16 08:34:06.095: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to down
    2960-09#
    Dec 16 08:34:09.800: %AUTHMGR-5-START: Starting 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000011E3329AE1E
    Dec 16 08:34:09.800: RADIUS/ENCODE(0000025F):Orig. component type = Dot1X
    Dec 16 08:34:09.804: RADIUS(0000025F): Config NAS IP: 0.0.0.0
    Dec 16 08:34:09.804: RADIUS(0000025F): Config NAS IPv6: ::
    Dec 16 08:34:09.804: RADIUS/ENCODE(0000025F): acct_session_id: 597
    Dec 16 08:34:09.804: RADIUS(0000025F): sending
    Dec 16 08:34:09.804: RADIUS/ENCODE: Best Local IP-Address 10.10.81.10 for Radius-Server 10.1.30.11
    Dec 16 08:34:09.804: RADIUS(0000025F): Sending a IPv4 Radius Packet
    Dec 16 08:34:09.804: RADIUS(0000025F): Send Access-Request to 10.1.30.11:1812 id 1645/198,len 249
    Dec 16 08:34:09.804: RADIUS:  authenticator D3 5F 99 C6 EE 9F 9F 96 - 7C 1B A1 B9 32 1C 78 61
    Dec 16 08:34:09.804: RADIUS:  User-Name           [1]   14  "00809fc8a9eb"
    Dec 16 08:34:09.804: RADIUS:  User-Password       [2]   18  *
    Dec 16 08:34:09.804: RADIUS:  Service-Type        [6]   6   Call Check                [10]
    Dec 16 08:34:09.804: RADIUS:  Vendor, Cisco       [26]  31 
    Dec 16 08:34:09.804: RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"
    Dec 16 08:34:09.804: RADIUS:  Framed-IP-Address   [8]   6   10.10.78.250             
    Dec 16 08:34:09.804: RADIUS:  Framed-MTU          [12]  6   1500                     
    Dec 16 08:34:09.804: RADIUS:  Called-Station-Id   [30]  19  "F0-9E-63-E7-E1-8B"
    Dec 16 08:34:09.804: RADIUS:  Calling-Station-Id  [31]  19  "00-80-9F-C8-A9-EB"
    Dec 16 08:34:09.804: RADIUS:  Message-Authenticato[80]  18 
    Dec 16 08:34:09.804: RADIUS:   5F 60 06 35 54 F6 CB 60 3A D6 A9 87 92 F0 0D 70           [ _`5T`:p]
    Dec 16 08:34:09.804: RADIUS:  EAP-Key-Name        [102] 2   *
    Dec 16 08:34:09.804: RADIUS:  Vendor, Cisco       [26]  49 
    Dec 16 08:34:09.807: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A0A510A0000011E3329AE1E"
    Dec 16 08:34:09.807: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Dec 16 08:34:09.807: RADIUS:  NAS-Port            [5]   6   50111                    
    Dec 16 08:34:09.807: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/11"
    Dec 16 08:34:09.807: RADIUS:  NAS-IP-Address      [4]   6   10.10.81.10              
    Dec 16 08:34:09.807: RADIUS(0000025F): Started 5 sec timeout
    Dec 16 08:34:09.856: RADIUS: Received from id 1645/198 10.1.30.11:1812, Access-Accept, len 283
    Dec 16 08:34:09.856: RADIUS:  authenticator BC 72 21 F4 37 7D BE B1 - 03 A7 CE F3 3A DB EE DA
    Dec 16 08:34:09.856: RADIUS:  User-Name           [1]   14  "00809fc8a9eb"
    Dec 16 08:34:09.856: RADIUS:  State               [24]  40 
    Dec 16 08:34:09.856: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41  [ReauthSession:0A]
    Dec 16 08:34:09.856: RADIUS:   30 41 35 31 30 41 30 30 30 30 30 31 31 45 33 33  [0A510A0000011E33]
    Dec 16 08:34:09.856: RADIUS:   32 39 41 45 31 45            [ 29AE1E]
    Dec 16 08:34:09.856: RADIUS:  Class               [25]  54 
    Dec 16 08:34:09.856: RADIUS:   43 41 43 53 3A 30 41 30 41 35 31 30 41 30 30 30  [CACS:0A0A510A000]
    Dec 16 08:34:09.859: RADIUS:   30 30 31 31 45 33 33 32 39 41 45 31 45 3A 6D 65  [0011E3329AE1E:me]
    Dec 16 08:34:09.859: RADIUS:   67 61 74 72 6F 6E 2F 32 30 37 35 39 38 39 38 34  [gatron/207598984]
    Dec 16 08:34:09.859: RADIUS:   2F 34 31 30              [ /410]
    Dec 16 08:34:09.859: RADIUS:  Message-Authenticato[80]  18 
    Dec 16 08:34:09.859: RADIUS:   51 E9 8C 07 61 A4 F0 02 0C DC DF 1F 25 BE 39 A3              [ Qa?9]
    Dec 16 08:34:09.859: RADIUS:  Vendor, Cisco       [26]  34 
    Dec 16 08:34:09.859: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
    Dec 16 08:34:09.859: RADIUS:  Vendor, Cisco       [26]  75 
    Dec 16 08:34:09.859: RADIUS:   Cisco AVpair       [1]   69  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-537cb1d6"
    Dec 16 08:34:09.859: RADIUS:  Vendor, Cisco       [26]  28 
    Dec 16 08:34:09.859: RADIUS:   Cisco AVpair       [1]   22  "profile-name=Unknown"
    Dec 16 08:34:09.859: RADIUS(0000025F): Received from id 1645/198
    Dec 16 08:34:09.859: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
    Dec 16 08:34:09.859: %MAB-5-SUCCESS: Authentication successful for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000011E3329AE1E
    Dec 16 08:34:09.863: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000011E3329AE1E
    Dec 16 08:34:09.894: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    Dec 16 08:34:09.894: RADIUS(00000000): Config NAS IP: 0.0.0.0
    Dec 16 08:34:09.898: RADIUS(00000000): sending
    Dec 16 08:34:09.957: RADIUS/ENCODE: Best Local IP-Address 10.10.81.10 for Radius-Server 10.1.30.11
    Dec 16 08:34:09.957: RADIUS(00000000): Sending a IPv4 Radius Packet
    Dec 16 08:34:09.957: RADIUS(00000000): Send Access-Request to 10.1.30.11:1812 id 1645/199,len 147
    Dec 16 08:34:09.957: RADIUS:  authenticator 1B D7 D2 13 EF 69 36 E2 - 87 4D A9 69 2A F7 29 4D
    Dec 16 08:34:09.957: RADIUS:  NAS-IP-Address      [4]   6   10.10.81.10              
    Dec 16 08:34:09.957: RADIUS:  User-Name           [1]   41  "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-537cb1d6"
    Dec 16 08:34:09.957: RADIUS:  Vendor, Cisco       [26]  32 
    Dec 16 08:34:09.957: RADIUS:   Cisco AVpair       [1]   26  "aaa:service=ip_admission"
    Dec 16 08:34:09.961: RADIUS:  Vendor, Cisco       [26]  30 
    Dec 16 08:34:09.961: RADIUS:   Cisco AVpair       [1]   24  "aaa:event=acl-download"
    Dec 16 08:34:09.961: RADIUS:  Message-Authenticato[80]  18 
    Dec 16 08:34:09.961: RADIUS:   E7 15 BB FB 7B 5B 1A C4 50 FC E7 0E 10 AC 22 36             [ {[P"6]
    Dec 16 08:34:09.961: RADIUS(00000000): Started 5 sec timeout
    Dec 16 08:34:09.968: RADIUS: Received from id 1645/199 10.1.30.11:1812, Access-Accept, len 209
    Dec 16 08:34:09.968: RADIUS:  authenticator FA 03 DD C1 D2 87 6B 58 - 99 65 EE 96 FF D5 76 FD
    Dec 16 08:34:09.968: RADIUS:  User-Name           [1]   41  "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-537cb1d6"
    Dec 16 08:34:09.968: RADIUS:  State               [24]  40 
    Dec 16 08:34:09.968: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
    Dec 16 08:34:09.971: RADIUS:   30 31 31 65 30 62 30 30 30 30 30 30 37 38 35 34  [011e0b0000007854]
    Dec 16 08:34:09.971: RADIUS:   38 46 45 45 38 31            [ 8FEE81]
    Dec 16 08:34:09.971: RADIUS:  Class               [25]  54 
    Dec 16 08:34:09.971: RADIUS:   43 41 43 53 3A 30 61 30 31 31 65 30 62 30 30 30  [CACS:0a011e0b000]
    Dec 16 08:34:09.971: RADIUS:   30 30 30 37 38 35 34 38 46 45 45 38 31 3A 6D 65  [00078548FEE81:me]
    Dec 16 08:34:09.971: RADIUS:   67 61 74 72 6F 6E 2F 32 30 37 35 39 38 39 38 34  [gatron/207598984]
    Dec 16 08:34:09.971: RADIUS:   2F 34 31 31              [ /411]
    Dec 16 08:34:09.971: RADIUS:  Message-Authenticato[80]  18 
    Dec 16 08:34:09.971: RADIUS:   A4 02 84 1E 1A 97 E9 E9 DE 46 93 D6 30 C4 52 99               [ F0R]
    Dec 16 08:34:09.971: RADIUS:  Vendor, Cisco       [26]  36 
    Dec 16 08:34:09.971: RADIUS:   Cisco AVpair       [1]   30  "ip:inacl#1=permit ip any any"
    Dec 16 08:34:09.971: RADIUS(00000000): Received from id 1645/199
    Dec 16 08:34:10.069: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000011E3329AE1E
    Dec 16 08:34:10.069: RADIUS/ENCODE(0000025F):Orig. component type = Dot1X
    Dec 16 08:34:10.069: RADIUS(0000025F): Config NAS IP: 0.0.0.0
    Dec 16 08:34:10.069: RADIUS(0000025F): Config NAS IPv6: ::
    Dec 16 08:34:10.073: RADIUS(0000025F): sending
    Dec 16 08:34:10.073: RADIUS/ENCODE: Best Local IP-Address 10.10.81.10 for Radius-Server 10.1.30.11
    Dec 16 08:34:10.073: RADIUS(0000025F): Sending a IPv4 Radius Packet
    Dec 16 08:34:10.073: RADIUS(0000025F): Send Accounting-Request to 10.1.30.11:1813 id 1646/240,len 423
    Dec 16 08:34:10.073: RADIUS:  authenticator 6C 75 45 C7 B7 66 2F 4D - 04 01 C6 CE A5 16 68 9B
    Dec 16 08:34:10.073: RADIUS:  Acct-Session-Id     [44]  10  "00000255"
    Dec 16 08:34:10.073: RADIUS:  Calling-Station-Id  [31]  19  "00-80-9F-C8-A9-EB"
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  49 
    Dec 16 08:34:10.073: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A0A510A0000011E3329AE1E"
    Dec 16 08:34:10.073: RADIUS:  Framed-IP-Address   [8]   6   10.10.78.250             
    Dec 16 08:34:10.073: RADIUS:  User-Name           [1]   14  "00809fc8a9eb"
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  32 
    Dec 16 08:34:10.073: RADIUS:   Cisco AVpair       [1]   26  "connect-progress=Call Up"
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  21 
    Dec 16 08:34:10.073: RADIUS:   Cisco AVpair       [1]   15  "lldp-tlv=    "
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  25 
    Dec 16 08:34:10.073: RADIUS:   Cisco AVpair       [1]   19  "lldp-tlv=        "
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  23 
    Dec 16 08:34:10.073: RADIUS:   Cisco AVpair       [1]   17  "lldp-tlv=      "
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  28 
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  28 
    Dec 16 08:34:10.073: RADIUS:  Tunnel-Packets-Lost [86]  101 1852075890               
    Dec 16 08:34:10.076: RADIUS:  Nas-Identifier      [32]  32  "             
    Dec 16 08:34:10"
    Dec 16 08:34:10.076: data_left 15
    2960-09#
    Dec 16 08:34:10.076: RADIUS(0000025F): Started 5 sec timeout
    Dec 16 08:34:10.090: RADIUS: Received from id 1646/240 10.1.30.11:1813, Accounting-response, len 20
    Dec 16 08:34:10.090: RADIUS:  authenticator 91 9F CE 71 1C 4B 45 93 - 49 86 52 C8 C3 44 40 B8
    2960-09#
    Dec 16 08:34:11.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to up
    Dec 16 08:34:12.485: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/11, changed state to up
    2960-09#sh auth
    2960-09#sh authentication ses
    2960-09#sh authentication sessions int gi
    2960-09#sh authentication sessions int gigabitEthernet 1/ /0/11
                Interface:  GigabitEthernet1/0/11
              MAC Address:  0080.9fc8.a9eb
               IP Address:  10.10.78.250
                User-Name:  00809fc8a9eb
                   Status:  Authz Success
                   Domain:  VOICE
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A510A0000011E3329AE1E
          Acct Session ID:  0x00000255
                   Handle:  0x3600011F
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
    2960-09#
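As an added example (not code from the post above), a small Python script that parses a `show authentication sessions interface` block like the one quoted and reports what a security reviewer would check: whether the session is authorized, which method authorized it, which domain it landed in, and whether a permit-all dACL was pushed to a session that MAB alone authorized. The `SAMPLE` text is constructed from the fields in the post.

```python
# Added example (not from the thread): parse a 'show authentication sessions
# interface ...' block and audit it. SAMPLE is constructed from the quoted post.
import re

SAMPLE = """\
            Interface:  GigabitEthernet1/0/11
          MAC Address:  0080.9fc8.a9eb
           IP Address:  10.10.78.250
            User-Name:  00809fc8a9eb
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-auth
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*[A-Za-z]):\s+(\S.*?)\s*$")
METHOD_RE = re.compile(r"^\s*(mab|dot1x|webauth)\s+(\S.*?)\s*$")


def parse_session(text):
    """Return the session's fields as a dict; per-method states go under 'methods'."""
    session = {"methods": {}}
    for line in text.splitlines():
        m = METHOD_RE.match(line)
        if m:
            session["methods"][m.group(1)] = m.group(2)
            continue
        f = FIELD_RE.match(line)
        if f:
            session[f.group(1)] = f.group(2)
    return session


def audit_session(session):
    """Findings a reviewer would raise: MAB proves only a MAC address, so it should get narrow authorization."""
    findings = []
    methods = session["methods"]
    mab_only = (methods.get("mab", "").startswith("Authc Success")
                and methods.get("dot1x") != "Authc Success")
    if session.get("Status") != "Authz Success":
        findings.append("session is not authorized")
    if mab_only and session.get("Domain") != "VOICE":
        findings.append("MAB-only endpoint outside the VOICE domain: confirm it is a known asset")
    if mab_only and "PERMIT_ALL" in session.get("ACS ACL", "").upper():
        findings.append("permit-all dACL pushed to a MAB-only session: scope it to voice traffic")
    return findings
```

Run `audit_session(parse_session(SAMPLE))` against your own `show authentication sessions` output to spot phones or other MAB-only devices that received broader access than intended.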

  • Scale 802.1X ACS in High Security Mode, any ideas?

    Scenario
    Platform ACS V 5.1.0.44
    Switch 4510R with 8 48 port modules (384 ports)
    802.1x authentication of the ports in High Security Mode (VLAN assignments required)
    Authentication Method Cert based eap-tls to machine
    we currently have 4 Data Vlans that users and assets drop into on this switch
    How do I scale this, as I can't differentiate the cert to distribute the users across the 4 VLANs in ACS?
    I think I can use unique Identity groups for the MAB of assets, but the users have me really scratching my head.

    Looks like a switching group has been looking at this as a possible answer for the stack switches, but I can't configure VLAN groups on 4510s,
    and there's no config guide on how to apply it in ACS 5.1 (use attribute 81 like we do for VLAN assignment?).
    12.2(52)SE (3750-E, 3560-E):
    IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to improve scalability of the network by load balancing users across different VLANs. Authorized users are assigned to the least populated VLAN in the group, assigned by RADIUS server.
    But then you get bitten even when using VLAN assignments on large stacks:
    • When IEEE 802.1x authentication with VLAN assignment is enabled, a CPUHOG message might appear if the switch is authenticating supplicants in a switch stack.
    The workaround is not to use the VLAN assignment option. (CSCse22791)

  • Cisco 2960S FPS-L PoE switch with Avaya 9811g VOIP setup

    Hello,
    I am connecting a setup for data/voice, connecting a Catalyst 2960S-FPS-L PoE switch with an Avaya 9811g series VOIP phone. As per my knowledge, a Cisco switch works well with a Cisco phone as it has some built-in "Macros" and intelligent PoE recognition: when we connect a device, it gets the details of the other device through CDP. I understand I have to create data and voice VLANs with QoS, then enable trunking on the interface to the other switch, which is also a 2960. A little confused whether there are any compatibility issues between the switch and the Avaya phone regarding protocol/data/voice...?
    Do I have to do PoE config for each port on each interface?
    Any help or detailed config will help.
    Thanks in advance.

    Hi, I am back after good research. I created two VLANs, data and voice, with a trunk on interface 1/0/48; config given below..
    Connection between the 2960S FPS switch and an Avaya 9611g IP Phone.
    LLDP/CDP is enabled on the switch.
    So I created this config; if someone can take a look,
    expert advice if something is wrong?..
    I am only concerned with voice and PoE, as voice is my priority. Do I have to map something for voice quality?
    Also, if I create another trunk port, one allowing voice and the other allowing data, and both cables go to the switch, will that be an issue?
    interface....
    switchport access vlan x
    switchport mode access
    switchport nonegotiate
    switchport voice vlan xx
    srr-queue bandwidth share 10 10 60 20
    queue-set 2
    priority-queue out
    mls qos trust cos
    auto qos voip trust
    spanning-tree portfast
    interface ........
    switchport trunk allowed vlan x,x
    switchport mode trunk
    switchport nonegotiate
    srr-queue bandwidth share 10 10 60 20
    queue-set 2
    priority-queue out
    mls qos trust cos
    auto qos voip trust

  • Avaya Phone connected to Cisco 3560

    Hi guys,
    I need help on the configuration of a port which is connected to an Avaya phone. The data VLAN is 10 and the voice VLAN is 20.
    How will the configuration look?
    Does the port need to be configured as a trunk?
    Regards,
    Amit

    Hi Amit,
    I have not worked with Avaya IP Phones, but here are 3 threads with good switchport configs:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Unified%20Communications%20and%20Video&topic=Video%20over%20IP&CommCmd=MB?cmd=pass_through&location=outline@^1@@.1dd98f89/0#selected_message
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Unified%20Communications%20and%20Video&topic=IP%20Telephony&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dde4d71
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Unified%20Communications%20and%20Video&topic=IP%20Telephony&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddfa2e7/1#selected_message
    Hope this helps!
    Rob
