802.1X Switch port is amber when only IP Phone is connected
Written by Stefan on . Modified on . Posted in Blog. Tags: #cisco #network #security
During my lab for Cisco 802.1X wired network authentication, I realized that a switch port LED on my 3750G is amber when only a Cisco IP Phone is connected. The IP Phone does (for now) simple MAB (MAC Authentication Bypass); the downstream device (laptop) does dot1x authentication.
I started with some basic 802.1X configuration on the Cisco switch to figure out how dot1x and MAB behave in a typical office scenario, where IP Phones with downstream clients (laptops) are connected to a switch port. My configuration looks like this:
interface Gi1/0/2
 !---other-config---
 switchport access vlan [nnn]
 switchport mode access
 switchport voice vlan [nnn]
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
2. The problem: User removes laptop
Typically a user removes the laptop connected to the IP Phone's Gigabit Ethernet port, goes somewhere else and - boom - the LED is amber, which indicates some type of network issue on this port. However, the IP Phone is authenticated with MAB and works perfectly.
The show authentication session interface gi1/0/2 command displays that everything looks fine. But of course, as a network engineer, I want to see only green LEDs on the switches so I know that everything is working fine ;) This is the output of the show authentication session command:
Interface: GigabitEthernet1/0/2
MAC Address: nnnn.nnnn.nnnn
IP Address: n.n.n.n
User-Name: nnnnnnnn
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: nnnnnnnnnnnnnnnnnnn
Acct Session ID: nnnnnnnnnnn
Handle: nnnnnnnn

Runnable methods list:
Method  State
dot1x   Failed over
mab     Authc Success
3. The solution: authentication control-direction in
I stumbled upon this excellent article, CiscoZine: 802.1X Deployment Guide: Interface configuration, where authentication control-direction in is set on the interface. This line is typically used for Wake-on-LAN. From Cisco's 802.1X documentation:
both: sets the port as bidirectional, which means the port cannot receive packets from or send packets to the host (this is the default)
in: sets the port as unidirectional, which means the port can send packets to the host but cannot receive packets from the host
At the moment (it's too late anyway) I have no idea why this setting for WoL is impacting the LED on the switch port in relation to 802.1X and an IP phone without a downstream client. But it does the trick ;)
My switch port configuration now looks like this:
interface Gi1/0/2
 !---other-config---
 switchport access vlan [nnn]
 switchport mode access
 switchport voice vlan [nnn]
 !
 ! The magic line
 !
 authentication control-direction in
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
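As an added example (not code from this post or from Cisco), a small Python audit that parses IOS interface stanzas like the one above and reports voice-VLAN ports with 802.1X enforcement that are missing the magic line, while also flagging every port where control-direction in is set, since that setting opens egress to the host before it authenticates. The interface names and VLAN id in the sample config are constructed.

```python
import re
# Constructed sample running-config modelled on this post's stanza (placeholder VLAN id)
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 switchport voice vlan 20
 authentication control-direction in
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport voice vlan 20
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

def parse_interfaces(config):
    # Split an IOS running-config into {interface name: [sub-commands]}
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line closes the stanza
    return stanzas

def audit_dot1x_ports(config):
    # Per interface, list findings about the 802.1X phone-port settings
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        enforcing = {"dot1x pae authenticator", "authentication port-control auto"} <= set(cmds)
        voice = any(c.startswith("switchport voice vlan") for c in cmds)
        dir_in = "authentication control-direction in" in cmds
        notes = []
        if enforcing and voice and not dir_in:
            notes.append("phone port lacks 'authentication control-direction in'")
        if dir_in:
            # Caveat: 'in' opens egress to the host before it authenticates (the
            # Wake-on-LAN use case), so apply it only where that is acceptable.
            notes.append("egress to unauthenticated hosts allowed (control-direction in)")
        findings[name] = notes
    return findings
```

Feed it the output of show running-config from a real switch to get the same two findings per interface.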
Perhaps this is helpful to others encountering the same issue.