802.1X Switch port is amber when only IP Phone is connected

Table of contents

  1. 802.1X labing
  2. The problem: User removes laptop
  3. The solution: authentication control-direction in

802.1X labing

During my lab for Cisco 802.1X wired network authentication, I realized that a switch port LED on my 3750G is amber when only a Cisco IP Phone is connected. The IP Phone does (for now) a simple mab (MAC Authentication Bypass), the downstream device (laptop) does dot1x authentication.

802.1X LED amber with IP Phone only, but phone works

I started with some basic 802.1X configuration on the Cisco switch to figure out how dot1x and mab is behaving in a typical office scenario where IP Phones with downstream clients (laptops) are connected to a switch port. My configuration looks like this:


    interface Gi1/0/2
      !---other-config---
      switchport access vlan [nnn]
      switchport mode access
      switchport voice vlan [nnn]
      authentication host-mode multi-auth
      authentication order dot1x mab
      authentication priority dot1x mab
      authentication port-control auto
      mab
      dot1x pae authenticator
      spanning-tree portfast

The problem: User removes laptop

Typically a user removes the laptop connected to the IP Phone’s Gigabit Ethernet port, goes somewhere else and - boom - the LED is amber which indicates some type of network issue on this port. However the IP Phone is authenticated with mab and works perfectly.

The show authentication session interface gi1/0/2 command displays that everything looks fine. But of course as network engineer I want to have only greenLED on the switches to see that everything is working fine ;) This is the output of the show authentication session command:


    Interface:  GigabitEthernet1/0/2
    MAC Address:  nnnn.nnnn.nnnn
    IP Address:  n.n.n.n
    User-Name:  nnnnnnnn
    Status:  Authz Success
    Domain:  VOICE
    Security Policy:  Should Secure
    Security Status:  Unsecure
    Oper host mode:  multi-auth
    Oper control dir:  both
    Authorized By:  Authentication Server
    Vlan Policy:  N/A
    Session timeout:  N/A
    Idle timeout:  N/A
    Common Session ID:  nnnnnnnnnnnnnnnnnnn
    Acct Session ID:  nnnnnnnnnnn
    Handle:  nnnnnnnn

    Runnable methods list:
    Method   State
    dot1x    Failed over
    mab      Authc Success

The solution: authentication control-direction in

I stumbled upon this excellent article CiscoZine: 802.1X Deployment Guide: Interface configuration where authentication control-direction in is set on the interface. This line is typically used for Wake-On-LAN. From Cisco’s 802.1X documentation:

  • both sets the port as bidirectional which means the port cannot receive packets from or send packets to the host (This is the default)

  • in sets the port as unidirectional which means the port can send packets to host but cannot receive packets from the host

At the moment (it’s anyway too late) I have no idea why this setting for WOL is impacting the LED on the switch port in relation to 802.1X and IP phone without downstream client. But it does the trick ;)

My switch port configuration now looks like this:


    interface Gi1/0/2
      !---other-config---
      switchport access vlan [nnn]
      switchport mode access
      switchport voice vlan [nnn
      !
      ! The magic line
      !
      authentication control-direction in
      authentication host-mode multi-auth
      authentication order dot1x mab
      authentication priority dot1x mab
      authentication port-control auto
      mab
      dot1x pae authenticator
      spanning-tree portfast

802.1X LED green with IP Phone only after auth control-dir in

Eventually this might be helpful when encountering the same issue.