802.1X Switch port is amber when only IP Phone is connected
802.1X labbing
During my lab for Cisco 802.1X wired network authentication, I realized that a switch port LED on my 3750G is amber when only a Cisco IP Phone is connected. The IP Phone does (for now) simple mab (MAC Authentication Bypass), while the downstream device (laptop) does dot1x authentication.
I started with some basic 802.1X configuration on the Cisco switch to figure out how dot1x and mab are behaving in a typical office scenario, where IP Phones with downstream clients (laptops) are connected to a switch port. My configuration looks like this:
interface Gi1/0/2
!---other-config---
switchport access vlan [nnn]
switchport mode access
switchport voice vlan [nnn]
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
The problem: User removes laptop
Typically a user unplugs the laptop from the IP Phone's Gigabit Ethernet port, goes somewhere else and - boom - the LED turns amber, which indicates some type of network issue on this port. However, the IP Phone is authenticated with mab and works perfectly.
The show authentication session interface gi1/0/2 command shows that everything looks fine. But of course, as a network engineer, I want to see only green LEDs on the switches so I know that everything is working fine ;) This is the output of the show authentication session command:
Interface: GigabitEthernet1/0/2
MAC Address: nnnn.nnnn.nnnn
IP Address: n.n.n.n
User-Name: nnnnnnnn
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: nnnnnnnnnnnnnnnnnnn
Acct Session ID: nnnnnnnnnnn
Handle: nnnnnnnn
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
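An added example (not part of the original post) that parses this kind of session output and reports which runnable method actually authorized the session, so a whole stack of ports can be checked the same way; the sample output is constructed with placeholder values modelled on the listing above.

```python
# Constructed sample modelled on the output quoted above; every value is a placeholder.
SAMPLE = """\
Interface: GigabitEthernet1/0/2
MAC Address: 0011.2233.4455
Status: Authz Success
Domain: VOICE
Oper control dir: both
Authorized By: Authentication Server
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
"""

def parse_session(text):
    """Return the 'key: value' fields plus a 'methods' dict of method -> state."""
    fields, methods, in_methods = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Runnable methods list"):
            in_methods = True  # the method table follows this line
        elif in_methods and line and not line.startswith("Method"):  # skip column header
            name, _, state = line.partition(" ")
            methods[name] = state.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    fields["methods"] = methods
    return fields

def authorizing_method(session):
    """Name of the method in 'Authc Success' state, or None if nothing succeeded."""
    for name, state in session["methods"].items():
        if state == "Authc Success":
            return name
    return None

def audit(session):
    """Findings a NAC reviewer would flag for this session."""
    findings = []
    if session.get("Status") != "Authz Success":
        findings.append("session is not authorized")
    if authorizing_method(session) == "mab":
        findings.append("authorized by MAB only (MAC address, not a credential)")
    if session["methods"].get("dot1x") == "Failed over":
        findings.append("dot1x failed over to the next method")
    if session.get("Domain") == "VOICE" and session.get("Oper control dir") == "both":
        findings.append("voice-only session with control-direction both")
    return findings
```

Feed it the output of one interface at a time; a port whose phone is only MAB-authorized shows up as such, which is worth knowing because a MAC address is trivially copied while a dot1x credential is not.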
The solution: authentication control-direction in
I stumbled upon the excellent article CiscoZine: 802.1X Deployment Guide: Interface configuration, in which authentication control-direction in is set on the interface. This line is typically used for Wake-On-LAN. From Cisco's 802.1X documentation:
both sets the port as bidirectional which means the port cannot receive packets from or send packets to the host (This is the default)
in sets the port as unidirectional which means the port can send packets to host but cannot receive packets from the host
At the moment (it's too late anyway) I have no idea why this setting for WOL is impacting the LED on the switch port in relation to 802.1X and an IP phone without a downstream client. But it does the trick ;)
My switch port configuration now looks like this:
interface Gi1/0/2
!---other-config---
switchport access vlan [nnn]
switchport mode access
switchport voice vlan [nnn]
!
! The magic line
!
authentication control-direction in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
Maybe this is helpful to someone encountering the same issue.