topic I have run into this issue in Network Access Control

MAB/802.1x and Alkatel IP Phones

Gaj Ana — Mon, 11 Mar 2019 04:37:44 GMT

Hi All

We have a distributed deployment where Alkatel ip-touch phones are authentictaed via MAB. Alkatel ip touch phones has 802.1x enabled by default and the phone tries eapol first and then switch authenticates via MAB which is fine. Once authenticated its working as expected. The issue is the phone keeps on periodic retry after x amount of minutes for 802.1x again which triggers the phone to reboot again and goes via the whole process. This interupts the voice. We could disable 802.1x but its per phone basis. Has anyone came across this issue and found a way to diable globally via the call manager etcc. or any workarounf from ISE/switch side?

Thanks

I have run into this issue

Tarik Admani — Fri, 11 Apr 2014 16:59:07 GMT

I have run into this issue before, there is a command on the switch port so that if authentication fails to use the next-method. Can you post the output of your port settings and the version and type of switch you are using?

Thanks

Tarik

Hi Tarik, Thanks for the

Gaj Ana — Sat, 12 Apr 2014 06:07:39 GMT

Hi Tarik,

Thanks for the reply, please find below the switch port config lines, its a 370x switch, IPbase and universalon 15.2-1.E1 image

Note- Since the 8021x is enabled by default the phone initially tries 802.1x and after failing , the switch goes to the next auth method which is MAB which is successful. The issue is the phone again initiales a 802.1x packet after some time and the whole process starts again and because 8021x is failed the phone reboots again. I think this is the way this type of phone work and we cannot do much unless disable 802.1x or install the Alkatel CA certs in the ISE cert store?

Interface gi x/y

switchport access vlan xx

switchport mode access
switchport voice vlan yy

ip access-group ACL_ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan xx

authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto

authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

I have a couple of questions

Tarik Admani — Sat, 12 Apr 2014 07:06:59 GMT

I have a couple of questions regarding the behavior of the phone.

In most cases endpoints will not prompt re-authentication (computing devices are an exception), unless a timer on the switchport or a link event prompts re-authentication which you can start by running a show authentication sessions interface xxx details.

If the phones are performing eap-tls then your best option would be to use that feature as opposed on relying on strictly profiling.

thanks,

Hi Tarik,The dot1x debugs in

Gaj Ana — Sun, 13 Apr 2014 05:34:44 GMT

Hi Tarik,

The dot1x debugs in switch showed after certain time switch receives a reauth packet "Apr 8 04:40:24.194: dot1x-packet:[xxxx.yyyy.zzzz, Gi1/0/1] queuing an EAPOL pkt on Auth Q" from the endpoint and the whole process starts again. The endpoint reboots itself once it sees a 8021x failure. "Show auth sess int x/y details" shows MAB as the successfull auth method until the re-request for 802x comes from the endpoint.

Regarding the timers as mentioned in the switch port config above , the port rely on the radius server (ie ISE) "authentication timer reauthenticate server" for the reauth timer and I assume this will be the session time when the device initially connects.

Regs

Hi, May i ask what alcatel

christoulakis — Mon, 21 Apr 2014 19:41:32 GMT

Hi,

May i ask what alcatel model do you have, because i'm facing a similar problem with them you can see my posts on the forum

regards

HiThese are ip touch 4068,

Gaj Ana — Tue, 22 Apr 2014 01:17:34 GMT

These are ip touch 4068, 4028 phones. I tried testing with Alkatel Enterprise root CA and manufacturing certs installed in ISE cert store but still "unknown CA error" showed up. Further Wire-shark capture for dot1x showed in "client hello" the certs presented by the phones are signed by a issuer "Wired Phones". Trying to get this and test it again.

Regs

For my understanding the

christoulakis — Tue, 22 Apr 2014 19:38:07 GMT

For my understanding the phone works fine via MAB, the problem appears with dot1x, right?

Have you tried to tested except EAP/TLS with the next and only available option EAP/MD5 and see if you will face a similar behavior? that will be interesting test.

I have come to a venturous conclusion that some devices mostly Printers and IP phones if they do not find ISE they blocked and cannot talk with anything else, as a result they continuously reboot. In contrast PCs/ workstations if failed they can Login despite the failed messages that will apearead on your ISE console.

Probably our cases have many similarities and are quiet difficult to analyzed, even from the experts 🙂

regards

T.C

yeh MAB works fine. I did not

Gaj Ana — Wed, 23 Apr 2014 13:06:15 GMT

yeh MAB works fine. I did not test MD5, for 8021x and MD5 the phone presents default user ALCIPT and i assume default password is "password" ???

The issue is since most phones are being deployed its hard to disable 8021x or activate MD5 on per phone basis, at the same time 8021x cannot be disable globally from the PBX manager. Therefore I'm trying with the default Alkatel certs.

if you goto the Alktel business portal, there are links to download the enterprise and Intermediate and and manufacturing certs but "Wired Phones" Intermediate cert is missing from the link 😞

Regs

Hi,I have the same issue. Did

mvolk — Fri, 30 Jan 2015 09:00:10 GMT

Hi,

I have the same issue. Did you have become it funktional with 802.1x an did you have become the right certificate for "Wired Phones"?

Regs and thanks for a reply

Marc

Hi Marc Yes, we got it

Gaj Ana — Sat, 31 Jan 2015 11:54:59 GMT

Hi Marc

Yes, we got it working. The certificates from the Alkatel business portal doesn't work as these are not the correct CA's signed the certificate of the phone. You have to obtain the correct CA "Wired Phones" from your Alkatel local vendor. You can also verify the CA by accessing the phone setup menu or by looking at the initial TLS hand-shake using wire-shark.

Please note- by using the default Alkatel certs it will be a one way TLS (ie server authenticates client). We only tested with 4028,4038,4068 ip-touch phones.

Hope this helps

Kind regards

HI G,thanks for your response

mvolk — Mon, 09 Feb 2015 17:55:10 GMT

HI G,

thanks for your response. Now I have received the wired phone certificate.

Which configuration on ISE I must exclict make to auth the phone now via the one way TLS?

Kind regards

Marc

Hi MarcGreat that you have

Gaj Ana — Tue, 10 Feb 2015 17:21:40 GMT

Hi Marc

Great that you have the certs.

ISE doesn't know about one way tls. In this scenario (one way tls) ise only authenticates the client. First import the wired phone cert in-to ise cert store and trust for tls.(tick check box). Create a certificate authentication profile (CAP) (with subject name as the attribute) to be used as the identity store in authentication policy. Create a identity source sequence with local and the above CAP as identity stores. The local identity store is required as these phones will first authenticate via MAB during initial boot and once 802.1x process starts they will re-authenticate via CAP. Then create a authentication policy with the above identity source sequence. This has to be after the MAB rule. Then create appropriate authorization policy.example you can use custom profiling conditions (if alkatel profiles are not available in ise) to profile and authorize the phone or some other means.

Hope this helps

regards

Hi G,so long time ago, but

mvolk — Wed, 15 Apr 2015 07:51:17 GMT

Hi G,

so long time ago, but now I had implemeted the solution for the alcatel phones and it works good.

I would be say now thans for your help!

regards

Marc

Re: Hi G,so long time ago, but

Erik Ingeberg — Thu, 02 Nov 2017 08:37:24 GMT

Hi, sorry to revive this old thread, but I have the same problem.

Is there any chance you could share the "Wired Phones" certificate if you managed to get hold of it?

Re: Hi G,so long time ago, but

STEVE ROWING — Thu, 28 Dec 2017 17:53:25 GMT

I also really need this certificate for the exact reasons outlined here. Can anybody tell me where i can get a hold of it?

My vendor is clueless and unable to supply it,

Thanks

Re: Hi G,so long time ago, but

Octavian Szolga — Fri, 14 Sep 2018 13:01:21 GMT

Hi,

Can somebody please share the "Wired Phones" CA cert?

Thanks,
Octavian

Re: Hi Marc Yes, we got it

Octavian Szolga — Sat, 15 Sep 2018 08:19:00 GMT

Re: Hi G,so long time ago, but

peter.matuska1 — Wed, 29 Mar 2023 08:04:47 GMT

did you get the certificate?

Re: MAB/802.1x and Alkatel IP Phones

Octavian Szolga — Wed, 29 Mar 2023 08:33:40 GMT

Hi,

Yes I did. Back then I exported the "Wired Phones" CA cert fom wireshark.

I don't have 'Alcatel Enterprise Solution' root CA though.

BR,

Octavian