Contributor

IP Phone And MAB\802.1x Scenario

We have some IP phones that have 802.1x enabled by default. We are deploying 802.1x and planned on using MAB for the phones. Is there a way to configure the switch to only complete MAB for the phone? We do not want to have to turn 802.1x off on the phone. When the phone boots up currently, it is displaying an 802.1x authentication screen.

Any thoughts?

8 Replies
Cisco Employee

Re: IP Phone And MAB\802.1x Scenario

Have you looked at the wired guide under http://cs.co/ise-guides? It lists the commands for the port. Disable dot1x on that port.

Cisco ISE Secure Wired Access Prescriptive Deployment Guide
Contributor

Re: IP Phone And MAB\802.1x Scenario

We could also have computers behind the phone that need to run 802.1x.

Cisco Employee

Re: IP Phone And MAB\802.1x Scenario

Then there is nothing to assist you. Dot1x either runs on the port or it doesn’t.
Cisco Employee

Re: IP Phone And MAB\802.1x Scenario

Hello Alex,

A couple of options:

1. CUCM has an option (individual or bulk) to disable dot1x on the phone. Refer to Step 22 in the ISE Authorization Policy for MIC Authentication section.
2. The switch by default does dot1x first and then falls back to MAB.
    1. Adjust the default timers for dot1x, so dot1x times out and falls back to MAB.
    2. With IBNS 1.0 type configurations, change the authentication order to MAB, dot1x if you are OK with the order of processing.
    3. With an IBNS 2.0 policy, do MAB first so phones get authenticated without any delay and the PCs behind them get dot1x authenticated, matching the 2nd policy below:

    event session-started match-all
        10 class always do-until-failure
            10 authenticate using MAB priority 10
    ......
    event agent-found match-all
        10 class always do-until-failure
            10 terminate mab
            20 authenticate using dot1x priority 10

 

Contributor

Re: IP Phone And MAB\802.1x Scenario

What would be the best setting to change the timers so that 802.1x times out?

Cisco Employee

Re: IP Phone And MAB\802.1x Scenario

Hi Alex,

Recommended below for a normal deployment (21 sec):

dot1x timeout tx-period 7
dot1x max-reauth-req 3

You could try the following; refer to the IP Telephony for 802.1X Design Guide link below:

dot1x timeout tx-period 3
dot1x max-reauth-req 3

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#pgfId-389992
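
Pulling the IBNS 2.0 option and the timer recommendation from the two replies above together, here is a complete switch configuration that runs MAB first for every session and moves a session to dot1x only when a supplicant actually answers, so the phone is never held up by an 802.1x timeout while a PC behind it still gets dot1x. This is an added example, not configuration from any reply in the thread; the policy-map, class-map, interface and VLAN names are assumptions, and the policy follows the structure of the 2nd policy quoted earlier.

```text
! Added example (not from any reply in this thread). Names such as
! PMAP_MAB_FIRST, MAB_FAILED and the interface/VLAN numbers are assumptions.
!
! Class used to detect "MAB was tried and ISE rejected the MAC"
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
policy-map type control subscriber PMAP_MAB_FIRST
 ! Run MAB as soon as the session starts: the phone is authorized from
 ! its MAC without waiting for an 802.1x supplicant exchange to time out
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
 ! MAC unknown to ISE: stop MAB and give dot1x a chance on that session
 event authentication-failure match-first
  10 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 ! An EAPOL frame arrived (e.g. from the PC behind the phone): that
 ! session switches from MAB to dot1x; the phone's MAB session is untouched
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
!
interface GigabitEthernet1/0/1
 description phone with PC behind it (assumed port)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 ! One data session and one voice session per port
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 dot1x pae authenticator
 ! Timers recommended in the reply above (21 sec) for the dot1x attempt
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 service-policy type control subscriber PMAP_MAB_FIRST
```

Verify the result per session with show access-session interface GigabitEthernet1/0/1 details: the phone should show mab as its method and the PC dot1x.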

VIP Engager

Re: IP Phone And MAB\802.1x Scenario

Are the phones centrally managed so that you only have to push a new setting to disable dot1x on the phones?

When the phones hit ISE, do they use any default authentication such as sending a preinstalled certificate or username?
Contributor

Re: IP Phone And MAB\802.1x Scenario

We were able to turn 802.1x off on the phones with a configuration on the server. Crisis averted. Thanks to everyone who replied.