cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4099
Views
10
Helpful
8
Replies

IP Phone And MAB\802.1x Scenario

Alex Pfeil
Level 7
Level 7

We have some IP phones that have 802.1x enabled by default. We are deploying 802.1x and planned on using MAB for the phones.  Is there a way to configure the switch to only complete MAB for the phone? We do not want to have to turn 802.1x off on the phone.  When the phone boots up currently, it is displaying an 802.1x authentication screen.

 

Any thoughts?

3 Accepted Solutions

Accepted Solutions

mnagired
Cisco Employee
Cisco Employee

Hello Alex,

 

Couple of options..

 

1. CUCM has an option(individual or bulk) to disable dot1x on Phone.. Refer to Step 22 in ISE Authorization Policy for MIC Authentication section
2. Switch by default doesn't Dot1x first and then fallback to MAB..
    1. Adjust default timers for dot1x, so dot1x times out and falls back to MAB.
    2. With IBNS1.0 type configurations, change the authentication order to MAB,Dot1x if you ok with the order or processing.
    3. With IBNS 2.0 policy, do MAB first so Phones gets authenticated without any delay and PC's behind gets dot1x  

         authenticated matching 2nd policy below

    event session-started match-all
        10 class always do-until-failure
            10 authenticate using MAB priority 10
    ......
    event agent-found match-all
          10 class always do-until-failure
          10 terminate mab
          20 authenticate using dot1x priority 10

 

View solution in original post

Damien Miller
VIP Alumni
VIP Alumni
Are the phones centrally managed so that you only have to push a new setting to disable dot1x on the phones?

When the phones hit ISE, do they use any default authentication such as sending a preinstalled certificate or username?

View solution in original post

Hi Alex,

Recommended is below for normal deployment.. 21 sec

dot1x timeout tx-period 7
dot1x max-reauth-req 3

You could try, refer to IP Telephony for 802.1X Design Guide link below..

dot1x timeout tx-period 3
dot1x max-reauth-req 3

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#pgfId-389992 

View solution in original post

8 Replies 8

Jason Kunst
Cisco Employee
Cisco Employee
Have you looked at the wired guide under http://cs.co/ise-guides It lists the commands for the port. Disable dot1x on that port.

Cisco ISE Secure Wired Access Prescriptive Deployment Guide<>

We could also have computers behind the phone that need to run 802.1x.

Then there is nothing to assist you. Dot1x either runs on the port or it doesn’t.

mnagired
Cisco Employee
Cisco Employee

Hello Alex,

 

Couple of options..

 

1. CUCM has an option(individual or bulk) to disable dot1x on Phone.. Refer to Step 22 in ISE Authorization Policy for MIC Authentication section
2. Switch by default doesn't Dot1x first and then fallback to MAB..
    1. Adjust default timers for dot1x, so dot1x times out and falls back to MAB.
    2. With IBNS1.0 type configurations, change the authentication order to MAB,Dot1x if you ok with the order or processing.
    3. With IBNS 2.0 policy, do MAB first so Phones gets authenticated without any delay and PC's behind gets dot1x  

         authenticated matching 2nd policy below

    event session-started match-all
        10 class always do-until-failure
            10 authenticate using MAB priority 10
    ......
    event agent-found match-all
          10 class always do-until-failure
          10 terminate mab
          20 authenticate using dot1x priority 10

 

What would be the best setting to change the timers so that 802.1x times out?

Hi Alex,

Recommended is below for normal deployment.. 21 sec

dot1x timeout tx-period 7
dot1x max-reauth-req 3

You could try, refer to IP Telephony for 802.1X Design Guide link below..

dot1x timeout tx-period 3
dot1x max-reauth-req 3

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#pgfId-389992 

Damien Miller
VIP Alumni
VIP Alumni
Are the phones centrally managed so that you only have to push a new setting to disable dot1x on the phones?

When the phones hit ISE, do they use any default authentication such as sending a preinstalled certificate or username?

We were able to turn 802.1x off on the phones with a configuration on the server. Crisis averted. Thanks to everyone who replied.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: