10-07-2006 04:14 AM - edited 03-10-2019 02:46 PM
hi,
I have set up 802.1x with MS IAS. All seems to work fine when I am using a plain PC connection to the switch, but the moment an IP phone is involved I start facing issues.
I am using a Cisco 3750 switch with version 12.2(25)SEB4.
The DHCP server is on Windows, which is on a different network, i.e. 10.50.1.9.
The DHCP relay agent is defined on the firewall subinterfaces.
All works when the phone is not involved. BTW, I am using a Nortel IP phone.
When the phone is plugged in and the cable goes through the phone, I provide the user name and credentials, and when I run "show vlan" on the switch I can see I am part of the correct VLAN, but I do not get an IP address.
This is the error I get on the switch when I ran "debug radius":
Please find two attachments of the debug dot1x events and radius output.
Please help.
Regards
AI
10-07-2006 05:38 AM
This topology will not work on a port configured for 802.1X. The Nortel phone has no way to access the network. Also, is the Nortel phone bridging the 1X control traffic to/from the switch/client anyway?
10-07-2006 09:56 PM
Hi,
Yes, the phone is bridging the traffic. Can you explain technically why this will not work?
10-08-2006 06:06 AM
The phone won't work b/c it doesn't have a 1x supplicant.
The PC "should work" if the phone is passing EAPOL to the switch.
Although remember the MAC of the PC is locked into the switchport. Typically, part of the security provided by 802.1x is based on the assumption that the switch port is not connected to a hub-based shared Ethernet segment. If not, an unauthenticated hub/switch could be used to gain access for other unauthorized systems. So, by default, a switchport running 802.1x is able to deny access to any such "piggybacked" ports (or for any other machines on the wire). And remember what happens if the authenticated PC unplugs from the phone. Does the phone inform the network of this to tear down the active security session?
Hope this helps,
10-09-2006 09:34 AM
Hmmm, I have tested this in a lab and it works fine.... with a big caveat that makes it almost not worth doing.
To get it to work, make sure that IAS allows EAP-MD5 as an authentication method, as that is the only method the IP phone supports. Also, the switch port needs to use 802.1x multi-host mode since the port will see more than one MAC address (the IP phone plus the PC).
Let me know exactly which Nortel IP phone you have and I can tell you how to get it working.
Now for the caveat: The 802.1x spec does not in any way, shape, or form address what to do when multiple devices try to access an 802.1x-controlled port. What this means is that once the Nortel IP phone (and the 200x series phones do have a supplicant) authenticates a port, the port is active and ANYTHING plugged into the phone's PC port will work. Now if the PC has 802.1x enabled it may try to reauthenticate the port, and if it fails the port may be unauthenticated, but there is no way to force a device plugged into the IP phone's PC port to use 802.1x. What this means is that without using port security or some other administratively intense means, any IP phone data port can be used by anybody using any device to access the network once the IP phone authenticates the port.
If the whole point of 802.1x is to secure your ports in a relatively administratively easy way, throwing a Nortel IP phone into the mix sinks that faster than the Edmund Fitzgerald.
PS: Someone PLEASE tell me I am wrong about the IP phone's PC port. I really need to get this working myself.
10-09-2006 10:35 PM
The phone model is below:
Nortel IP Phone 2004
Model: NTDU92
10-10-2006 03:37 AM
1) Make sure IAS allows EAP-MD5 as an authentication method (I am using ACS so I can't help you much there)
2) Make sure there is an account in AD for whatever user/password combo you have the phone trying to authenticate with. If possible, use GPOs/user rights to NOT allow this user to log in.
3) Run "dot1x host-mode multi-host" on the access port. This will allow the port to see multiple MACs on the port and not shut down. As already stated, this really hoses 802.1x, since as soon as a phone authenticates the port is active and any device can use the PC port on the phone. See my other post for more information on how Cisco is looking at fixing this.
Let me know if that helps.
10-10-2006 01:03 PM
Remember if you plug in a phone running 1X to a 1X port, and it works, AND you also have multi-host mode enabled, then any PC that plugs into the phone will be granted access ("for free") implicitly.
Would recommend discussing roadmap items with your account team.
Hope this helps,
10-09-2006 11:23 AM
Ah, I didn't know you had a phone with a 1X supplicant on it ;-).
If so, this is the only available (non-default) option available today on the switch you're testing with. See my last reply on how it works by default. With multi-host mode though, 802.1X is used to "enable the port" only, with no other restrictions being placed on it. An analogy would be walking into a building with a valid badge, but leaving the door propped open behind you.
The rest of your comments WRT the 1X-spec, the security implications of the current multi-host mode, etc. are pretty well-founded.
From a spec perspective, it's similar to evaluating 802.1X in a wireless LAN WITHOUT the use of encryption. Mind you, there are potentially only 2 devices on the wire here instead of 200, so the threat model is different, and so may be your risk assessment, but the technology use is about the same today.
Hope this helps,
10-10-2006 03:22 AM
I found a link to an "Ask the Expert" post that addresses these issues.
Basically, this fall Cisco is going to release a feature on their switches that will allow multiple authentications per port per VLAN. I presume that what they are doing is requiring each MAC address to acquire a separate authentication. This will solve most or all of the problems associated with 802.1x with VoIP. They also mention that Cisco IP phones above the 7960 will get an 802.1x supplicant late this year or early next year.
-
Posted by: ksilva - CCIE - Sep 8, 2006, 8:31pm PST
When might we see 802.1x(Port Based Network Access Control) capabilities rolled out to the standard 79XX phones, or is this something not on the roadmap at this time?
-------------------------------------------
Posted by: tsherman - CISCO SYSTEMS - Sep 8, 2006, 9:07pm PST
You will see 802.1x on the phones this late 4th qtr or early 1st qtr next year. The 802.1x supplicant will only be phones above the 7960. The firmware load for the phones is planned to be 8.3.1. A design guide to deploy the phones is planned to be released as the same time as the supplicant.
------------------------------------------
Posted by: kleo - Sep 12, 2006, 8:22am PST
So does this mean that the data switch will have to support multiple authentication (multiple dot1x hosts on a port, with every host authenticated separately) on an aux/voice port? Without using CDP?
-----------------------------------------
Posted by: tsherman - CISCO SYSTEMS - Sep 12, 2006, 10:56am PST
Yes, if you are going to authenticate the phone and a PC plugged into a phone both of the devices will have to authenticate to the port per vlan. This feature is coming out on Cisco switches this fall to allow multiple authentications per port per vlan so this will be possible.
On the subject of CDP, the CDP will be allowed to pass between the phone and the switch so the phone can get the information it needs to determine which VLAN on the port is the voice VLAN. Once the phone has that information, it will attempt to authenticate into the voice vlan on the port of the switch.
06-06-2007 08:47 PM
Hello,
I have been looking at this topic and have a query similar to one Adil had: I'm planning to connect a Nortel IP phone on one of the ports enabled for 802.1x... I do not want to connect any PC behind the phone. I want the phone to work, as usual, making calls outside. As I see with the existing configurations on the switch, the Nortel IP phone connectivity is configured as a data VLAN and not the voice VLAN.. so, will this affect the working of the phone when dot1x is enabled??
Can someone clarify on this?
Raj
06-06-2007 09:28 PM
hi Raj,
Make sure you are using Cisco switch IOS version 12.2(35)SE2.
It won't be an issue if you use the phone with a voice VLAN.
Configure the port as follows:
(config-if)# switchport mode access
switchport voice vlan 6
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
spanning-tree portfast
Make sure you configure a separate policy on your RADIUS for the IP phone by creating an account for your IP phone. Add this account to a group. Create a policy on RADIUS for this IP phone group and add the Cisco-AV-pair attribute device-traffic-class=voice with vendor Cisco.
Also make sure you are using the latest firmware on the IP phone; we are using i2004 phones with 0604DAS fw as it has lots of fixes.
In this way your phone will also authenticate on RADIUS.
let me know if you need further clarification
Adil
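The host-mode distinction argued over in this thread (multi-host opens the whole port after one authentication; multi-domain gives the phone and the PC separate authentications) can be checked mechanically against a running-config. The following audit script is an added example, not Cisco's code nor any poster's; it recognises only the IOS commands quoted in the thread, and the interface stanzas and severity labels it uses are constructed for the example.

```python
"""Audit the 802.1x host mode of Cisco IOS access-port stanzas.

Added example for this thread (not Cisco's or any poster's code). It encodes
the point argued above: 'dot1x host-mode multi-host' authorises the whole port
after one successful authentication, so anything on the phone's PC port rides
along, whereas 'multi-domain' (MDA) lets the phone (voice domain) and the host
behind it (data domain) authenticate separately. The sample stanzas below are
constructed, modelled on the configs posted in the thread.
"""
import re

SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description phone port, multi-host (risky)
 switchport mode access
 switchport voice vlan 6
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 spanning-tree portfast
!
interface FastEthernet0/2
 description phone port, MDA as Adil suggested
 switchport mode access
 switchport voice vlan 6
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 spanning-tree portfast
!
interface FastEthernet0/3
 description MDA plus MAB fallback for a supplicant-less phone
 switchport mode access
 switchport voice vlan 6
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
!
interface FastEthernet0/4
 description uplink, no 802.1x
 switchport mode trunk
!
"""


def parse_interfaces(running_config):
    """Map each 'interface X' stanza to the list of commands under it."""
    stanzas, current = {}, None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None  # '!' terminates a stanza in IOS output
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas


def audit_port(commands):
    """Return (severity, message) findings for one interface's command list."""
    cmds = set(commands)
    if "dot1x port-control auto" not in cmds:
        return [("info", "802.1x not enforced on this port")]
    host_mode = "single-host"  # IOS default when no host-mode line is present
    for cmd in commands:
        m = re.match(r"dot1x host-mode (\S+)$", cmd)
        if m:
            host_mode = m.group(1)
    has_voice_vlan = any(c.startswith("switchport voice vlan") for c in commands)
    findings = []
    if host_mode == "multi-host":
        findings.append(("high", "multi-host: one authentication opens the port "
                                 "to every MAC behind the phone"))
    elif host_mode == "multi-domain":
        findings.append(("ok", "multi-domain: phone and PC authenticate separately"))
    elif has_voice_vlan:
        findings.append(("medium", "single-host (default) with a voice VLAN: "
                                   "the port authorises one data MAC only"))
    if has_voice_vlan and "dot1x mac-auth-bypass" not in cmds:
        findings.append(("info", "no MAB fallback: a phone without a supplicant "
                                 "must authenticate with EAP"))
    return findings


def audit_config(running_config):
    """Audit every interface stanza; returns {interface: findings}."""
    return {name: audit_port(cmds)
            for name, cmds in parse_interfaces(running_config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for severity, message in findings:
            print(f"{name}: [{severity}] {message}")
```

Run it against a saved `show running-config` and the multi-host ports stand out as the ones where a single phone authentication admits anything on the PC port; the multi-domain ports are the ones configured the way Adil describes.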
06-06-2007 09:47 PM
Hello adil
Thanks for the response. I do not want the IP phones to authenticate via 802.1x. I just need to make sure they aren't affected by enabling dot1x on the port!!! I can also disable dot1x, but it becomes tough managing the ports, since as a default template we will be enabling dot1x on all ports. With voice VLANs configured, will the phone work fine, without any issues? No dot1x supplicant on the phone nor any PC connected to the phone :) Pretty simple, but needed to confirm!!!!
Raj
06-06-2007 10:11 PM
Yes, you can.
The IOS version which I referred to has something called MAB (MAC address bypass).
Please read below:
The following new features are available with Cisco IOS Software Release 12.2(35)SE for enterprise Ethernet switches:
Multi Domain Authentication (MDA): MDA provides enhanced security for IP phone deployments. This allows an IP phone (Cisco or third-party) and a single host behind the IP phone to independently authenticate using 802.1x. Using this method, a switch can place the host in the data VLAN and IP phone in the voice VLAN, though they appear on the same switch port. Data VLAN can be downloaded from the authentication, authorization, and accounting (AAA) server. For non-802.1x devices, MAC Authentication Bypass (MAB) can be used as the fallback to authenticate using the MAC address of the device. For non-802.1x deployments, MAB can be used to authenticate both IP phones and hosts.
What you can do is add the manufacturer code and configure MAB.
You can get them from this site:
http://standards.ieee.org/regauth/oui/index.shtml
Adil
05-16-2008 06:41 PM
Hi Adil,
I'm testing with a Catalyst 3560 running IOS version 12.2(44)SE2.
I have a Nortel-LG IP phone which does not have 802.1x supplicant.
I tried configuring MDA on the switchport and using MAB to authenticate the phone.
My questions:
1. In the ACS, I created a group for the IP phone and specify "device-traffic-class=voice" as the cisco-av-pair. Is this what I should be doing for a non-Cisco phone?
2. I know the phone's MAC address is 00-40-5A-17-C6-30. I created a user 00405a17c630 (password is also 00405a17c630) and assigned it to the IP phone group I created above. Is this correct?
My testing wasn't successful. I got the following output:
Switch#sh dot1x int f0/48 de
Dot1x Info for FastEthernet0/48
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_DOMAIN
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Inactivity Timeout = None
Guest-Vlan = 999
Dot1x Authenticator Client List
-------------------------------
Domain = UNKNOWN
Supplicant = 0040.5a17.c630
Auth SM State = AUTHENTICATING
Auth BEND SM State = REQUEST
Port Status = UNAUTHORIZED
Authentication Method = Dot1x
Domain = UNKNOWN
Port Status = UNAUTHORIZED
My switch config is as follows:
!
aaa new-model
aaa authentication dot1x default group radius
!
dot1x system-auth-control
!
radius-server host 1.1.1.1 auth-port 1645 acct-port 1646 key cisco123
radius-server source-ports 1645-1646
radius-server vsa send authentication
!
interface FastEthernet0/48
description *** 802.1x Test Port ***
switchport access vlan 70
switchport mode access
switchport voice vlan 71
no snmp trap link-status
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x violation-mode protect
dot1x guest-vlan 999
spanning-tree portfast
!
In the ACS' Failed Attempts logs, I saw entries for:
User-Name = 00405a17c630
Group-Name = IP_Phone_Test_Group
Caller-ID = 00-40-5A-17-C6-30
Authen-Failure-Code = Internal error
ACS version is 4.1.
What am I missing? Please advise.
Thank you.
B.Rgds,
Lim TS
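Adil's MAB suggestion (admit a supplicant-less phone by its MAC, keyed on the manufacturer prefix from the IEEE OUI registry) and the identity Lim TS created in ACS both rest on the same convention: Cisco IOS MAB sends the endpoint MAC as 12 lowercase hex digits with no separators, as both User-Name and User-Password. The helpers below are an added example, not code from the thread, from Cisco or from Nortel. The OUI allow-list and the ACS log record are constructed for the example; the one prefix in the list is simply the leading bytes of the MAC quoted above and is not a claim about any vendor's registration.

```python
"""MAB identity helpers for a Cisco switch talking to ACS/IAS.

Added example; not code from the thread, from Cisco or from Nortel. It follows
the MAB username convention visible in Lim TS's test above and default for
Cisco IOS MAB: the endpoint MAC as 12 lowercase hex digits with no separators,
sent as both User-Name and User-Password. The OUI allow-list is constructed;
real manufacturer prefixes come from the IEEE OUI registry Adil links to.
"""
import re

# Constructed allow-list of 24-bit OUIs (lowercase hex). The single entry is
# the prefix of the MAC quoted in the thread, used here only as sample data.
ALLOWED_PHONE_OUIS = {"00405a"}

# Constructed ACS 'Failed Attempts' record, shaped like the excerpt above.
SAMPLE_ENTRY = {
    "User-Name": "00405a17c630",
    "Group-Name": "IP_Phone_Test_Group",
    "Caller-ID": "00-40-5A-17-C6-30",
    "Authen-Failure-Code": "Internal error",
}


def normalize_mac(mac):
    """Canonical 12-hex-digit form for 00-40-5A-17-C6-30, 0040.5a17.c630, etc."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def mab_credentials(mac):
    """(User-Name, User-Password) pair the switch sends for this endpoint."""
    ident = normalize_mac(mac)
    return ident, ident


def oui(mac):
    """The 24-bit manufacturer prefix (first six hex digits)."""
    return normalize_mac(mac)[:6]


def is_allowed_phone(mac, allowed_ouis=ALLOWED_PHONE_OUIS):
    """Admission check by manufacturer prefix.

    A MAC is a weak identity (it can be copied), so this is a coarse filter to
    pair with the voice-VLAN av-pair and a dedicated phone group on the AAA
    side, not a substitute for a supplicant.
    """
    return oui(mac) in allowed_ouis


def check_failed_attempt(entry):
    """Flag identity inconsistencies in an ACS 'Failed Attempts' record
    (dict of attribute -> value, keys as in the thread's log excerpt)."""
    problems = []
    user = entry.get("User-Name", "")
    caller = entry.get("Caller-ID", "")
    try:
        if user != normalize_mac(caller):
            problems.append("User-Name is not the MAB form of Caller-ID")
    except ValueError:
        problems.append("Caller-ID is not a MAC address")
    if user != user.lower():
        problems.append("User-Name must be lowercase for MAB")
    return problems


if __name__ == "__main__":
    print(mab_credentials("00-40-5A-17-C6-30"))
    print(is_allowed_phone("0040.5a17.c630"))
    print(check_failed_attempt(SAMPLE_ENTRY) or "record is internally consistent")
```

Feeding the thread's own log excerpt through `check_failed_attempt` returns no problems, which is consistent with the poster's observation that the ACS account matches the phone's MAC: the "Internal error" lies elsewhere than in the identity format.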