802.1x and MS IAS and Nortel IP phone

bws
Level 1

Hi,

I have set up 802.1x with MS IAS. All seems to work fine when I am using a plain PC connection to the switch, but the moment an IP phone is involved I start facing issues.

I am using a Cisco 3750 switch with version 12.2(25)SEB4.

The DHCP server is on Windows, which is on a different network, i.e. 10.50.1.9.

The DHCP relay agent is defined on the firewall subinterfaces.

All works when the phone is not involved. BTW, I am using a Nortel IP phone.

When the phone is plugged in and the cable goes through the phone, I provide the user name and credentials, and when I run show vlan on the switch I can see I am part of the correct VLAN, but I do not get an IP address.

This is the error I get on the switch when I ran debug radius:

Please find two attachments of the debug dot1x events and radius output.

Please help.

Regards

AI

38 Replies

jafrazie
Cisco Employee

This topology will not work on a port configured for 802.1X. The Nortel phone has no way to access the network. Also, is the Nortel phone bridging the 1X control traffic to/from the switch/client anyway?

Hi,

Yes, the phone is bridging the traffic. Can you explain technically why this will not work?

jafrazie
Cisco Employee

The phone won't work b/c it doesn't have a 1x supplicant.

The PC "should work" if the phone is passing EAPOL to the switch.

Although remember the MAC of the PC is locked into the switchport. Typically, part of the security provided by 802.1x is based on the assumption that the switch port is not connected to a hub-based shared Ethernet segment. If not, an unauthenticated hub/switch could be used to gain access for other unauthorized systems. So, by default, a switchport running 802.1x is able to deny access to any such "piggybacked" ports (or for any other machines on the wire). And remember what happens if the authenticated PC unplugs from the phone. Does the phone inform the network of this to tear down the active security session?

Hope this helps,

Nathan Spitzer
Level 1

Hmmm, I have tested this in a lab and it works fine.... with a big caveat that makes it almost not worth doing.

To get it to work, make sure that IAS allows EAP-MD5 as an authentication method, as that is the only method the IP phone supports. Also, the switch port needs to use 802.1x multi-host mode since the port will see more than 1 MAC address (the IP phone plus the PC).

Let me know exactly which Nortel IP phone you have and I can tell you how to get it working.

Now for the caveat: The 802.1x spec does not in any way, shape, or form address what to do when multiple devices try to access an 802.1x-controlled port. What this means is that once the Nortel IP phone (and the 200x series phones do have a supplicant) authenticates a port, the port is active and ANYTHING plugged into the phone's PC port will work. Now if the PC has 802.1x enabled it may try to reauthenticate the port, and if it fails the port may be unauthenticated, but there is no way to force a device plugged into the IP phone's PC port to use 802.1x. What this means is that without using port security or some other administratively intense means, any IP phone data port can be used by anybody using any device to access the network once the IP phone authenticates the port.

If the whole point of 802.1x is to secure your ports in a relatively administratively easy way, throwing a Nortel IP phone into the mix sinks that faster than the Edmund Fitzgerald.

PS: Someone PLEASE tell me I am wrong about the IP phone's PC port. I really need to get this working myself.

The phone model is below:

Nortel IP Phone 2004

Model: NTDU92

1) Make sure IAS allows EAP-MD5 as an authentication method (I am using ACS so I can't help you much there)

2) Make sure there is an account in AD for whatever user/password combo you have the phone trying to authenticate with. If possible, use GPOs/user rights to NOT allow this user to log in.

3) Run "dot1x host-mode multi-host" on the access port. This will allow the port to see multiple MACs on the port and not shut down. As already stated, this really hoses 802.1x since as soon as a phone authenticates the port is active and any device can use the PC port on the phone. See my other post for more information on how Cisco is looking at fixing this.

Let me know if that helps.

Remember if you plug in a phone running 1X to a 1X port, and it works, AND you also have multi-host mode enabled, then any PC that plugs into the phone will be granted access ("for free") implicitly.

Would recommend discussing roadmap items with your account team.

Hope this helps,

jafrazie
Cisco Employee

Ah, I didn't know you had a phone with a 1X supplicant on it ;-).

If so, this is the only (non-default) option available today on the switch you're testing with. See my last reply on how it works by default. With multi-host mode though, 802.1X is used to "enable the port" only, with no other restrictions being placed on it. An analogy would be walking into a building with a valid badge, but leaving the door propped open behind you.

The rest of your comments WRT the 1X-spec, the security implications of the current multi-host mode, etc. are pretty well-founded.

From a spec perspective, it's similar to evaluating 802.1X in a wireless LAN WITHOUT the use of encryption. Mind you, there are potentially only 2 devices on the wire here instead of 200, so the threat model is different, and so may be your risk assessment, but the technology use is about the same today.

Hope this helps,

I found a link to an "Ask the Expert" post that addresses these issues.

Basically this fall Cisco is going to release a feature on their switches that will allow multiple authentications per port per VLAN. I presume that what they are doing is requiring each MAC address to acquire a separate authentication. This will solve most or all of the problems associated with 802.1x w/ VoIP. They also mention that Cisco IP phones above the 7960 get an 802.1x supplicant late this year or early next year.

-

Posted by: ksilva - CCIE - Sep 8, 2006, 8:31pm PST

When might we see 802.1x(Port Based Network Access Control) capabilities rolled out to the standard 79XX phones, or is this something not on the roadmap at this time?

-------------------------------------------

Posted by: tsherman - CISCO SYSTEMS - Sep 8, 2006, 9:07pm PST

You will see 802.1x on the phones this late 4th qtr or early 1st qtr next year. The 802.1x supplicant will only be phones above the 7960. The firmware load for the phones is planned to be 8.3.1. A design guide to deploy the phones is planned to be released as the same time as the supplicant.

------------------------------------------

Posted by: kleo - Sep 12, 2006, 8:22am PST

So does this mean that the data switch will have to support multiple authentication (multiple dot1x-hosts on a port and every host is authenticated separately) on at aux/voice port ? Without using cdp ?

-----------------------------------------

Posted by: tsherman - CISCO SYSTEMS - Sep 12, 2006, 10:56am PST

Yes, if you are going to authenticate the phone and a PC plugged into a phone both of the devices will have to authenticate to the port per vlan. This feature is coming out on Cisco switches this fall to allow multiple authentications per port per vlan so this will be possible.

On the subject of CDP, the CDP will be allowed to pass between the phone and the switch so the phone can get the information it needs to determine which VLAN on the port is the voice VLAN. Once the phone has that information, it will attempt to authenticate into the voice vlan on the port of the switch.

Hello,

I have been looking at this topic and have a query similar to the one Adil had: I'm planning to connect a Nortel IP phone on one of the ports enabled for 802.1x. I do not want to connect any PC behind the phone. I want the phone to work as usual, making calls outside. As I see with the existing configurations on the switch, the Nortel IP phone connectivity is configured as a data VLAN and not the voice VLAN, so will this affect the working of the phone when dot1x is enabled?

Can someone clarify on this?

Raj

Hi Raj,

Make sure you are using Cisco switch IOS version 12.2(35)SE2.

It won't be an issue if you use the phone with a voice VLAN.

Configure the port as follows:

(config-if)# switchport mode access
switchport voice vlan 6
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
spanning-tree portfast

Make sure you configure a separate policy on your RADIUS for the IP phone by creating an account for your IP phone. Add this account to a group. Create a policy on RADIUS for this IP phone group and add the Cisco-AV attribute device-traffic-class=voice with vendor Cisco.

Also make sure you are using the latest firmware on the IP phone; we are using i2004 phones with 0604DAS firmware as it has lots of fixes.

In this way your phone also will authenticate on RADIUS.

Let me know if you need further clarification.

Adil

Hello adil

Thanks for the response. I do not want the IP phones to authenticate via 802.1x. I just need to make sure they aren't affected by enabling dot1x on the port! I can also disable dot1x, but it becomes tough managing the ports, since as a default template we will be enabling dot1x on all ports. With voice VLANs configured, will the phone work fine, without any issues? No dot1x supplicant on the phone nor any PC connected to the phone :) Pretty simple, but I needed to confirm!

Raj

Yes, you can.

The IOS version which I referred to has something called MAB (MAC address bypass).

Please read below:

The following new features are available with Cisco IOS Software Release 12.2(35)SE for enterprise Ethernet switches:

Multi Domain Authentication (MDA): MDA provides enhanced security for IP phone deployments. This allows an IP phone (Cisco or third-party) and a single host behind the IP phone to independently authenticate using 802.1x. Using this method, a switch can place the host in the data VLAN and IP phone in the voice VLAN, though they appear on the same switch port. Data VLAN can be downloaded from the authentication, authorization, and accounting (AAA) server. For non-802.1x devices, MAC Authentication Bypass (MAB) can be used as the fallback to authenticate using the MAC address of the device. For non-802.1x deployments, MAB can be used to authenticate both IP phones and hosts.

What you can do is add the manufacturer code and configure MAB.

You can get the codes from this site:

http://standards.ieee.org/regauth/oui/index.shtml

Adil

Hi Adil,

I'm testing with a Catalyst 3560 running IOS version 12.2(44)SE2.

I have a Nortel-LG IP phone which does not have 802.1x supplicant.

I tried configuring MDA on the switchport and use MAB to authenticate the phone.

My questions:

1. In the ACS, I created a group for the IP phone and specified "device-traffic-class=voice" as the cisco-av-pair. Is this what I should be doing for a non-Cisco phone?

2. I know the phone's MAC address is 00-40-5A-17-C6-30. I created a user 00405a17c630 (password is also 00405a17c630) and assigned it to the IP phone group I created above. Is this correct?

My testing wasn't successful. I got the following output:

Switch#sh dot1x int f0/48 de
Dot1x Info for FastEthernet0/48
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_DOMAIN
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Inactivity Timeout = None
Guest-Vlan = 999

Dot1x Authenticator Client List
-------------------------------
Domain = UNKNOWN
Supplicant = 0040.5a17.c630
Auth SM State = AUTHENTICATING
Auth BEND SM State = REQUEST
Port Status = UNAUTHORIZED
Authentication Method = Dot1x

Domain = UNKNOWN
Port Status = UNAUTHORIZED

My switch config is as follows:

!
aaa new-model
aaa authentication dot1x default group radius
!
dot1x system-auth-control
!
radius-server host 1.1.1.1 auth-port 1645 acct-port 1646 key cisco123
radius-server source-ports 1645-1646
radius-server vsa send authentication
!
interface FastEthernet0/48
 description *** 802.1x Test Port ***
 switchport access vlan 70
 switchport mode access
 switchport voice vlan 71
 no snmp trap link-status
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x violation-mode protect
 dot1x guest-vlan 999
 spanning-tree portfast
!

In the ACS' Failed Attempts logs, I saw entries for:

User-Name = 00405a17c630
Group-Name = IP_Phone_Test_Group
Caller-ID = 00-40-5A-17-C6-30
Authen-Failure-Code = Internal error

ACS version is 4.1.

what am I missing? Please advise.

Thank you.

B.Rgds,

Lim TS
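An added check, not from any poster in this thread, for the MAB setup Adil described and the failure Lim TS reports above: it derives the account name a Cisco switch presents for MAB from the supplicant MAC (the ACS log shows User-Name = 00405a17c630 for Caller-ID 00-40-5A-17-C6-30) and parses the client list of the "show dot1x interface ... detail" output so an unauthorized client can be compared against the RADIUS user list. The sample show output is constructed from the thread's quote, and the RADIUS user list passed to diagnose() is assumed to be a set of user names exported from ACS/IAS.

```python
import re

# Constructed sample: the client list from the 'show dot1x interface f0/48 detail' quoted above.
SAMPLE_SHOW = """\
Dot1x Authenticator Client List
Domain = UNKNOWN
Supplicant = 0040.5a17.c630
Auth SM State = AUTHENTICATING
Port Status = UNAUTHORIZED
Authentication Method = Dot1x
"""

def mab_username(mac):
    """MAB User-Name/User-Password as a Cisco switch sends it: 12 lowercase hex
    digits, no separators (the ACS log shows 'User-Name = 00405a17c630')."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_dot1x_clients(show_output):
    """One dict per 'Domain =' block in the Dot1x Authenticator Client List."""
    clients, cur, in_list = [], None, False
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("Dot1x Authenticator Client List"):
            in_list = True
        elif in_list and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key == "Domain":           # each client block starts here
                cur = {"Domain": val}
                clients.append(cur)
            elif cur is not None:
                cur[key] = val
    return clients

def diagnose(show_output, radius_accounts):
    """For each client not yet authorized, give the MAB account name the switch
    will present and whether that name exists in the RADIUS user list."""
    findings = []
    for c in parse_dot1x_clients(show_output):
        mac = c.get("Supplicant")
        if not mac or c.get("Port Status") == "AUTHORIZED":
            continue          # a Domain block with no supplicant has nothing to check
        user = mab_username(mac)
        findings.append({"supplicant": mac, "expected_user": user,
                         "account_present": user in radius_accounts,
                         "method": c.get("Authentication Method"),
                         "state": c.get("Auth SM State")})
    return findings
```

A finding whose account is present but whose method is still Dot1x and state AUTHENTICATING, as in the quoted output, points at the RADIUS side (here the ACS "Internal error") rather than at a mistyped account name.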
