802.1x - Phones + MAB + AD Help

datasolutions
Level 1

I'm testing 802.1x in a lab and am struggling a bit with setting up MAB for phones. My understanding is that it requires an AD account to work with Microsoft NPS, and I've read that there is supposedly a way to wildcard the account so not every phone needs a unique AD account, but I am at a loss to find examples or guidance as to how this is configured. Has anyone done this? Or have any advice on the simplest way to deal with phones and 802.1x?

3 Replies

Gagandeep Singh
Cisco Employee

You need to configure the voice and data VLANs on the port for the phone and the PC behind it.

In the case of MAB, we just need the MAC address of the phone in ISE as an internal host, or you can also have the MAC address in AD.

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-605524.html#wp9000533

Keep above link for reference.

Regards

Gagan

ps: rate if it helps!!!!

Thanks Gagan. We already have Voice & Data VLANs deployed. I was able to successfully test MAB by creating an AD account for a test phone. But better yet, I found how to authenticate multiple phones without requiring each one to have its own AD account.

Using Microsoft's Network Policy Server, it is possible to create a Connection Request Policy with a wildcard MAC address. You can do this by:

  • Within Conditions
    • select 'NAS Port Type' and set to Ethernet
    • select 'Calling Station ID' and specify the appropriate wildcard MAC address (e.g. 00-04-f2-* for Polycom phones)
  • Within Settings->Forwarding Connection Request->Authentication
    • Select 'Accept users without validating credentials'

Were you able to make this work? I am working on a similar project with Polycom phones and NPS, but not having much luck getting the phones to authenticate with MAB. When you set up the Connection Request Policy, did you then also have a Network Policy to check against AD and pass down the voice-vlan attribute?