dot1x authentication - Switch 3650 / Polycom phone 430

289114
Level 1

Hi,

I have a 3650 switch with the IP Base image IOS 12.2(25)SEE3, a Polycom SoundPoint IP 430 SIP phone, a RADIUS server (IAS 2003) and a Windows XP PC.

I enabled the Windows XP PC for wired authentication (started the Wired AutoConfig service, added the registry entries AuthMode and SupplicantMode, chose Enable IEEE 802.1X authentication with PEAP, then Secured password (EAP-MSCHAP v2)).

I configured the RADIUS server for Ethernet authentication and domain users. In the profile I chose EAP, MS-CHAP v2.

The port configuration of the switch is as follows:

Switch#sh run int fa0/1
Building configuration...

Current configuration : 590 bytes
!
interface FastEthernet0/1
 switchport access vlan 121
 switchport mode access
 switchport voice vlan 155
 switchport priority extend trust
 service-policy input QoS-Policy-LAN
 speed 100
 duplex full
 spanning-tree portfast
end

I configured the switch as follows:

switch(config)#dot1x system-auth-control

Under the interface configuration mode:

switch(config-if)#dot1x port-control auto
switch(config-if)#dot1x pae authenticator
switch(config-if)#dot1x host-mode multi-host

I plugged the PC directly into the switch port and got the prompt that additional credentials are required for the PC to connect to the network, so I entered my Windows username and password and was successfully authenticated.

Then I plugged the PC into the phone (Polycom 430) and the phone into the switch port. The network card appears to be attempting to authenticate, but it doesn't prompt, and I am not able to access the network, nor am I able to use the phone. (The problem is that the authentication packets sent from the PC do not reach the switch: when I compare the debug dot1x output on the switch between connecting the PC alone and connecting the PC and phone, the client ID trying to authenticate is different in each case. I will put the debug for both below, when it connects and when it was unable to connect.)

I tried dot1x host-mode single-host.

I made many changes, once with single-host and then with multi-host (each time, I tried disabling/enabling the network card of the PC and making a phone call in order to generate traffic):

First, I added dot1x mac-auth-bypass, disconnected and reconnected; it didn't work (neither phone nor PC).

Second, in addition to the first, I added dot1x control-direction in; it didn't work (neither phone nor PC).

Then I removed both these settings and I set:

dot1x guest-vlan 155 (where 155 is the voice VLAN)

dot1x auth-fail vlan 155

Nothing was working.

Then I added these 2 records in addition to dot1x mac-auth-bypass; nothing was working.

In the attachment, I marked in blue font where I saw the client ID. After that state-machine record that shows the client ID, I saw that the debug output changed.

CDP is enabled on both the phone and the switch, and when I use show cdp, I see the phone connected to the port.

Thanks

Sayed

1 Reply

289114
Level 1

A test that I ran was setting the duplex to half on all switches/phone/PC.

I brought a small switch, connected to the Cisco 3650 with the port configuration,

and I did two more tests:

Test 1:

     dot1x port-control auto
     dot1x pae authenticator
     dot1x host-mode multi-host

The PC authenticated successfully and I was able to access the network as well as make phone calls.

Test 2:

     dot1x port-control auto
     dot1x pae authenticator
     dot1x host-mode single-host

The PC was able to authenticate and access the network, but the phone was not able to.

The problem, I am thinking, is that the phone wants to try to authenticate and doesn't let the authentication of the PC pass.

I hope somebody can help me regarding this problem.

Thanks