Beginner

IEEE 802.1X Multidomain Authentication

In the "Guidelines for Configuring IEEE 802.1X Multidomain Authentication" (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/5700/sec-user-8021x-xe-3se-5700-book/sec-ieee-mda.html)

it says:

MDA allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.

MDA does not enforce the order of device authentication. However, for best results, we recommend that a voice device is authenticated before a data device on an MDA-enabled port.

The first part is clear. The question is about the second (bold) part.

Where/how can one actually set/control that the voice device is authenticated before the data device? (authenticator/switch, authentication server, ...?)

Thanks for pointing me in the right direction...

4 REPLIES
VIP Expert

In general, most enterprise deployments do this to save infrastructure:

The same Cat cable is used for the phone, which in turn connects to the PC.

Here is a good explanation of how MDA host mode works (hope this helps you understand it better):

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

BB

Hi BB,

Thanks for your time & your reply.

>>The same Cat cable is used for the phone, which in turn connects to the PC.

It's clear, but that's the physical layout only. Isn't it?

You have the VoIP phone connected to the switch, and via the internal switch of the phone you connect the workstation. How else, even?

>>MDA does not enforce the order of device authentication. However, for best results, we recommend that a voice device is authenticated before a data device on an MDA-enabled port.

But the question is: does one have control (via any part of the switch configuration) over 'authenticating the voice device before a data device on an MDA-enabled port' as stated above? I.e. 'the order of device authentication'.

Is this configurable at any device in the chain (authenticator/switch, auth server)?

I would really like to understand what is meant by this recommendation (bold) and how to follow it.

They can hardly refer to the physical layout only, as there is no other way than to connect the PC 'behind' the VoIP device/phone (to my best knowledge; please correct me if I'm wrong).

Thx.


There is no switch configuration to force the voice endpoint to be authenticated before the data endpoint. However, the phone would typically be connected to the switchport first before the PC was connected behind it. This should result in the phone being authenticated/authorised before the PC. I've never seen an order-of-operations issue related to this in a customer environment.

That said, current best practice is to use Multi-Auth mode rather than MDA as PCs using virtual machines will cause issues with MDA. As MDA only allows a single MAC address on the DATA domain, a VM with a bridged NIC will result in an additional MAC address on the DATA domain and can cause the port to go into err-disable state.

For current best practice switch configuration, see the ISE Secure Wired Access Prescriptive Deployment Guide 
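To make the difference between the two host modes discussed in this reply concrete, here is an added example (not from the original post or from the Cisco guides linked above) showing the same phone-plus-PC port in classic IOS `authentication` syntax, once in multi-domain (MDA) mode and once in multi-auth mode. Interface names, VLAN IDs, the RADIUS server address and the shared key are placeholders.

```ios
! ---- Global prerequisites (placeholders for the RADIUS server and key) ----
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key EXAMPLE-SHARED-KEY

! ---- Port in multi-domain (MDA) host mode ----
! Exactly one MAC is allowed in the voice domain (the voice VLAN) and one in
! the data domain (the access VLAN). A second data MAC, such as a VM with a
! bridged vNIC behind the PC, is a security violation. With the default
! violation action (shutdown) the port goes err-disabled.
interface GigabitEthernet1/0/1
 description IP phone with one PC daisy-chained (MDA)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 authentication violation shutdown
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

! ---- Same port in multi-auth host mode ----
! Still a single voice-domain MAC, but any number of data-domain MACs, each
! authenticated on its own. This is the mode the reply above recommends for
! hosts that run bridged VMs. 'restrict' drops and logs the offending MAC
! instead of err-disabling the whole port.
interface GigabitEthernet1/0/2
 description IP phone with PC (and VMs) behind it (multi-auth)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

! ---- Optional: let an MDA port recover from a violation without manual
! ---- 'shutdown' / 'no shutdown' ----
errdisable recovery cause security-violation
errdisable recovery interval 300

! ---- Verification (exec mode): each session is listed with its domain ----
! show authentication sessions interface GigabitEthernet1/0/1 details
! show authentication sessions interface GigabitEthernet1/0/2 details
```

Note that in both modes the switch decides which domain a device lands in from the RADIUS authorization result (the phone is placed in the voice domain when the server returns the Cisco AV pair `device-traffic-class=voice`, which ISE sends when the authorization profile has the voice-domain permission set), not from the order in which the devices came up; a data-domain device that is authorized first simply occupies the data slot. The `show authentication sessions ... details` output is the quickest way to confirm that the phone shows as VOICE and the PC as DATA on the port.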

Beginner

Thank you very much for the reply.

>>There is no switch configuration to force the voice endpoint to be authenticated before the data endpoint.

Also not to my knowledge.

>>However, the phone would typically be connected to the switchport first before the PC was connected behind it.

Also, the only possible way to my knowledge.

Therefore: since they state in the documentation (MDA does not enforce, but we recommend...)

>>MDA does not enforce the order of device authentication. However, for best results, we recommend that a voice device is authenticated before a data device on an MDA-enabled port.

this would imply that you can influence the order of authentication somehow (like "yes, you can also authenticate the data device first, but this is not what we recommend"; ok then: what do I need to do to follow your recommendation to authenticate the voice device first?).

Imho they can hardly refer to the physical layout with this sentence, as connecting the PC behind the phone (via the internal switch of the phone) is anyway the only possibility (please correct me if I'm wrong) to do it.
