4821 Views · 10 Helpful · 8 Replies

IP Phone And MAB\802.1x Scenario

Alex Pfeil (Level 7)

We have some IP phones that have 802.1x enabled by default. We are deploying 802.1x and planned on using MAB for the phones. Is there a way to configure the switch to only complete MAB for the phone? We do not want to have to turn 802.1x off on the phone. When the phone boots up currently, it is displaying an 802.1x authentication screen.

Any thoughts?


8 Replies

Jason Kunst (Cisco Employee)

Have you looked at the wired guide under http://cs.co/ise-guides? It lists the commands for the port. Disable dot1x on that port.

Cisco ISE Secure Wired Access Prescriptive Deployment Guide

We could also have computers behind the phone that need to run 802.1x.

Then there is nothing to assist you. Dot1x either runs on the port or it doesn’t.

mnagired (Cisco Employee)

Hello Alex,

A couple of options:

1. CUCM has an option (individual or bulk) to disable dot1x on the phone. Refer to Step 22 in the "ISE Authorization Policy for MIC Authentication" section.
2. By default the switch does dot1x first and then falls back to MAB.
    1. Adjust the default dot1x timers so that dot1x times out and falls back to MAB.
    2. With IBNS 1.0 style configuration, change the authentication order to MAB, dot1x if you are OK with that order of processing.
    3. With an IBNS 2.0 policy, do MAB first so phones get authenticated without any delay and PCs behind them get dot1x authenticated, matching the second policy below:

    event session-started match-all
        10 class always do-until-failure
            10 authenticate using MAB priority 10
    ......
    event agent-found match-all
        10 class always do-until-failure
            10 terminate mab
            20 authenticate using dot1x priority 10
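The phone-first ordering in the reply above is easy to get wrong when a control policy is hand-edited, so a small check before pushing it is worthwhile. The following is an added example, not code from the thread or from Cisco: it parses the text of an IOS IBNS 2.0 `policy-map type control subscriber` into per-event action lists and verifies that session-started authenticates with MAB first and that agent-found terminates the MAB session before running dot1x. Both sample policies are constructed; PHONE-MAB-FIRST reproduces the two events quoted in the reply and leaves out the lines the reply elides, and DOT1X-FIRST is a constructed counter-example.

```python
"""Check an IOS IBNS 2.0 control policy for the phone-first ordering
described in the reply: MAB on session-started, then on agent-found
terminate MAB and run dot1x for the supplicant behind the phone.

Added example, not from the thread or from Cisco. The sample policies are
constructed; PHONE-MAB-FIRST reproduces the reply's two events (the lines
the reply elides with '......' are simply not included).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PHONE_MAB_FIRST = """\
policy-map type control subscriber PHONE-MAB-FIRST
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
"""

# Constructed counter-example: dot1x first, MAB only after dot1x fails.
DOT1X_FIRST = """\
policy-map type control subscriber DOT1X-FIRST
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
"""

NAME_RE = re.compile(r"^\s*policy-map\s+type\s+control\s+subscriber\s+(\S+)\s*$")
EVENT_RE = re.compile(r"^\s*event\s+(\S+)\s+match-(?:all|first)\s*$")
CLASS_RE = re.compile(r"^\s*\d+\s+class\s+\S+\s+do-\S+\s*$")
ACTION_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+(.*?))?\s*$")
METHOD_RE = re.compile(r"\b(mab|dot1x)\b", re.IGNORECASE)


@dataclass
class Action:
    seq: int
    verb: str              # e.g. "authenticate", "terminate"
    method: Optional[str]  # "mab" or "dot1x" when the action names one


@dataclass
class Policy:
    name: str
    events: Dict[str, List[Action]]


def parse_policy(text: str) -> Policy:
    """Parse the policy text into per-event action lists (sorted by sequence)."""
    name, events, current = None, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if (m := NAME_RE.match(line)):
            name = m.group(1)
        elif (m := EVENT_RE.match(line)):
            current = m.group(1)
            events.setdefault(current, [])
        elif CLASS_RE.match(line):
            continue  # class selectors group actions; this example keeps all classes
        elif (m := ACTION_RE.match(line)) and current is not None:
            mm = METHOD_RE.search(m.group(3) or "")
            events[current].append(
                Action(int(m.group(1)), m.group(2), mm.group(1).lower() if mm else None))
    if name is None:
        raise ValueError("no 'policy-map type control subscriber' header")
    for actions in events.values():
        actions.sort(key=lambda a: a.seq)
    return Policy(name, events)


def first_auth_method(policy: Policy, event: str) -> Optional[str]:
    """Method of the lowest-sequence 'authenticate using' action in an event."""
    for a in policy.events.get(event, []):
        if a.verb == "authenticate" and a.method:
            return a.method
    return None


def check_phone_first(policy: Policy) -> List[str]:
    """Return findings; empty means phones get MAB immediately and dot1x
    only starts for a supplicant, with the MAB session torn down first."""
    findings = []
    if first_auth_method(policy, "session-started") != "mab":
        findings.append("session-started does not authenticate using mab first")
    agent = policy.events.get("agent-found", [])
    term = [a.seq for a in agent if a.verb == "terminate" and a.method == "mab"]
    auth = [a.seq for a in agent if a.verb == "authenticate" and a.method == "dot1x"]
    if not auth:
        findings.append("agent-found does not authenticate using dot1x")
    if not term:
        findings.append("agent-found does not terminate mab before dot1x")
    elif auth and min(auth) < min(term):
        findings.append("agent-found runs dot1x before terminating mab")
    return findings


if __name__ == "__main__":
    for text in (PHONE_MAB_FIRST, DOT1X_FIRST):
        pol = parse_policy(text)
        print(pol.name, check_phone_first(pol) or "OK")
```

The check deliberately ignores class selectors and only looks at the order of `authenticate using` and `terminate` actions, which is where the phone-versus-PC behaviour is decided; a real deployment would also want the authentication-failure and authentication-success events reviewed.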


What would be the best setting to change the timers so that 802.1x times out?

Hi Alex,

The recommended settings for a normal deployment are below (21 sec):

dot1x timeout tx-period 7
dot1x max-reauth-req 3

You could also try the following; refer to the IP Telephony for 802.1X Design Guide linked below:

dot1x timeout tx-period 3
dot1x max-reauth-req 3

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#pgfId-389992
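The timer answer above is only useful on ports that actually carry `mab` and `dot1x pae authenticator`, and it is easy for a port template to drift from the recommended values. The following is an added example, not code from the thread or from Cisco: it reads one IOS interface stanza in the IBNS 1.0 command style, extracts the MAB/dot1x settings, and reports ports where a phone with 802.1X enabled would either never be admitted by MAB or would sit through the default retry window before falling back. The four sample stanzas are constructed, and the defaults assumed here (tx-period 30 s, max-reauth-req 2, order dot1x then mab) are assumptions rather than values stated in the thread.

```python
"""Audit an IOS access-port configuration (IBNS 1.0 style commands) for how
a phone with 802.1X enabled will be admitted: is MAB configured, does dot1x
or MAB run first, and are the dot1x timers still at their defaults.

Added example, not from the thread or from Cisco. The sample stanzas are
constructed, and the defaults assumed here are tx-period 30 s,
max-reauth-req 2 and 'authentication order dot1x mab'.
"""
import re
from dataclasses import dataclass, field
from typing import List

DEFAULT_TX_PERIOD = 30       # assumed IOS default
DEFAULT_MAX_REAUTH_REQ = 2   # assumed IOS default
DEFAULT_ORDER = ["dot1x", "mab"]  # assumed IOS default order

# Constructed samples: the thread's recommended timers, a port left at
# defaults, MAB-first ordering, and a port with no MAB at all.
TUNED_TIMERS = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 20
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
"""
DEFAULT_TIMERS = """\
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
"""
MAB_FIRST = """\
interface GigabitEthernet1/0/3
 switchport mode access
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
"""
NO_MAB = """\
interface GigabitEthernet1/0/4
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
"""


@dataclass
class PortAuth:
    name: str
    dot1x: bool = False
    mab: bool = False
    order: List[str] = field(default_factory=lambda: list(DEFAULT_ORDER))
    tx_period: int = DEFAULT_TX_PERIOD
    max_reauth_req: int = DEFAULT_MAX_REAUTH_REQ


def parse_interface(text: str) -> PortAuth:
    """Pull the authentication-relevant lines out of one interface stanza."""
    port = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            port = PortAuth(line.split(None, 1)[1])
        elif port is None or not line:
            continue
        elif line == "dot1x pae authenticator":
            port.dot1x = True
        elif line == "mab":
            port.mab = True
        elif line.startswith("authentication order "):
            port.order = line.split()[2:]
        elif (m := re.fullmatch(r"dot1x timeout tx-period (\d+)", line)):
            port.tx_period = int(m.group(1))
        elif (m := re.fullmatch(r"dot1x max-reauth-req (\d+)", line)):
            port.max_reauth_req = int(m.group(1))
    if port is None:
        raise ValueError("no interface stanza found")
    return port


def audit(port: PortAuth) -> List[str]:
    """Findings for a port carrying 802.1X-capable phones with PCs behind them."""
    findings = []
    if not port.mab:
        findings.append(f"{port.name}: no 'mab', a phone can only be admitted via 802.1X")
    if not port.dot1x:
        findings.append(f"{port.name}: no 'dot1x pae authenticator', PCs behind the phone cannot use 802.1X")
    if not port.mab or not port.dot1x:
        return findings
    mab_first = port.order[:1] == ["mab"]
    at_defaults = (port.tx_period == DEFAULT_TX_PERIOD
                   and port.max_reauth_req == DEFAULT_MAX_REAUTH_REQ)
    if not mab_first and at_defaults:
        findings.append(
            f"{port.name}: dot1x runs first with default timers "
            f"(tx-period {port.tx_period}, max-reauth-req {port.max_reauth_req}); "
            "lower them or use 'authentication order mab dot1x' so phones fall back to MAB sooner")
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse one stanza and audit it."""
    return audit(parse_interface(text))


if __name__ == "__main__":
    for sample in (TUNED_TIMERS, DEFAULT_TIMERS, MAB_FIRST, NO_MAB):
        port = parse_interface(sample)
        print(port.name, audit(port) or "OK")
```

Run against a full running-config, the stanzas would be split on `interface` lines first; the audit reports the raw timer values rather than a computed fallback time, so the reader can apply whichever total their platform documentation gives.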

Damien Miller (VIP Alumni)
Are the phones centrally managed so that you only have to push a new setting to disable dot1x on the phones?

When the phones hit ISE, do they use any default authentication such as sending a preinstalled certificate or username?

We were able to turn 802.1x off on the phones with a configuration on the server. Crisis averted. Thanks to everyone who replied.