cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13854
Views
9
Helpful
21
Replies

MAB/802.1x and Alkatel IP Phones

Gaj Ana
Level 1
Level 1

Hi All

 

We have a distributed deployment where Alkatel ip-touch phones are authentictaed via MAB. Alkatel ip touch phones has 802.1x enabled by default and the phone tries eapol first and then switch authenticates via MAB which is fine. Once authenticated its working as expected. The issue is the phone keeps on periodic retry after x amount of minutes for 802.1x again which triggers the phone to reboot again and goes via the whole process. This interupts the voice. We could disable 802.1x but its per phone basis. Has anyone came across this issue and found a way to diable globally via the call manager etcc. or any workarounf from ISE/switch side?

 

Thanks

G

1 Accepted Solution

Accepted Solutions

Hi Marc

Great that you have the certs.

ISE doesn't know about one way tls. In this scenario (one way tls) ise only authenticates the client. First import the wired phone cert in-to ise cert store and trust for tls.(tick check box). Create a certificate authentication profile (CAP) (with subject name as the attribute) to be used as the identity store in authentication policy. Create a identity source sequence with local and the above CAP as identity stores. The local identity store is required as these phones will first authenticate via MAB during initial boot and once 802.1x process starts they will re-authenticate via CAP. Then create a authentication policy with the above identity source sequence. This has to be after the MAB rule. Then create appropriate authorization policy.example you can use custom profiling conditions (if alkatel profiles are not available in ise) to profile and authorize the phone or some other means.

 

Hope this helps

 

regards

G

 

 

View solution in original post

21 Replies 21

Tarik Admani
VIP Alumni
VIP Alumni

I have run into this issue before, there is a command on the switch port so that if authentication fails to use the next-method. Can you post the output of your port settings and the version and type of switch you are using?

Thanks

Tarik

Hi Tarik,

 

Thanks for the reply, please find below the switch  port config lines, its a 370x switch, IPbase  and universalon 15.2-1.E1 image

Note- Since the 8021x is enabled by default the phone initially tries 802.1x and after failing , the switch  goes to the next auth method which is MAB which is successful. The issue is the phone again initiales a 802.1x packet after some time and the whole process starts again and because 8021x is failed the phone reboots again. I think this is the way this type of phone work and we cannot do much unless disable 802.1x or install the Alkatel CA certs in the ISE cert store?

Interface gi x/y

switchport access vlan xx

 switchport mode access
 switchport voice vlan yy

 ip access-group ACL_ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan xx

 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto

 authentication timer reauthenticate server
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 

I have a couple of questions regarding the behavior of the phone.

In most cases endpoints will not prompt re-authentication (computing devices are an exception), unless a timer on the switchport or a link event prompts re-authentication which you can start by running a show authentication sessions interface xxx details.

If the phones are performing eap-tls then your best option would be to use that feature as opposed on relying on strictly profiling.

thanks,

Hi Tarik,

The dot1x debugs in switch showed after certain time switch receives a reauth packet "Apr  8 04:40:24.194: dot1x-packet:[xxxx.yyyy.zzzz, Gi1/0/1] queuing an EAPOL pkt on Auth Q" from the endpoint and the whole process starts again. The endpoint reboots itself once it sees a 8021x failure. "Show auth sess int x/y details" shows MAB as the successfull auth method until the re-request for 802x comes from the endpoint.

Regarding the timers as mentioned in the switch port config above , the port rely on the radius server (ie ISE) "authentication timer reauthenticate server" for the reauth timer and I assume this will be the session time when the device initially connects.

 

Regs

G
 

christoulakis
Level 1
Level 1

 

Hi,

 

May i  ask what alcatel model do you have, because i'm facing a similar problem with them you can see my posts on the forum

 

regards

 

Hi

These are ip touch 4068, 4028 phones. I tried testing with Alkatel Enterprise root CA and manufacturing certs installed in ISE cert store but still "unknown CA error" showed up. Further Wire-shark capture for dot1x showed in "client hello" the certs presented by the phones are signed by a issuer "Wired Phones". Trying to get this and test it again.

 

Regs

G

christoulakis
Level 1
Level 1

 

For my understanding the phone works fine via MAB, the problem appears with dot1x,  right?

Have you tried to tested except EAP/TLS with the next and only available option EAP/MD5  and see if you will face a similar behavior? that will be interesting  test.

I have come to a venturous conclusion that some devices mostly Printers and IP phones if they do not find ISE they blocked and cannot talk with anything else, as a result they continuously reboot. In contrast PCs/ workstations if failed they can Login despite the failed messages that will apearead on your ISE console.

Probably our cases have many similarities and are quiet difficult to analyzed, even from the experts  :)

 

regards

T.C

yeh MAB works fine. I did not test MD5, for 8021x and MD5 the phone presents default user ALCIPT and i assume default password is "password" ???

 

The issue is since most phones are being deployed its hard to disable 8021x or activate MD5 on per phone basis, at the same time 8021x cannot be disable globally from the PBX manager. Therefore I'm trying with the default Alkatel certs.

if you goto the Alktel business portal, there are links to download the enterprise and Intermediate and and manufacturing certs but   "Wired Phones" Intermediate cert is missing  from the link :(

Regs

G

Hi,

I have the same issue. Did you have become it funktional with 802.1x an did you have become the right certificate for "Wired Phones"?

Regs and thanks for a reply

 

Marc

Hi Marc

 

Yes, we got it working. The certificates from the Alkatel business portal doesn't work as these are not the correct CA's signed the certificate of the phone. You have to obtain the correct CA "Wired Phones" from your Alkatel local vendor. You can also verify the CA by accessing the phone setup menu or by looking at the initial TLS hand-shake using wire-shark.

Please note- by using the default Alkatel certs it will be a one way TLS (ie server authenticates client). We only tested with 4028,4038,4068 ip-touch phones.

Hope this helps

 

Kind regards

G

 

 

HI G,

thanks for your response. Now I have received the wired phone certificate.

Which configuration on ISE I must exclict make to auth the phone now via the  one way TLS?

Kind regards

Marc

 

 

Hi Marc

Great that you have the certs.

ISE doesn't know about one way tls. In this scenario (one way tls) ise only authenticates the client. First import the wired phone cert in-to ise cert store and trust for tls.(tick check box). Create a certificate authentication profile (CAP) (with subject name as the attribute) to be used as the identity store in authentication policy. Create a identity source sequence with local and the above CAP as identity stores. The local identity store is required as these phones will first authenticate via MAB during initial boot and once 802.1x process starts they will re-authenticate via CAP. Then create a authentication policy with the above identity source sequence. This has to be after the MAB rule. Then create appropriate authorization policy.example you can use custom profiling conditions (if alkatel profiles are not available in ise) to profile and authorize the phone or some other means.

 

Hope this helps

 

regards

G

 

 

Hi G,

so long time ago, but now I had implemeted the solution for the alcatel phones and it works good.

I would be say now thans for your help!

regards

Marc

Hi, sorry to revive this old thread, but I have the same problem.

 

Is there any chance you could share the "Wired Phones" certificate if you managed to get hold of it?