MAB/802.1x and Alcatel IP Phones

Gaj Ana
Level 1

Hi All

 

We have a distributed deployment where Alcatel IP Touch phones are authenticated via MAB. Alcatel IP Touch phones have 802.1x enabled by default, so the phone tries EAPOL first and then the switch authenticates via MAB, which is fine. Once authenticated it works as expected. The issue is that the phone keeps periodically retrying 802.1x after x amount of minutes, which triggers the phone to reboot again and go through the whole process. This interrupts the voice. We could disable 802.1x, but it's on a per-phone basis. Has anyone come across this issue and found a way to disable it globally via the call manager etc., or any workaround from the ISE/switch side?

 

Thanks

G


21 Replies

Tarik Admani
VIP Alumni

I have run into this issue before; there is a command on the switch port so that, if authentication fails, it uses the next method. Can you post the output of your port settings and the version and type of switch you are using?

Thanks

Tarik

Hi Tarik,

 

Thanks for the reply, please find below the switch port config lines. It's a 370x switch, IP Base and Universal on the 15.2-1.E1 image.

Note: since 802.1x is enabled by default, the phone initially tries 802.1x and, after failing, the switch goes to the next auth method, which is MAB, and that is successful. The issue is that the phone again initiates an 802.1x packet after some time and the whole process starts again, and because 802.1x fails the phone reboots again. I think this is the way this type of phone works and we cannot do much unless we disable 802.1x or install the Alcatel CA certs in the ISE cert store?

interface gi x/y
 switchport access vlan xx
 switchport mode access
 switchport voice vlan yy
 ip access-group ACL_ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan xx
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

I have a couple of questions regarding the behavior of the phone.

In most cases endpoints will not prompt re-authentication (computing devices are an exception), unless a timer on the switchport or a link event prompts re-authentication, which you can start looking at by running "show authentication sessions interface xxx details".

If the phones are performing EAP-TLS, then your best option would be to use that feature as opposed to relying strictly on profiling.

thanks,

Hi Tarik,

The dot1x debugs on the switch showed that after a certain time the switch receives a reauth packet "Apr  8 04:40:24.194: dot1x-packet:[xxxx.yyyy.zzzz, Gi1/0/1] queuing an EAPOL pkt on Auth Q" from the endpoint and the whole process starts again. The endpoint reboots itself once it sees an 802.1x failure. "show auth sess int x/y details" shows MAB as the successful auth method until the re-request for 802.1x comes from the endpoint.

Regarding the timers, as mentioned in the switch port config above, the port relies on the RADIUS server (i.e. ISE) for the reauth timer ("authentication timer reauthenticate server"), and I assume this will be the session time from when the device initially connects.

 

Regs

G
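One way to confirm the pattern G describes (a MAB-authorized phone periodically re-sending EAPOL) from `debug dot1x packet` output, as an added example that is not from this thread: it groups the quoted "queuing an EAPOL pkt on Auth Q" lines per endpoint into 802.1X attempts and reports endpoints that restart at a near-constant interval. The MACs, timestamps and the unrelated event line are constructed; the debug format is assumed to match the single line quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime
# Same shape as the debug line quoted in the thread (its MAC/interface were placeholders).
EAPOL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\.\d{3}: "
    r"dot1x-packet:\[(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}), (?P<intf>\S+)\] "
    r"queuing an EAPOL pkt on Auth Q$")

def parse_ts(ts):
    # IOS timestamps carry no year; pin one so February dates still parse.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")

def eapol_attempts(lines, same_attempt_gap=30):
    """Per (MAC, interface), return the start time of each 802.1X attempt. Frames closer
    than same_attempt_gap seconds belong to one exchange; a longer gap is a restart."""
    events = defaultdict(list)
    for line in lines:
        m = EAPOL_RE.match(line)
        if m:
            events[(m["mac"], m["intf"])].append(parse_ts(m["ts"]))
    attempts = {}
    for key, stamps in events.items():
        stamps.sort()
        starts = [stamps[0]]
        for prev, cur in zip(stamps, stamps[1:]):
            if (cur - prev).total_seconds() > same_attempt_gap:
                starts.append(cur)
        attempts[key] = starts
    return attempts

def periodic_restarters(lines, min_attempts=3, jitter=0.1):
    """{(mac, intf): period_s} for endpoints whose attempts recur at a near-constant
    interval: the supplicant retry-timer behaviour the thread describes."""
    result = {}
    for key, starts in eapol_attempts(lines).items():
        if len(starts) < min_attempts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= jitter * mean for g in gaps):
            result[key] = round(mean)
    return result

# Constructed sample: a phone restarting every 10 min, a PC seen once, one unrelated line.
SAMPLE = """\
Apr  8 04:40:24.194: dot1x-packet:[0011.2233.4455, Gi1/0/1] queuing an EAPOL pkt on Auth Q
Apr  8 04:40:24.402: dot1x-packet:[0011.2233.4455, Gi1/0/1] queuing an EAPOL pkt on Auth Q
Apr  8 04:41:03.010: dot1x-packet:[aabb.ccdd.eeff, Gi1/0/2] queuing an EAPOL pkt on Auth Q
Apr  8 04:50:24.207: dot1x-packet:[0011.2233.4455, Gi1/0/1] queuing an EAPOL pkt on Auth Q
Apr  8 04:50:25.001: dot1x-ev:[Gi1/0/1] constructed unrelated event line
Apr  8 05:00:24.188: dot1x-packet:[0011.2233.4455, Gi1/0/1] queuing an EAPOL pkt on Auth Q
""".splitlines()
```

Running `periodic_restarters(SAMPLE)` reports the phone on Gi1/0/1 with a 600-second period while the PC, seen only once, is not flagged.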
 

christoulakis
Level 1

 

Hi,

 

May I ask what Alcatel model you have, because I'm facing a similar problem with them; you can see my posts on the forum.

 

regards

 

Hi

These are IP Touch 4068 and 4028 phones. I tried testing with the Alcatel Enterprise root CA and manufacturing certs installed in the ISE cert store, but an "unknown CA" error still showed up. Further, a Wireshark capture of dot1x showed in the "client hello" that the certs presented by the phones are signed by an issuer "Wired Phones". Trying to get this and test it again.

 

Regs

G

christoulakis
Level 1

 

From my understanding the phone works fine via MAB, and the problem appears with dot1x, right?

Have you tried testing, apart from EAP-TLS, with the next and only available option, EAP-MD5, to see if you face a similar behavior? That would be an interesting test.

I have come to a venturous conclusion that some devices, mostly printers and IP phones, if they do not find ISE, get blocked and cannot talk with anything else, and as a result they continuously reboot. In contrast, PCs/workstations, if they fail, can still log in despite the failed messages that will appear on your ISE console.

Probably our cases have many similarities and are quite difficult to analyze, even for the experts :)

 

regards

T.C

Yeah, MAB works fine. I did not test MD5; for 802.1x with MD5 the phone presents the default user ALCIPT, and I assume the default password is "password"???

 

The issue is that, since most phones are already deployed, it's hard to disable 802.1x or activate MD5 on a per-phone basis, and at the same time 802.1x cannot be disabled globally from the PBX manager. Therefore I'm trying with the default Alcatel certs.

If you go to the Alcatel business portal, there are links to download the enterprise, intermediate and manufacturing certs, but the "Wired Phones" intermediate cert is missing from the link :(

Regs

G

Hi,

I have the same issue. Did you get it working with 802.1x, and did you get the right certificate for "Wired Phones"?

Regs and thanks for a reply

 

Marc

Hi Marc

 

Yes, we got it working. The certificates from the Alcatel business portal don't work, as these are not the correct CAs that signed the certificate of the phone. You have to obtain the correct CA, "Wired Phones", from your local Alcatel vendor. You can also verify the CA by accessing the phone setup menu or by looking at the initial TLS handshake using Wireshark.

Please note: by using the default Alcatel certs it will be a one-way TLS (i.e. the server authenticates the client). We only tested with 4028, 4038 and 4068 IP Touch phones.

Hope this helps

 

Kind regards

G

 

 

Hi G,

thanks for your response. Now I have received the Wired Phones certificate.

Which configuration must I explicitly make on ISE to authenticate the phone now via the one-way TLS?

Kind regards

Marc

 

 

Hi Marc

Great that you have the certs.

ISE doesn't know about one-way TLS. In this scenario (one-way TLS) ISE only authenticates the client. First import the Wired Phones cert into the ISE cert store and trust it for TLS (tick the check box). Create a certificate authentication profile (CAP) (with subject name as the attribute) to be used as the identity store in the authentication policy. Create an identity source sequence with local and the above CAP as identity stores. The local identity store is required as these phones will first authenticate via MAB during initial boot, and once the 802.1x process starts they will re-authenticate via the CAP. Then create an authentication policy with the above identity source sequence. This has to be after the MAB rule. Then create an appropriate authorization policy; for example, you can use custom profiling conditions (if Alcatel profiles are not available in ISE) to profile and authorize the phone, or some other means.

 

Hope this helps

 

regards

G

 

 

Hi G,

So long ago, but now I have implemented the solution for the Alcatel phones and it works well.

I would like to say thanks now for your help!

regards

Marc

Hi, sorry to revive this old thread, but I have the same problem.

 

Is there any chance you could share the "Wired Phones" certificate if you managed to get hold of it?