Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3165
Views
5
Helpful
5
Replies

C2960 IP phone and 802.1x enable

Go to solution
vanness629
Level 1
Level 1

‎03-02-2020 02:22 AM

Dear All,

 

I would like to know if there any way to implement 802.1x authentication for the VOIP Phone and PC at the same time?

 

My current infrastructure is, 

 

Avaya Phone: 1603 and 1608,

I have voice VLAN for the phone and Prod VLAN for the pc.

radius-server: windows server 2012 with NSP services.

 

My target is the phone can ignore the authentication and direct obtain IP from the pbx server and All the pc must through 802.1x to authentication.

 

I 'm successful in authentication for our pc, but the phone only works when I connect my pc to the phone, it means the port authentication pass-through to my pc.

 

my port current setting as below:


switchport mode access
switchport voice vlan 100
authentication event no-response action authorize vlan 99
authentication host-mode multi-domain
authentication port-control auto
authentication violation replace
mls qos trust dscp
dot1x pae authenticator
spanning-tree portfast edge

 

I read a lot of document, but it seems only work when the radius-server or phone is Cisco.

 

I hope I can get some help on this topic.

 

thank you in advance.

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to vanness629

‎03-05-2020 01:47 AM

Hi,

 

     The GPO could be changed just for a specific group of users, in order to allow that, and you can add an additional GPO to restrict any access for those users, except for MAB purposes, and also create shadow groups, so that in case someone moves the user from a specific OU/place in the AD schema to somewhere else, the GPO's will follow along; so basically there is no way those users could pose a security issue to your infrastructure.

    See if the attached document helps you, ignore the ISE/ACS steps, but read the document and use only what you need.

 

Let me know how it went.

 

Regards,

Cristian Matei.

View solution in original post

Preview file
1064 KB
0 Helpful
5 Replies 5

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎03-03-2020 12:26 PM

Hi,

 

    1. Do the phones support 802.1x? If yes configure your NPS policy for the phones to get authenticated via 802.1x; you must configure network authorization on the switch towards the NPS server, and configure your NPS policy (for the phones only) to return in the Access-Accept RADIUS message the "device-traffic-class=voice" attribute, which you find in the "Vendor Specific---> Cisco --> Cisco-AV-Pair" section

   2. If phones do not support 802.1x or you don't want to use it, you need to enable MAB on the port, configure a policy on your NPS server for MAB; ou must configure network authorization on the switch towards the NPS server, and configure your NPS policy (for the phones only) to return in the Access-Accept RADIUS message the "device-traffic-class=voice" attribute, which you find in the "Vendor Specific---> Cisco --> Cisco-AV-Pair" section

 

Regards,

Cristian Matei.

Go to solution
vanness629
Level 1
Level 1
In response to Cristian Matei

‎03-04-2020 11:04 PM

many thanks for your reply,

 

I would like to go on method 2, I have successful to enable phone and PC.

 

but the issue is, I need to create an AD account on the windows server by the phone mac address for authentication. (password should same as the username, it means mac-address)

 

our security team didn't allow our environment to have the account like this,(Cannot change password, password same as username) 

 

any method can improve in this case?

once again, thank you for your help.

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to vanness629

‎03-05-2020 01:47 AM

Hi,

 

     The GPO could be changed just for a specific group of users, in order to allow that, and you can add an additional GPO to restrict any access for those users, except for MAB purposes, and also create shadow groups, so that in case someone moves the user from a specific OU/place in the AD schema to somewhere else, the GPO's will follow along; so basically there is no way those users could pose a security issue to your infrastructure.

    See if the attached document helps you, ignore the ISE/ACS steps, but read the document and use only what you need.

 

Let me know how it went.

 

Regards,

Cristian Matei.

Preview file
1064 KB
0 Helpful

Go to solution
vanness629
Level 1
Level 1
In response to Cristian Matei

‎03-11-2020 02:01 AM

Hi Cristian,

 

I 'm still speaking to our security team and I think it will ok with this solution.

 

But I want to know about our environment, is that possible to use the mab without password?

 

I 'm reading this document to set up our environment, but it looks like we cannot avoid creating the account on the radius server?

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960xr/software/15-2_5_e/configuration_guide/b_1525e_consolidated_2960xr_cg/mac_authentication_bypass.pdf

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to vanness629

‎03-11-2020 04:26 AM

Hi,

 

    It's up to the security team to decide if:

           - you want the MAB process to be "authenticated", which means create users/passwords matching the MAC address of each device (you would also need to change the AD policies, for this to be allowed, and make sure these users cannot be used for logging, so someone cannot take the MAC address of a PHONE and login with those on a computer)

           - you want the MAB process to be "unauthenticated", which means you create a policy in NPS where for the MAC addresses of the phones and you configure to "accept users without validating credentials"

 

The second one may seem "insecure", but if you look at the bigger picture, on both options, someone could jus take the MAC address of one of your phones, connect itself on the network with his computer, change the MAC address to match the one of the PHONE, and boom, he's in the network, with the authorization received from NPS (whatever the PHONE was allowed to access, the user is allowed to access as well. MAB is inherently weak, poses many challenges, and to have a chance to catch such attacks and respond quick enough, you need some smarter applications in your network: ISE for profiling and Anomalous EndPoint Detection, as well as a sort of SIEM which can detect anomalies in user traffic, signal that to ISE which can change the authorization of the end user, like quarantine.

 

Ensure to push ACL's to restrict what users/phones can do on the network, this way you raise the security bar a bit.

Here are some guides on how to work with NPS for both options presented above:

 

https://routemypacket.com/2017/12/31/nps-settings-for-mac-authentication-bypass-mab-using-802-1x/

https://dethadoesit.wordpress.com/2017/04/04/windows-2008-r2-radius-server-configuration-part-2/

https://mikepembo.wordpress.com/2016/11/14/802-1x-mac-authentication-bypass-mab-to-an-nps-server/

 

Regards,

Cristian Matei.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card