Mitel phone 802.1x with Cat 3560 and Cisco ACS5.2 problem

Nicholas Poole
Level 1

I am piloting an 802.1x implementation for a client who has Mitel IP Phones.  I have set up the switch and ACS based on previous experience and a Windows PC can authenticate onto the network OK.  When I use a Mitel phone however, it seems to skip past the first 802.1x LCD message and goes straight to LLDP and DHCP discovery, which obviously fails.  The phones are 5224s and the controller is on the original v10 release.  I have cleared the 802.1x config on the phone and rebooted as per Mitel documentation, which leads me to believe it should then prompt for a user/pass on next reboot.  It does not do this.

I know the ACS is set up to support EAP-MD5 and I have tried all the various types of host modes including the default, Multi-Auth and Multi-Domain, and none of them seem to make any difference.  I have tried with and without a PC attached to the phone as well.

A Wireshark capture shows the EAP identity request from the switch, and I see an EAP response from the phone, although it is slightly different to the PC's response.  In the end the phone issues an EAP 4 failure message.  So something in that EAP conversation doesn't seem to work.  Does anybody have any experience of this?

1 Reply

Nicholas Poole
Level 1

A Wireshark capture shows a difference in the EAP request message from a Cisco Cat 3560 (12.2.55) to the Mitel, compared to an HP ProCurve to the Mitel, which the Mitel responds to:

Cisco EAP Request trace:

Frame 17 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Cisco_99:06:84 (00:1e:49:99:06:84), Dst: Mitel_2c:ad:3b (08:00:0f:2c:ad:3b)
    Destination: Mitel_2c:ad:3b (08:00:0f:2c:ad:3b)
    Source: Cisco_99:06:84 (00:1e:49:99:06:84)
    Type: 802.1X Authentication (0x888e)
    Trailer: 000000000000000000000000000000000000000000000000...
802.1X Authentication
    Version: 3
    Type: EAP Packet (0)
    Length: 5
    Extensible Authentication Protocol
        Code: Request (1)
        Id: 1
        Length: 5
        Type: Identity [RFC3748] (1)

HP EAP Request trace:

Frame 36 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Procurve_03:b7:40 (00:1b:3f:03:b7:40), Dst: Mitel_42:f5:21 (08:00:0f:42:f5:21)
    Destination: Mitel_42:f5:21 (08:00:0f:42:f5:21)
    Source: Procurve_03:b7:40 (00:1b:3f:03:b7:40)
    Type: 802.1X Authentication (0x888e)
    Trailer: 000000000000000000000000000000000000000000000000...
802.1X Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 15
    Extensible Authentication Protocol
        Code: Request (1)
        Id: 1
        Length: 15
        Type: Identity [RFC3748] (1)
        Identity (10 bytes): User name:

The HP seems to be requesting a user name as a string in the Identity field, which the Mitel phone then responds to with an EAP Response packet with an identity of MITEL.

The other difference seems to be that a Version code of 3 is being used by the Catalyst but Version 1 by the HP and Mitel phone.

Any ideas anyone?
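To make the comparison between the two traces reproducible, here is an added decoder (example code, not from the poster or from Cisco, HP or Mitel) that parses the Ethernet, EAPOL and EAP headers of an Identity Request and reports the fields that differ. The two frames are constructed byte strings built from the values quoted in the traces above (Ethernet padding omitted); the field layout follows IEEE 802.1X and RFC 3748, where an EAPOL version of 3 corresponds to 802.1X-2010 and 1 to 802.1X-2001, and the optional text after the EAP Type octet is a display prompt the supplicant may ignore.

```python
import struct

# Constructed frames reproducing the two quoted EAP Identity Requests.
CISCO_FRAME = (
    bytes.fromhex("08000f2cad3b") + bytes.fromhex("001e49990684") + b"\x88\x8e"
    + b"\x03\x00\x00\x05"                       # EAPOL: version 3, EAP Packet, len 5
    + b"\x01\x01\x00\x05\x01"                   # EAP: Request, id 1, len 5, Identity
)
HP_FRAME = (
    bytes.fromhex("08000f42f521") + bytes.fromhex("001b3f03b740") + b"\x88\x8e"
    + b"\x01\x00\x00\x0f"                       # EAPOL: version 1, EAP Packet, len 15
    + b"\x01\x01\x00\x0f\x01" + b"User name:"   # EAP Identity Request with prompt
)

def parse_eap_identity_request(frame: bytes) -> dict:
    """Decode Ethernet + EAPOL + EAP headers of an Identity Request.
    Raises ValueError on anything that is not a well-formed Identity Request."""
    if len(frame) < 14 + 4 + 5:
        raise ValueError("frame too short for EAPOL + EAP Identity Request")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x888E:
        raise ValueError(f"not EAPOL, ethertype 0x{ethertype:04x}")
    eapol_ver, eapol_type, eapol_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type != 0:
        raise ValueError(f"EAPOL packet type {eapol_type} is not an EAP Packet")
    eap = frame[18:18 + eapol_len]
    if len(eap) != eapol_len:
        raise ValueError("EAPOL length runs past end of frame")
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if eap_len != eapol_len:
        raise ValueError("EAP length disagrees with EAPOL body length")
    if code != 1 or eap_type != 1:
        raise ValueError("not an EAP Identity Request (Code 1, Type 1)")
    # RFC 3748 s5.1: bytes after the Type octet are an optional prompt string.
    return {
        "eapol_version": eapol_ver,
        "eap_id": eap_id,
        "eap_length": eap_len,
        "prompt": eap[5:].decode("ascii", errors="replace"),
    }

def diff_requests(a: bytes, b: bytes) -> dict:
    """Return only the parsed fields whose values differ between two frames."""
    pa, pb = parse_eap_identity_request(a), parse_eap_identity_request(b)
    return {k: (pa[k], pb[k]) for k in pa if pa[k] != pb[k]}

if __name__ == "__main__":
    print("Cisco:", parse_eap_identity_request(CISCO_FRAME))
    print("HP:   ", parse_eap_identity_request(HP_FRAME))
    print("differences:", diff_requests(CISCO_FRAME, HP_FRAME))
```

Feeding raw EAPOL frames exported from a capture through the same parser shows whether the version byte and the Identity prompt are the only differences on a given port, which narrows the question to supplicant behaviour rather than switch or ACS policy.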