802.1x (dot1x) with IP Phone / Workstation using Multi-Domain Authentication (MDA)

Rodrigo Gurriti, Level 3

Scenario:

Workstation (behind the phone)

IP Phone 7911 software 8.5(2)

ACS 4.1 with AD on the same server

Cisco Switch WS-C3750E-24PD with c3750e-universalk9-mz.122-53.SE1.bin

Guide utilized:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

To accomplish:

Computer and IP phone authentication with 802.1x: the phone using EAP-MD5 and the workstation using PEAP-MSCHAPv2.

Tried and Worked:

Workstation using EAP-MD5 (with an ACS username) and using PEAP (with an AD username); it also gained access to the correct VLAN, depending on the username.

The ACS log for the failed authentication:

Message-Type: Authen failed
User-Name: CP-7911G-SEP00254594D6BA
Group-Name: VOZ
Caller-ID: 00-25-45-94-D6-BA
Network Access Profile Name: (Default)
Authen-Failure-Code: EAP type not configured

The switch's config:

aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.32.250.250 auth-port 1645 acct-port 1646 key 7 095F4B07110445425B54

interface GigabitEthernet1/0/3
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 200
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 mls qos trust device cisco-phone
 mls qos vlan-based
 dot1x pae both
 dot1x timeout quiet-period 20
 dot1x timeout server-timeout 100
 dot1x timeout tx-period 100
 storm-control broadcast level 15.00
 storm-control multicast level 10.00
 spanning-tree portfast
 spanning-tree guard root

ACS Configuration Resume:

Configured the AAA

2 groups, voice and data, each with its respective VLAN and configuration parameters on the ACS (Attribute-Value (AV) pairs)

Added the user name and password for IP phones

Mapped the AD to the Data group

Issued a certificate and installed in the workstation

Configured the Global Authentication Setup, where I checked the PEAP and EAP-MD5 boxes

So, like I said, it authenticates only the workstation without the IP phone. When I add the IP phone, it does not authenticate either of them.

Can anyone shed some light?

1 Accepted Solution

Accepted Solutions

Support Team, Level 1

Hello

First, you can try another software release for the phone (for example 8.4.2S). I have a similar issue with 8.5 software and 7945/7965 phones. Secondly, you need to configure AV-pair attributes on the ACS side for correct placement of the phone into the voice VLAN.

Regards

Stanislav
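The AV-pair point in this reply, shown as an added example that is not from the thread, from Cisco, or from ACS: a small Python script that encodes the RADIUS Access-Accept a server such as ACS must return for the two MDA domains on the switch, and then decodes it the way the switch reads it. The attribute numbers are from RFC 2865 and RFC 2868 and the Cisco VSA (vendor 9, sub-attribute 1, cisco-av-pair); the shared secret, request authenticator, packet identifier and VLAN numbers are constructed values for the demonstration.

```python
"""RADIUS Access-Accept attributes for 802.1X Multi-Domain Authentication (MDA).

Added example, not code from the thread or from ACS. Builds the authorization
a RADIUS server must return per domain and decodes it as a switch would:
  voice domain: VLAN tunnel attributes + cisco-av-pair "device-traffic-class=voice"
  data domain:  VLAN tunnel attributes only
Secret, request authenticator, identifier and VLAN IDs below are constructed.
"""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64                 # RFC 2868
ATTR_TUNNEL_MEDIUM_TYPE = 65          # RFC 2868
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81     # RFC 2868, carries the VLAN id as a string
VENDOR_CISCO = 9
CISCO_AVPAIR = 1                      # Cisco VSA sub-attribute "cisco-av-pair"
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def attr(type_, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value (length includes header)."""
    return struct.pack("!BB", type_, 2 + len(value)) + value


def tagged_int(type_, value, tag=0):
    """RFC 2868 tagged integer: 1-byte tag (0 = untagged) followed by a 3-byte value."""
    return attr(type_, struct.pack("!B", tag) + value.to_bytes(3, "big"))


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping vendor id 9 and sub-attribute 1 (cisco-av-pair)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def vlan_attrs(vlan_id):
    """The three tunnel attributes a Cisco switch needs to assign a VLAN."""
    return (tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))


def voice_domain_attrs(voice_vlan):
    """What the phone's group must return: the VLAN plus the voice-domain marker."""
    return vlan_attrs(voice_vlan) + cisco_avpair("device-traffic-class=voice")


def data_domain_attrs(data_vlan):
    """What the workstation's group returns: the VLAN only."""
    return vlan_attrs(data_vlan)


def access_accept(identifier, request_authenticator, secret, attributes):
    """Full packet; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_access_accept(packet, request_authenticator, secret):
    """Client-side check of the Response Authenticator (RFC 2865 section 3)."""
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return resp_auth == expected


def decode_attrs(attributes):
    """Parse the attribute TLVs into a dict, roughly as the switch reads them."""
    out = {}
    i = 0
    while i < len(attributes):
        t, l = attributes[i], attributes[i + 1]
        v = attributes[i + 2:i + l]
        if t in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            out[t] = int.from_bytes(v[1:], "big")          # skip the tag byte
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            out[t] = v.decode()
        elif t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == VENDOR_CISCO:
            sub_len = v[5]                                  # v[4] = sub-type, v[5] = sub-length
            out.setdefault("cisco-av-pair", []).append(v[6:6 + sub_len - 2].decode())
        i += l
    return out


def mda_domain(decoded):
    """MDA puts a host in the voice domain only when the voice AV-pair is present."""
    if "device-traffic-class=voice" in decoded.get("cisco-av-pair", []):
        return "voice"
    return "data"


if __name__ == "__main__":
    secret = b"constructed-secret"                           # constructed value
    req_auth = bytes(range(16))                              # constructed request authenticator
    pkt = access_accept(7, req_auth, secret, voice_domain_attrs(200))
    decoded = decode_attrs(pkt[20:])
    print(mda_domain(decoded), "vlan", decoded[ATTR_TUNNEL_PRIVATE_GROUP_ID],
          "authenticator ok:", verify_access_accept(pkt, req_auth, secret))
```

The point to take from the decoder: the tunnel attributes alone never select the voice domain. A phone whose ACS group returns only the VLAN is authorized as a data host, and because MDA allows one host per domain, a phone landing in the data domain while a PC is on the same port violates that limit. The `device-traffic-class=voice` AV-pair is therefore the part of the group configuration to check first when the phone fails but the PC alone succeeds.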


2 Replies


Thanks man! There is a bug that affects dot1x on phones... the bad thing is that I can't downgrade my phones because of other bugs, and my CallManager doesn't take a newer version.

Take a look at this bug

CSCsz59661

PS. I had the AV-pair for the phones... I found out about this bug a week ago, and I tried out one phone with an 8.4 release and it worked just fine.