05-06-2013 10:59 AM - edited 03-07-2019 01:12 PM
I've seen other discussions on 802.1x MAB, however most of the ones I saw were from a couple of years ago and IOS has changed since then, so I figured I might as well ask again.
We are moving to 802.1x in our infrastructure. We currently run Cisco 2960S switches throughout our organization. After initial testing, the authentication is working great with our Microsoft 2008 R2 NPS server. The laptops/desktops authenticate, then the switch gets the VLAN that they are supposed to be a part of and they get an IP address.
We also use Cisco IP phones (8945) throughout our organization as well. I know the phones can do 802.1x EAP, but we don't want to have to add the phones into the NPS as users (our rough count is about 6100 phones). Ideally we would just like for them to authenticate with MAB and get the voice VLAN. We have another switch vendor (Extreme Networks) in our organization too. With those we can authenticate with the MAC OUI right off of the switch. I'm having a hard time finding out if it's possible to do that with our Ciscos. I see how it always says you can do it with a RADIUS, but we would like the MAC auth bypass to work right off of the switches by authenticating with the MAC OUI when the 802.1x times out. We are running IOS 15.0(1)SE2 on our Ciscos.
If it is possible, how would we go about adding the MACs into the switch?
Thanks in advance for the help/suggestions.
05-06-2013 07:44 PM
Hi Blake,
Just to be clear, you want MAB enabled for your 2960s?
Do note that adding MACs or creating the MAC database is done on the RADIUS/ACS or a third-party server and NOT on the switch (authenticator) itself.
05-07-2013 08:02 AM
Hi John,
Thanks for the quick reply. I figured I wouldn't be able to get the MACs on the Cisco switch like I do on Extreme. After looking into auto-provisioning of ports on a switch, I took a look into Smartports. It looks like I should be able to set up a MAC address group, put in the MAC OUI and then set it to a macro to run. This will work great with our printers, UPSs, time clocks and geothermal devices.
However, I tried it with two of our phones, an 8945 and a 6945. The 8945 works great because the switch sees the CDP traffic and knows that it's a phone. The 6945 Cisco phone isn't recognized on the switch with CDP. We are getting this error on the switch:
May 7 14:23:36.278: %AUTOSMARTPORT-5-INSERT: Device Un-Classified Device detected on interface GigabitEthernet1/0/21, executed CISCO_LAST_RESORT_EVENT
'show cdp neighbors' gives me the following:
SEPc46413010f02 Gig 1/0/21 154 H P M IP Phone Port 1
SEP70810585B8A6 Gig 1/0/6 167 H P M IP Phone Port 1
Any ideas why this might be?
********************* EDIT
Went back to do some testing and saw that if you have dot1x authentication on a port along with auto macros enabled, dot1x tries to authenticate to the RADIUS server, however the phone isn't set up for EAP. Once it times out, the switch stops processing and doesn't try to run a macro from CDP. Is this how the switch should be processing, or do I have something set up wrong?
Thanks Again!
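As an added illustration of the dot1x-to-MAB fallback being discussed (not configuration from any poster in this thread), this is a 2960 port configuration where 802.1x is tried first and MAB is used as the next method after the EAP timeout, with the phone placed in the voice domain by the RADIUS server rather than by a MAC list on the switch. Interface, VLAN numbers, timers and the RADIUS server address are assumed values.

```cisco
! Global AAA setup: the switch is only the authenticator; the MAC database
! for MAB lives on the RADIUS/NPS server (constructed address below).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key RADIUS_SHARED_SECRET_PLACEHOLDER
dot1x system-auth-control

! Example access port with a data PC behind an IP phone.
interface GigabitEthernet1/0/21
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! multi-domain: one data host plus one voice device on the same port
 authentication host-mode multi-domain
 ! Try 802.1x first; if the supplicant never answers, move on to MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! EAP timeout before MAB starts = (max-reauth-req + 1) * tx-period = 15 s,
 ! instead of the 30 s * 3 default that keeps a non-EAP phone waiting.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
```

For the phone to land in the voice VLAN, the RADIUS MAB policy must return the Cisco AV pair `device-traffic-class=voice`; without it the MAB session is authorized into the data domain and the phone will not get VLAN 20.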
04-21-2014 11:41 AM
Another way to authenticate the Cisco phones is by the certificate. Essentially you would be authenticating every Cisco phone (in the world) by the built-in certificate using EAP-TLS.