02-21-2008 06:22 PM - edited 03-05-2019 09:18 PM
I am trying to get a Nortel phone to authenticate using 802.1x and MDA. The phone will authenticate fine when using multi-host mode. When I change to MDA, the phone says "EAP Not Authenticated"; however, the ACS server sees a passed authentication, and in the output of the dot1x switchport interface detail command I see the Voice domain authenticated and spanning-tree forwarding for the Voice VLAN on that port. The phone gets to the DHCP request and stops there. It appears that it falls back to the guest VLAN and gets an IP address from there. I have the required Cisco attribute configured in ACS. Has anyone else experienced this problem or have any ideas what could be wrong?
04-17-2008 09:12 PM
Hi Brooke,
I have an LG-Nortel IP phone connected to a switchport with the following config:
!
interface GigabitEthernet0/5
switchport access vlan 70
switchport mode access
switchport voice vlan 71
no snmp trap link-status
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x timeout tx-period 5
dot1x max-reauth-req 1
dot1x guest-vlan 999
spanning-tree portfast
!
The switch is Catalyst 3560, IOS version 12.2(25)SEE1. Outputs of "sh dot1x interface g0/5 details" as follows:
Switch#sh dot1x interface g0/5 details
Dot1x Info for GigabitEthernet0/5
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 5
RateLimitPeriod = 0
Guest-Vlan = 999
Dot1x Authenticator Client List Empty
Port Status = AUTHORIZED
Authorized By = Guest-Vlan
Vlan Policy = 999
Somehow, the phone manages to obtain an IP address from DHCP on voice VLAN 71 and becomes operational. However, the PC connected to the phone could not obtain an IP address from DHCP. Only VLANs 71 and 999 are in STP forwarding state on this port.
If I connect the PC directly to the switchport, it passes the authentication and becomes operational on VLAN 70. See outputs below:
hps07354#sh dot1x int g0/5 det
Dot1x Info for GigabitEthernet0/5
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 5
RateLimitPeriod = 0
Guest-Vlan = 999
Dot1x Authenticator Client List
-------------------------------
Supplicant = 001e.3782.3378
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = N/A
Did you manage to make things work in a similar scenario? Do I have to configure MDA to make it work?
Please advise.
Thank you.
B.Rgds,
Lim TS
04-24-2008 12:05 AM
Hi Brooke,
I refer to the following URL for MDA configuration:
The config looks pretty simple. However I do not know how to configure the ACS to support MDA. Can you please point me to a configuration guide?
Thank you.
B.Rgds,
Lim TS
04-24-2008 02:49 AM
Hi Lim,
Check out this link, it is very useful in setting up switch and ACS server.
Also, the final config that I used is:
interface FastEthernet0/41
power inline consumption 10000
switchport mode access
switchport voice vlan 704
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x timeout quiet-period 2
dot1x timeout tx-period 5
dot1x critical
dot1x critical recovery action reinitialize
dot1x guest-vlan 122
dot1x auth-fail vlan 122
dot1x auth-fail max-attempts 2
spanning-tree portfast
Keep in mind that my scenario was a little different in that we wanted the phone to authenticate but not the PC plugged into the phone OR a PC plugged directly into the switchport. We used the Guest VLAN as the Data VLAN.
HTH
Brooke
04-24-2008 09:42 PM
Hi Brooke,
Thanks for the link. It's informative. However it illustrates using Cisco IP phone with 802.1x supplicant enabled on the phone.
My scenario is, a Nortel IP phone connects to the switchport and a PC is plugged into the phone.
I'm not sure if the Nortel phone has 802.1x supplicant. However my customer wants a very simple rollout. They don't expect us to go to every phone to configure 802.1x.
I think MDA is the solution for me here. For the voice domain, I'm thinking of configuring MAC authentication bypass (MAB). What do you think? Can you point me to any config guide that shows how to configure MAB, especially on the ACS?
Thank you.
B.Rgds,
Lim TS
04-29-2008 02:41 AM
The Nortel phone will support 802.1x after a certain version of Nortel code. (I am not a Nortel engineer, but that is what I used) You do have to manually input the userid/password in every phone. Here is another document that I used for 802.1x. http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_44_se/configuration/guide/sw8021x.html
As far as the ACS is concerned for MAB, use the link in the previous post. Ignore the fact that it is a Nortel phone; the ACS config is the same. You will need to set up a USER in ACS for each phone MAC address you want authenticated. Point all USERS to a GROUP that has the Cisco RADIUS Vendor attribute.
Regards,
Brooke
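Editor's note, added to this thread and not from either poster's switch: the configuration below puts Lim's proposed approach (MDA with MAB for the voice domain, 802.1X for the data domain) side by side with the multi-host port he posted, so the security difference is visible. It reuses VLANs 70/71/999 from Lim's config; the RADIUS server address, shared secret and interface numbers are placeholders, and it assumes the legacy `dot1x` command syntax of the 12.2 SE train. Multi-domain host mode is not available in the 12.2(25)SEE1 shown above, so the switch would need a later release that supports MDA first.

```ios
! Added example, not from the original posts. Global AAA/RADIUS for 802.1X and MAB.
! 192.0.2.10 and the key are placeholders; use your ACS address and shared secret.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key CHANGEME
!
! Weak setting (the mode posted above): multi-host. A single passed
! authentication, or the guest-VLAN fallback, authorizes the whole port,
! so any device behind the phone rides on it without authenticating.
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 70
 switchport voice vlan 71
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x guest-vlan 999
!
! Corrected setting: multi-domain (MDA) with MAC authentication bypass.
! The phone MAC is authenticated by MAB as its own voice-domain session;
! the PC behind it is authenticated by 802.1X as the data-domain session,
! and only the data domain can fall back to guest VLAN 999.
interface GigabitEthernet0/6
 switchport mode access
 switchport access vlan 70
 switchport voice vlan 71
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x mac-auth-bypass
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
 dot1x guest-vlan 999
 spanning-tree portfast
```

On the ACS side this assumes what Brooke describes: one user per phone whose username and password are the MAC address as the switch sends it for MAB (twelve lowercase hex digits, no separators, e.g. 001e37823378 for the supplicant shown earlier in the thread), placed in a group whose Cisco IOS/PIX RADIUS attribute cisco-av-pair is `device-traffic-class=voice`. Without that attribute the MAB-authenticated MAC is placed in the data domain, and the phone never reaches the voice VLAN. The check is `show dot1x interface GigabitEthernet0/6 details`: the voice-domain entry should read "Authorized By = Authentication Server", not "Authorized By = Guest-Vlan" as in the multi-host output above.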