04-07-2010 07:53 AM - edited 03-06-2019 10:29 AM
Hi,
I set up a 3560 running 12.2(52)SE to use 802.1X with host-mode multi-domain to get an IP phone (CP 7962G v04) and a workstation together on the same port.
I read all the guides I found on cisco.com, e.g.
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml
The phone is MAB authenticated, the workstation PEAP.
Everything works fine if only the workstation is connected to the port.
If host-mode is not configured, the IP phone also operates as a single device on the port. It also works if I set the host-mode to multi-host.
Actually I have a problem getting both devices authenticated with multi-domain.
The switch logs that both devices authenticated properly, but the IP phone restarts the authentication every 60 sec; every time the phone passes but fails to get any connection.
Any ideas?
Thx
Sebastian
04-08-2010 11:02 AM
I found one mistake in an IAS extension configuration.
But every time the phone passes the authentication process, the domain is set to DATA,
e.g.
Interface: FastEthernet0/18
MAC Address: 0021.....
IP Address: Unknown
User-Name: 0021....
Status: Authz Success
Domain: DATA ( must be VOIP!!!!! )
Oper host mode: multi-domain
Oper control dir: in
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: 300s (local), Remaining: 117s
Common Session ID: 0A040552000011D5E666C4C5
Acct Session ID: 0x000012A8
Handle: 0x290001D5
CDP and LLDP are active on the IP phone.
04-12-2010 09:15 AM
A very simple solution.
I forgot "aaa authorization network default group radius".
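For reference, here is an added example (not configuration from the original post) of a complete MDA port and AAA configuration for a Catalyst 3560 on 12.2(52)SE that includes the missing line. The RADIUS server address, shared key, interface and VLAN numbers are assumed placeholders. The reason the missing command matters: for the phone to be placed in the VOICE domain, the RADIUS server must return the Cisco AV pair device-traffic-class=voice in the Access-Accept, and the switch only applies RADIUS-returned attributes when network authorization is enabled. Without it, the phone authenticates successfully but lands in the DATA domain, exactly as shown in the session output above.

```cisco
! Global AAA. "aaa authorization network" is the line missing in the post.
! Without it the switch ignores RADIUS-returned attributes (including the
! device-traffic-class=voice AV pair), so the phone is placed in the DATA domain.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! RADIUS server address and key are placeholders (assumed values).
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS_KEY_PLACEHOLDER
! Send vendor-specific attributes (needed for the cisco-av-pair) with authentication.
radius-server vsa send authentication
!
! Access port carrying one phone (voice domain) and one PC (data domain).
! Interface and VLAN numbers are assumed.
interface FastEthernet0/18
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order mab dot1x
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! On the RADIUS server, the MAB policy matching the phone must return:
!   cisco-av-pair = "device-traffic-class=voice"
! Verify the result with: show authentication sessions interface FastEthernet0/18
! The phone's session should then show "Domain: VOICE", the PC's "Domain: DATA".
```

The order and priority lines let the phone authenticate by MAB first while the PC still uses PEAP; they are optional for the fix itself, which is the authorization line alone.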
04-14-2010 03:07 AM
Congrats !!!
How many IP phones have you/the customer deployed in MDA mode?
I wonder how I can manage adding IP phones' MACs to RADIUS and setting up the EAP password on thousands of IP phones.
04-14-2010 03:26 AM
Hi,
I tested MAB with IP phones on MS IAS (no password). The phone authenticates with a computer account (AD).
EAP-MD5 is not practical to authenticate IP phones with MS IAS, because you must configure Active Directory for reversible passwords (LM hash); this is highly insecure.
It is also possible to authenticate IP phones against ACS with EAP-MD5 or EAP-TLS; EAP-TLS is the preferred method, to avoid the EAP-MD5 "typing" password problem :-)
10-29-2010 04:48 AM
Hi Sebastian,
I am struggling with Microsoft NPS to do the same with phones as computer account, how did you manage to get it working?
08-16-2011 01:05 AM
Hello Robert,
Regarding your .1x config. Did you manage to get the Microsoft NPS to authenticate the phones? How did you do this?
michael.
08-17-2011 03:03 AM
Hi Michael,
I have examined this very thoroughly. I did not get Microsoft NPS to authenticate the phones.
Strange thing I encountered: when a device was connected to a switch directly, NPS managed to authenticate it, but when the device was behind a phone, NPS didn't recognize the "handshake" anymore.
Even traced it with wireshark.
Now we don't need the telephones authenticated: they have their own voice VLAN. But the switch in the phone needs to send the 802.1X authentication to the RADIUS server.
So I tried the same with Cisco ACS, and managed to get it working. The same setup.
08-18-2011 12:55 AM
Hi,
TAC also found this bug on what I reckon is the same issue.
DE has decided it is not worth fixing, which seems a bit short-sighted seeing as how many organisations are running NPS and Cisco Voice - so if anyone else really needs this then you will need to create a PER.
Next step for us is to install a Cisco ACS and try and configure the NPS to proxy to the ACS just for the phones.
10-19-2011 09:54 AM
Hi Robert,
sorry for this late reply to your post (29.10.2010 05:48).
I authenticate the phones by MAB with IAS/NPS using a third-party extension from rt-solutions.de.
This extension makes it possible, among other things, to authenticate "MAB phones" using computer accounts in your AD.