
SX20 on 802.1X

rchaseling
Level 4

Hi,

Just trying to register an SX20 using 802.1X and ISE/NAC for the first time.

Have downloaded the LSC to the codec and enabled it for 802.1X - have also gone into Network settings on the codec and enabled 802.1X.

The switch port still sees it as unauthorised. A Cisco phone on the same port works fine.

Anyone used 802.1X on SX20s before - firmware CE8.2?

8 Replies

Patrick Sparkman
VIP Alumni

I've never used 802.1X, but looking at the SX20 Admin Guide, did you configure an identity (username) and password? Do the endpoint or switch logs show anything that might help determine what's going on?

Hi,

Yeah, read that, but the NAC engineer says none of those options are required. He has the MAC address configured exactly the same as the 7841 phone on his end.

He believes it is an SX20 issue because it still registers when plugged into a non-802.1X port even though I have it enabled. If we plug in a 7841 with 802.1X enabled, the phone will not register.

The NAC debugs on the switch show unauthorised, meaning that the switch never attempts communication with ISE, which lends weight to the argument it's an SX20 issue.

I'm no sx20 or NAC expert either :-)

I'm really interested to hear how this works out for you, please let us know.

Here is a guide for an ACS-driven 802.1x - http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

There's also some CLUS docs "Cisco TrustSec for Collaboration", I've included the part 2 which was helpful for me.

There is not yet an end-to-end guide for ISE to my knowledge like the ACS-based guide.

--
-Mark Turpin

Mark,

Turns out it's a non-publicly-viewable defect with the 3850 switch: CSCux83859 - Switch fails dot1x when identity field in EAP ID response is blank.

This is on the new Denali OS and the fix has not been published yet.

Russell

Hi,

Not sure if you ever got this fixed. We found that we had to set a username that matches the cert even though we used EAP-TLS.

Can you share some details on the 3850 bug - CSCux83859 - Switch fails dot1x when identity field in EAP ID response is blank?

Chris

We went with MAB in the end

Wayne DeNardi
VIP Alumni

Have you checked that the certificate on the SX is showing as configured for 802.1X (see the screenshot of where to look on Page 32 of the Admin Guide)?

You may also want to check the VLAN settings on the SX to make sure it's set correctly.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.

Hi,

Yes. The things I've done are: push the LSC down from UCM, enable it as per pg 32 of the Admin Guide, and turn on 802.1X in network settings. Reboot the codec.

When plugged into a verified working 802.1X port, the switch sees it as unauthorised; if plugged into a standard port, it registers fine.

Might need a TAC......