01-10-2017 09:55 AM - edited 03-18-2019 12:47 PM
Hi,
Just trying to register an SX20 using 802.1X and ISE/NAC for the first time.
Have downloaded the LSC to the Codec and enabled it for 802.1X - have also gone into Network settings on the Codec and enabled 802.1X.
The switch port still sees it as unauthorised. A Cisco phone on the same port works fine.
Anyone used 802.1X on SX20s before? Firmware CE8.2
01-10-2017 12:43 PM
I've never used 802.1X, but looking at the SX20 Admin Guide, did you configure an identity (username) and password? Do the endpoint or switch logs show anything that might help determine what's going on?
01-10-2017 12:55 PM
Hi,
Yeah, read that, but the NAC engineer says none of those options are required. He has the MAC address configured exactly the same as the 7841 phone on his end.
He believes it is an SX20 issue because it still registers when plugged into a non-802.1x port even though I have it enabled. If we plug in a 7841 with 802.1x enabled, the phone will not register.
The NAC debugs on the switch show unauthorised, meaning that the switch never attempts communication with ISE, which lends weight to the argument that it's an SX20 issue.
I'm no sx20 or NAC expert either :-)
01-14-2017 11:23 AM
I'm really interested to hear how this works out for you, please let us know.
Here is a guide for an ACS-driven 802.1x - http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
There's also some CLUS docs "Cisco TrustSec for Collaboration", I've included the part 2 which was helpful for me.
There is not yet an end-to-end guide for ISE to my knowledge like the ACS-based guide.
01-24-2017 12:50 PM
Mark,
Turns out it's a non-publicly viewable defect with the 3850 switch. CSCux83859 - Switch fails dot1x when identity field in EAP ID response is blank.
This is on the new Denali OS and the fix has not been published yet.
Russell
06-08-2017 05:16 PM
Hi,
Not sure if you ever got this fixed. We found that we had to set a username that matches the cert even though we used EAP-TLS.
Can you share some details on the 3850 bug - CSCux83859 - Switch fails dot1x when identity field in EAP ID response is blank?
Chris
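
The failure condition named in the two posts above (a blank identity field in the EAP identity response) can be checked in a packet capture taken on the access port. The following is an added example, not part of the thread and not Cisco code: it parses an EAPOL frame per IEEE 802.1X and RFC 3748 and reports whether the EAP-Response/Identity is empty. The function names and the sample identity are hypothetical, and the frames are constructed test data, not captures.

```python
import struct

EAPOL_EAP_PACKET = 0   # EAPOL packet type that carries an EAP packet
EAP_RESPONSE = 2       # EAP code (RFC 3748)
EAP_TYPE_IDENTITY = 1  # EAP type (RFC 3748)


def identity_from_eapol(frame: bytes):
    """Return the identity string of an EAP-Response/Identity.

    `frame` starts at the EAPOL header (Ethernet header already removed).
    Returns None for any other EAPOL/EAP message; raises ValueError when
    the frame is truncated or its length fields are inconsistent.
    """
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, pkt_type, body_len = struct.unpack("!BBH", frame[:4])
    if pkt_type != EAPOL_EAP_PACKET:
        return None
    body = frame[4:4 + body_len]
    if len(body) != body_len or body_len < 4:
        raise ValueError("truncated EAP packet")
    code, _eap_id, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("bad EAP length")
    if code != EAP_RESPONSE or eap_len < 5 or body[4] != EAP_TYPE_IDENTITY:
        return None
    return body[5:eap_len].decode("utf-8", errors="replace")


def check_identity(frame: bytes) -> str:
    """Classify a frame for the blank-identity condition."""
    ident = identity_from_eapol(frame)
    if ident is None:
        return "not-identity-response"
    return "blank-identity" if ident == "" else "identity-present"


def build_identity_response(identity: bytes, eap_id: int = 1) -> bytes:
    """Build a constructed sample frame (test data, not a capture)."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id,
                      5 + len(identity), EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


if __name__ == "__main__":
    for name in (b"", b"sx20-room1.example.com"):  # constructed identities
        print(repr(name), "->", check_identity(build_identity_response(name)))
```

A "blank-identity" result for the endpoint's response matches the condition in the defect title; setting a username on the endpoint, as described above, should change the result to "identity-present".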
06-09-2017 01:46 AM
01-10-2017 07:09 PM
Have you checked that the certificate on the SX is showing as configured for 802.1x (see screenshot of where to look on Page 32 of the Admin Guide)?
You may also want to check the VLAN settings on the SX to make sure it's set correctly.
Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.
01-11-2017 12:13 AM
Hi,
Yes, the things I've done are push the LSC down from UCM, enable it as per pg 32 of the admin guide and turn on 802.1x in network settings. Reboot the codec.
When plugged into a verified working 802.1x port the switch sees it as unauthorised; if plugged into a standard port it registers fine.
Might need a TAC......