802.1x port security auth for MX &SX endpoints registered on CUCM

gfolens (Level 4)

I'm trying to configure 802.1x on MX and SX type endpoints registered on CUCM v10.5.

From CUCM I pushed the LSC, and on the endpoint under Security > CUCM I see:

CUCM status: CUCM is enabled.
CTL status: CTL is installed.
ITL status: ITL is installed.
LSC status: Certificates are installed.
Operation status: No pending operations.

IEEE802.1x config done on endpoint (see attached screenshot).

I've also added the CA certificates on the endpoint.

But when the switch port is activated for 802.1x, the endpoint is not reachable anymore and "authentication failed" is shown in the switch logs.

Did somebody already manage to make this work?

For IP phones there's an 802.1x setting in CUCM, but for TP endpoints this is not the case.


gfolens (Level 4)

As a follow-up to my own thread, here are some hints to make it work:

- The codec series do not use the same identity format in their certificate as IP phones do. They use 'SEP' + mac-address instead, so the ISE server needs a rule that matches on this name combination.

- The LSC of the UCM must be installed on the codec: use "Install/Upgrade by Authentication string".

- The LSC certificate must be enabled for 802.1X.

- On the codec the following fields are needed:

  - Identity: 'SEP' + mac-address
  - Mode: On
  - TlsVerify: Off
  - UseClientCertificate: On
  - EAP MD5: Off
  - PEAP: Off
  - TLS: On
  - Ttls: Off

- On the switch:

  radius-server vsa send authentication
  radius-server vsa send accounting

- On the switch port (note: the voice VLAN must be used):

  interface GigabitEthernet2/0/46
   description ### MX700 ###
   switchport access vlan 500
   switchport mode access
   switchport voice vlan 500
   switchport port-security aging type inactivity
   no logging event link-status
   authentication control-direction in
   authentication event fail action next-method
   authentication event server dead action authorize vlan 500
   authentication event server dead action authorize voice
   authentication event server alive action reinitialize
   authentication host-mode multi-domain
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication timer restart 3600
   authentication violation replace
   mab
   no snmp trap link-status
   dot1x pae authenticator
   dot1x timeout tx-period 7
   storm-control broadcast level 10.00
   storm-control multicast level 10.00
   macro description dot1x-secure
   spanning-tree portfast
  end
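The first hint in the reply above is the one that usually decides whether EAP-TLS for a codec succeeds: the certificate identity is 'SEP' followed by the MAC address, and the authentication server needs a rule that accepts exactly that form. The script below is an added example, not code from the thread or from Cisco ISE; it shows the kind of check such a rule performs, written in Python with only the standard library. It assumes the identity string seen by the server is the certificate subject name (SEP + twelve uppercase hex digits) and that the switch also reports the endpoint's MAC in the RADIUS Calling-Station-Id attribute; the sample requests are constructed for the example.

```python
import re

# Constructed sample data: the EAP identity presented by the codec (its
# certificate CN) and the Calling-Station-Id the switch reports for the
# same session. Three cases: a correct codec, a MAC that does not match
# the certificate, and an identity not in the SEP<MAC> format at all.
SAMPLE_REQUESTS = [
    {"identity": "SEP00AABBCCDDEE", "calling_station_id": "00-AA-BB-CC-DD-EE"},
    {"identity": "SEP00AABBCCDDEE", "calling_station_id": "00-11-22-33-44-55"},
    {"identity": "mx700-lobby", "calling_station_id": "00-AA-BB-CC-DD-EE"},
]

# Identity format used by the codec certificates: 'SEP' + 12 hex digits.
IDENTITY_RE = re.compile(r"^SEP([0-9A-F]{12})$")


def normalize_mac(mac):
    """Return a MAC as 12 uppercase hex digits.

    Accepts the colon, dash and Cisco dotted (aabb.ccdd.eeff) notations,
    since RADIUS clients differ in how they format Calling-Station-Id.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits


def expected_identity(mac):
    """Identity a codec with this MAC is expected to present."""
    return "SEP" + normalize_mac(mac)


def check_request(identity, calling_station_id):
    """Evaluate one authentication attempt the way the ISE rule would.

    Returns (accepted, reason). Both the identity format and the binding
    between the certificate MAC and the port's reported MAC are checked,
    so a certificate that is valid but presented from another MAC fails.
    """
    match = IDENTITY_RE.match(identity)
    if not match:
        return False, "identity is not in SEP<MAC> format"
    if match.group(1) != normalize_mac(calling_station_id):
        return False, "identity MAC does not match Calling-Station-Id"
    return True, "ok"


def evaluate(requests):
    """Run check_request over a list of request dicts."""
    return [check_request(r["identity"], r["calling_station_id"]) for r in requests]


if __name__ == "__main__":
    for req, (accepted, reason) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        verdict = "ACCEPT" if accepted else "REJECT"
        print("%s %-18s %-20s %s" % (verdict, req["identity"], req["calling_station_id"], reason))
```

The MAC cross-check is worth keeping even though the certificate alone authenticates the endpoint: the codec settings in the reply turn TlsVerify off, so the endpoint does not validate the server side of the exchange, and the server-side rule is the check that remains. Being strict about the SEP<MAC> binding there costs nothing for a correctly provisioned codec.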
