Deploying 802.1x when workstations are connected behind IP phones


Feb 16, 2012 5:51 AM

In this Chalk Talk, we will look at the options available for deploying 802.1x on Cisco switches when workstations are connected behind IP phones. This article assumes that you are familiar with 802.1x, EAP types, RADIUS servers and the configuration required on a Cisco switch to enable 802.1x.

Introduction

Deploying 802.1x was simple when a switch port in access mode could carry traffic from a single VLAN only. With the introduction of voice VLANs, a new layer gets added to the deployment. By default, 802.1x drops all non-EAP traffic on a port until the port is authorized. With an IP phone attached, that may or may not be the desired behavior, depending on whether the phone is EAP capable. In most cases, IP phones are not EAP capable and need a way to bypass 802.1x authentication. On the other hand, whether or not the IP phone is EAP capable, it may be desirable to authorize every IP phone before it is allowed to connect.

Depending on your requirement, the following options are available for deploying 802.1x with workstations connected behind IP phones:

  1. Bypass 802.1x authentication for IP phones while authenticating workstations
  2. Authenticate both IP Phones and workstations when IP phones are EAP capable
  3. Authenticate both IP Phones and workstations when IP phones are not EAP capable

In the following sections, we look at each of these options. Before proceeding, remember that a switchport configured with a voice VLAN has two VLAN identifiers associated with it:

  • Voice VLAN Identifier (VVID), which carries the 802.1Q-tagged traffic to and from the IP phone
  • Port VLAN ID (PVID), which carries the untagged data traffic to and from the workstation. This is the native VLAN of the switchport.

Bypass 802.1x authentication for IP phones while authenticating workstations

When 802.1x is enabled on an interface, it runs by default in single-host mode. In this mode, one host in each VLAN, voice and data, is allowed on the interface. When an IP phone is connected to such an interface, the switch recognizes it (through CDP) and lets it bypass 802.1x authentication with full access to the voice VLAN. No credential is checked in this case, so this option trusts any device the switch identifies as a phone. Traffic received on the PVID (from the workstation connected behind the IP phone) is not forwarded until the workstation is authenticated.

You can leave the 802.1x host mode at the default, single-host, if you want the IP phone to bypass authentication. To change the mode from anything else back to single-host mode, use the authentication host-mode single-host or the dot1x host-mode single-host command in interface configuration mode.

The following caveats apply when 802.1x single-host mode is configured and an IP phone is connected to the interface:

  • The VVID and PVID cannot be the same.
  • You cannot connect an IP phone behind another one; the switch recognizes only the directly connected IP phone.
  • If 802.1x is enabled while the IP phone is already connected, the IP phone will lose connectivity for up to 30 seconds.

Authenticate both IP Phones and workstations when IP phones are EAP capable

While 802.1x single-host mode allows IP phones to bypass 802.1x authentication, 802.1x Multi-Domain Authentication (MDA) mode enforces authentication on both the IP phone and the workstation.

If your IP phone is EAP capable and you want it to be authenticated before being allowed network access, change the 802.1x mode on the switchport to MDA with the dot1x host-mode multi-domain or the authentication host-mode multi-domain command in interface configuration mode.

When MDA is enabled, all non-EAP traffic from both the IP phone and the workstation is dropped until each of them is authenticated. Each is authenticated separately: if the IP phone is authenticated but the workstation is not, the switch continues to drop traffic from the workstation while traffic from the IP phone is allowed.

Figure 1: RADIUS attribute configuration for IP phone authentication

To authenticate the IP phone, the configuration on the RADIUS server is similar to what you would use to authenticate a user, and it depends on the EAP type supported by the IP phone. In addition to this configuration, the RADIUS server must be configured to send the value device-traffic-class=voice in the cisco-av-pair attribute. cisco-av-pair is sub-attribute 1 of vendor ID 9 (Cisco), carried inside the RADIUS IETF Vendor-Specific attribute (26). Figure 1 shows an example of the attribute configuration on CiscoSecure ACS 5. If this attribute is not present in the RADIUS Access-Accept packet from the server, the switch treats the IP phone as a data device instead of a voice device.

Apart from the required attribute, the following caveats apply:

  • The voice VLAN can be dynamically assigned by the RADIUS server, but this is supported only on IOS 12.2(40) and later. On earlier versions, dynamic voice VLAN assignment causes the IP phone to fail authorization. The attributes used to assign the VLAN are the same for the data and voice VLANs: [64] Tunnel-Type=VLAN, [65] Tunnel-Medium-Type=802 and [81] Tunnel-Private-Group-ID=VLAN name or VLAN ID.
  • An IP phone that fails authentication or is not EAP capable is not assigned to the Guest VLAN or Restricted VLAN. These fallback options do not apply to devices in the voice VLAN.
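The RADIUS attributes described above are easy to get subtly wrong (a Vendor-Specific attribute with the wrong vendor ID, a missing tag octet on the tunnel attributes), and the switch's reaction to a mistake is silent: the phone is simply treated as a data device. The following is an added example, not code from the article or from Cisco: it encodes the Access-Accept attributes for a voice device (Vendor-Specific 26 / vendor 9 / sub-attribute 1 carrying device-traffic-class=voice, plus the RFC 2868 tunnel attributes 64/65/81 for dynamic voice VLAN assignment) and then parses them back the way a switch would, classifying the device as voice only when the av-pair is present. The same attribute is required when the phone is authenticated by MAB, so the encoder applies there as well. The VLAN name "VOICE" and all sample values are constructed; only the Python standard library is used.

```python
"""Encode and decode the RADIUS attributes a Cisco switch expects for a voice device.
Added example; attribute and vendor numbers are the real ones, sample values are constructed."""
import struct

ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_CISCO = 9             # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor sub-attribute "cisco-av-pair"
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
VOICE_AVPAIR = "device-traffic-class=voice"


def attr(atype, value):
    """RFC 2865 attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific(26) = Vendor-Id(4) + one sub-attribute TLV of type 1."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode("ascii")
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def tunnel_int(atype, value, tag=1):
    """RFC 2868 tagged integer: one tag octet followed by a 3-byte value."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def tunnel_str(atype, text, tag=1):
    """RFC 2868 tagged string: tag octet (0x01..0x1F) followed by the string."""
    return attr(atype, bytes([tag]) + text.encode("ascii"))


def voice_accept(vlan):
    """Attributes for an Access-Accept that places the device in voice VLAN `vlan`."""
    return (cisco_avpair(VOICE_AVPAIR)
            + tunnel_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tunnel_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tunnel_str(ATTR_TUNNEL_PRIVATE_GROUP_ID, vlan))


def parse_attrs(blob):
    """Split an attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def cisco_avpairs(attrs):
    """Return the cisco-av-pair strings; VSAs from any other vendor are ignored."""
    pairs = []
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        body, j = value[4:], 0
        while j < len(body):
            if len(body) - j < 2:
                raise ValueError("truncated VSA sub-attribute")
            stype, slen = body[j], body[j + 1]
            if slen < 2 or j + slen > len(body):
                raise ValueError("bad VSA sub-attribute length")
            if stype == CISCO_AVPAIR:
                pairs.append(body[j + 2:j + slen].decode("ascii", "replace"))
            j += slen
    return pairs


def classify(attrs):
    """The switch's decision: voice only if device-traffic-class=voice is present."""
    return "voice" if VOICE_AVPAIR in cisco_avpairs(attrs) else "data"


def assigned_vlan(attrs):
    """VLAN from the 64/65/81 triple, or None if incomplete or not VLAN over 802."""
    found = {a: v for a, v in attrs if a in (64, 65, 81)}
    if set(found) != {64, 65, 81}:
        return None
    if (int.from_bytes(found[64][1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(found[65][1:], "big") != TUNNEL_MEDIUM_IEEE_802):
        return None
    group = found[81]
    if group and group[0] <= 0x1F:        # leading octet is a tag, not data
        group = group[1:]
    return group.decode("ascii", "replace")


if __name__ == "__main__":
    blob = voice_accept("VOICE")
    attrs = parse_attrs(blob)
    print(blob.hex(), classify(attrs), assigned_vlan(attrs))
    print(classify(parse_attrs(blob[34:])))   # VLAN attrs alone: data device
```

The decoder deliberately checks the vendor ID before reading sub-attributes: an av-pair string inside another vendor's VSA must not be accepted as Cisco's, and a truncated or oversized length field is rejected rather than read past the buffer.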

Authenticate both IP Phones and workstations when IP phones are not EAP capable

As mentioned earlier, if MDA is enabled and the IP phone is not EAP capable, it will not be assigned to the guest VLAN and will not be allowed network access. If you need to authenticate such IP phones, you can use MAC Authentication Bypass (MAB) with MDA.

With MAB enabled, when the switch gets no response to its EAP packets, it takes the MAC address of the device and sends it to the RADIUS server for authentication. The MAC address of the device must be added to the RADIUS server as a user or host. MAB is enabled with the dot1x mac-auth-bypass command in interface configuration mode (mab on releases that use the authentication command set).

If the MAC address of the device exists in the database, the IP phone is authenticated. With MAB too, you need to configure the RADIUS server to send the cisco-av-pair attribute with a value of device-traffic-class=voice. Additionally, you can configure the RADIUS server to dynamically assign the voice VLAN.

The one caveat to be aware of is that once MAB is enabled, it applies to both the data VLAN and the voice VLAN. If the workstation does not respond to EAP packets, its MAC address will be used to try to authenticate it. Keep in mind that MAB verifies only that a MAC address is in the database, and a MAC address can be read from a device's traffic and set on a host, so it is a weaker form of authentication than EAP; limit the MAC database to devices that genuinely cannot do EAP.
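The three options differ in only one or two interface commands, so a complete switch-side configuration is the easiest way to see them side by side. The fragment below is an added example, not configuration taken from the article or from Cisco: it implements option 3 (MDA with MAB) for a port whose phone is not EAP capable. For option 2 remove the mab line; for option 1 change the host mode to single-host and remove mab. The interface name, VLAN IDs, RADIUS server address and shared key are assumptions, and the commands use the authentication/mab syntax (the article's dot1x host-mode and dot1x mac-auth-bypass forms are the equivalents on older releases). Lines beginning with ! are comments.

```text
! Global AAA and 802.1x enablement (RADIUS server address and key are assumed)
aaa new-model
aaa authentication dot1x default group radius
! Needed for the server to push VLANs or downloadable ACLs
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
!
interface GigabitEthernet1/0/1
 description Desk port: IP phone with a workstation behind it
 switchport mode access
 ! PVID (data VLAN) and VVID (voice VLAN) must differ
 switchport access vlan 10
 switchport voice vlan 20
 ! Option 3: one voice and one data device, each authenticated separately
 ! Option 1 would be: authentication host-mode single-host (and no mab)
 authentication host-mode multi-domain
 authentication port-control auto
 ! Try EAP first, fall back to MAB only when the device never answers
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 ! Option 3 only; omit for an EAP-capable phone (option 2)
 mab
 ! MAB starts after tx-period x (max-reauth-req + 1) = 5 x 3 = 15 s of silence
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 spanning-tree portfast
```

With the defaults (tx-period 30, max-reauth-req 2) a non-EAP phone waits 90 seconds before MAB even begins, which is the timer tweaking the summary refers to. After a phone and workstation connect, show authentication sessions interface GigabitEthernet1/0/1 lists the VOICE and DATA domain entries separately, with the method (dot1x or mab) that authorized each.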

Summary

Deploying 802.1x with workstations connected behind IP phones requires quite a bit of planning. This Chalk Talk aims to make that planning easier by laying out the available deployment options. The actual configuration may require tweaking some dot1x timers to suit your environment, especially if MAB is used, since MAB begins only after the 802.1x exchange times out. I would like to point out that port security in such a deployment is one option I did not consider in this Chalk Talk, because in single-host mode port security does not limit the number of hosts that can connect to the voice VLAN. So port security cannot be considered an alternative to MDA and MAB for controlling which IP phones can connect.

Vivek Santuka is a Customer Support Engineer with the Cisco TAC AAA team. In the last 7 years, Vivek has helped resolve thousands of AAA, ACS and NAC related cases for organizations of all sizes. He holds two CCIEs, one in Security and the other in Routing and Switching. In addition, he holds an RHCE certification. Vivek is also the co-author of the Cisco Press title 'AAA Identity Management Security'.

Chalk Talk articles are featured each month in the Cisco TS Newsletter.


Comments

Vivek Santuka Thu, 04/26/2012 - 16:54 (reply to shoaibkhan)

Hi Shoaib,

I am not sure what is being asked here. Would you like to see some articles/documents created for these ?

Regards,

Vivek

marioderosa2008 Fri, 06/22/2012 - 01:57

Hi,

nice article. I need to use this feature.

Do you know how the various port authentication modes will affect the ability of Cisco ISE to apply dACLs to the switchport during posture, remediation & full network access?

Regards

Mario De Rosa

Vivek Santuka Fri, 06/22/2012 - 06:23 (reply to marioderosa2008)

Hi Mario De Rosa,

ISE can push down a DACL for any RADIUS request that it accepts. So in single-host mode, the DACL will be pushed for the host in DATA VLAN. For MDA (with or without MAB), each authentication can have its own DACLs applied. The switch will merge them both into a single ACL.

Regards,

Vivek

stamkorv@gmail.com Tue, 11/06/2012 - 03:03

Hi,

Very useful article indeed.

I would like one clarification if possible. What I would like to know relates to hot desk environments.

When implementing MDA mode, does that mean that only one specific client can be authenticated? Can multiple workstations be authorised (not at the same time) when connecting behind the IP phone's port?

Example scenario:

1. client A connects to the port -> authorised (given he has the right credentials)

2. client A disconnects

3. client B connects to the port -> what happens (given he has the right credentials)?

Thanks.

Veroniki.

Tags: aaa, radius, nac, 802.1x, phone