Using 802.1X and non-Cisco IP Phones

Unanswered Question
Apr 17th, 2007

Hi there,


Having some questions about an 802.1X/non-Cisco IP phone setup and was hoping to find some answers/user experience with this setup.


Main questions I'm facing:


1) When using non-Cisco IP phones (e.g. Nortel or Siemens) and a previously authorized client connected behind this IP phone gets disconnected, what will this action do with the authorized state of 802.1X on the switch port? Will it stay authorized until the reauth timer expires, or does it reject communication from any other device?


2) What about EAPOL-Logoff messages from the IP phone to the switch. Are these only used by Cisco phones when they experience a link-status change on data ports?


Thanks for sharing your thoughts

jafrazie Tue, 04/17/2007 - 12:24

Overall, you need to try and deal with the fact that a machine can disappear from the network and the network may not know about it directly (i.e. Link doesn't go down).


I have no idea what other phones do, but Cisco phones send an EAPOL-Logoff when something is unplugged. This lets the switch know directly, and the 1X session is torn down immediately, closing what would be a security hole.


Fundamentally, re-auth is a workaround only, and this is not the reason to enable re-auth to begin with.


If your phone doesn't send an EAPOL-Logoff in this case, the switch might be left thinking an attack is underway when someone else tries to plug in (with presumably a different MAC). You do NOT want this to occur.


Hope this helps,
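As an added example (not code from this thread, from Cisco, or from any switch vendor), here is a small Python model of the switch-side port state jafrazie describes: a client that vanishes silently stays authorized until the re-auth timer fires, so a different MAC showing up on the port reads as a violation, whereas an EAPOL-Logoff tears the session down at once. The MACs, timings and the single-host port model are constructed simplifications, not IOS logic.

```python
import struct

ETH_P_PAE = 0x888E       # EtherType for EAPOL (IEEE 802.1X)
EAPOL_LOGOFF = 2         # EAPOL packet type 2 = Logoff
PAE_GROUP = bytes.fromhex("0180c2000003")  # destination MAC used for EAPOL frames
A, B = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"  # constructed sample MACs

def build_frame(src_mac, ethertype, payload=b""):
    """Constructed Ethernet frame: dst | src | ethertype | payload."""
    return PAE_GROUP + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ethertype) + payload

def eapol_logoff(src_mac):
    """EAPOL-Logoff: version=1, packet type=2, body length=0."""
    return build_frame(src_mac, ETH_P_PAE, struct.pack("!BBH", 1, EAPOL_LOGOFF, 0))

def parse_frame(raw):
    """Return (src_mac, ethertype, eapol_type); eapol_type is None for non-EAPOL frames."""
    src, ethertype = raw[6:12].hex(":"), struct.unpack("!H", raw[12:14])[0]
    if ethertype != ETH_P_PAE or len(raw) < 18:
        return src, ethertype, None
    return src, ethertype, struct.unpack("!BBH", raw[14:18])[1]

class SingleHostPort:
    """Switch port holding one authorized MAC (a constructed model, not IOS behaviour)."""
    def __init__(self, reauth_period, authorized_mac, now=0):
        self.reauth_period, self.authorized_mac, self.authorized_at = reauth_period, authorized_mac, now
        self.events = []

    def on_frame(self, raw, now):
        src, _ethertype, eapol_type = parse_frame(raw)
        if self.authorized_mac and now - self.authorized_at >= self.reauth_period:
            self.events.append(("reauth-timer-expired", self.authorized_mac))
            self.authorized_mac = None  # a silently vanished client stays authorized until here
        if eapol_type == EAPOL_LOGOFF and src == self.authorized_mac:
            self.events.append(("eapol-logoff", src))
            self.authorized_mac = None  # immediate teardown, as a Cisco phone's logoff gives
            return "unauthorized"
        if self.authorized_mac is None:
            return "unauthorized"  # next supplicant must authenticate itself
        if src != self.authorized_mac:
            self.events.append(("security-violation", src))  # other MAC on a live session
            return "violation"
        return "authorized"

def scenario(phone_sends_logoff):
    """PC A authorized at t=0, unplugged at t=600; PC B sends traffic at t=610; reauth 3600 s."""
    port = SingleHostPort(reauth_period=3600, authorized_mac=A)
    if phone_sends_logoff:
        port.on_frame(eapol_logoff(A), now=600)
    result = port.on_frame(build_frame(B, 0x0800), now=610)
    return result, port.events
```

Run `scenario(False)` and `scenario(True)` to compare the two cases; the events list records which of the three outcomes (timer expiry, logoff, violation) the port reached.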

dkrijgsman Tue, 04/17/2007 - 22:30

Hi Jafrazie.


Thanks for responding.

Presumably these phones aren't able to send EAPOL-Logoff messages on behalf of a connected device. So with only devices behind this phone using 802.1X, do any other options exist to make sure a second (non-authorized) device isn't able to use a previously authorized 1X session of a disconnected device?

jafrazie Thu, 04/19/2007 - 14:24

It's not good that your phones evidently cannot do it ;-(.


The only work-around here would be re-auth, but that doesn't fix the problem, and it's only a work-around, and it doesn't come for free.


Analogy:

There's no need to have a fire-drill just to make sure everyone in your building is a badged employee ;-).

etmarcof Wed, 05/16/2007 - 14:19

Hi,


I have another question regarding non-Cisco IP phones and 802.1X.

If I connect a PC to an IP phone and I have dynamic VLANs for PC users (after the user logs in on the PC, he receives a VLAN from the RADIUS server), should this kind of configuration work, or after successful authentication will the user go to the VLAN configured as the native VLAN?


Best Regards

MC
