802.1x Nortel Phone and MDA

b.tyler
Level 1

I am trying to get a Nortel phone to authenticate using 802.1x and MDA. The phone will authenticate fine when using multi-host mode. When I change to MDA, the phone says "EAP Not Authenticated"; however, the ACS server sees a passed authentication, and in the output of the dot1x switchport interface detail command I see the Voice domain authenticated and spanning-tree forwarding for the Voice VLAN on that port. The phone gets to the DHCP request and stops there. It appears that it falls back to the guest VLAN and gets an IP address from there. I have the required Cisco attribute configured in ACS. Has anyone else experienced this problem or have any ideas what could be wrong?

5 Replies

limtohsoon
Level 1

Hi Brooke,

I have an LG-Nortel IP phone connected to a switchport with the following config:

!
interface GigabitEthernet0/5
 switchport access vlan 70
 switchport mode access
 switchport voice vlan 71
 no snmp trap link-status
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
 dot1x guest-vlan 999
 spanning-tree portfast
!

The switch is a Catalyst 3560, IOS version 12.2(25)SEE1. The output of "sh dot1x interface g0/5 details" is as follows:

Switch#sh dot1x interface g0/5 details
Dot1x Info for GigabitEthernet0/5
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 5
RateLimitPeriod = 0
Guest-Vlan = 999

Dot1x Authenticator Client List Empty

Port Status = AUTHORIZED
Authorized By = Guest-Vlan
Vlan Policy = 999

Somehow, the phone manages to obtain an IP address from DHCP on voice VLAN 71 and becomes operational. However, the PC connected to the phone could not obtain an IP address from DHCP. Only VLANs 71 and 999 are in STP forwarding state on this port.

If I connect the PC directly to the switchport, it passes the authentication and becomes operational on VLAN 70. See the output below:

hps07354#sh dot1x int g0/5 det
Dot1x Info for GigabitEthernet0/5
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 5
RateLimitPeriod = 0
Guest-Vlan = 999

Dot1x Authenticator Client List
-------------------------------
Supplicant = 001e.3782.3378
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = N/A

Did you manage to make things work in a similar scenario? Do I have to configure MDA to make it work?

Please advise.

Thank you.

B.Rgds,

Lim TS
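The two "sh dot1x interface ... details" outputs above, and Brooke's original symptom, turn on the same few fields: whether the client list is empty, what "Authorized By" says, and which VLAN policy the port ended up with. The following script is an added example, not part of this thread or of any Cisco tool; it parses that output into a dictionary, reports whether a port was opened by a real authentication or by guest-VLAN fallback, and converts a dotted Cisco MAC such as 001e.3782.3378 into the 12-hex-digit form a Catalyst switch sends as the MAB username by default (useful when creating the per-phone users in ACS that Brooke describes later in the thread). The two sample outputs embedded in the script are trimmed copies of the ones posted above; the hostname and interface are taken from the post.

```python
import re
from typing import Dict, List

# Sample output, constructed by trimming the two outputs posted in this thread:
# the guest-VLAN case (phone behind the port) and the directly connected PC.
GUEST_VLAN_OUTPUT = """\
Dot1x Info for GigabitEthernet0/5
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
HostMode = MULTI_HOST
ReAuthPeriod = 3600 (Locally configured)
Guest-Vlan = 999
Dot1x Authenticator Client List Empty
Port Status = AUTHORIZED
Authorized By = Guest-Vlan
Vlan Policy = 999
"""

AUTHENTICATED_OUTPUT = """\
Dot1x Info for GigabitEthernet0/5
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
HostMode = MULTI_HOST
Guest-Vlan = 999
Dot1x Authenticator Client List
-------------------------------
Supplicant = 001e.3782.3378
Auth SM State = AUTHENTICATED
Port Status = AUTHORIZED
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = N/A
"""

# "Key = value" lines; keys may contain spaces and hyphens (e.g. "Guest-Vlan").
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)\s*=\s*(.*?)\s*$")


def parse_dot1x_details(text: str) -> Dict[str, object]:
    """Turn the show output into a dict of its 'key = value' fields.

    Also records the interface name and whether the authenticator client
    list was reported empty (i.e. no supplicant has talked to the port).
    """
    info: Dict[str, object] = {"clients_empty": False}
    for line in text.splitlines():
        if line.startswith("Dot1x Info for "):
            info["interface"] = line[len("Dot1x Info for "):].strip()
        elif "Client List Empty" in line:
            info["clients_empty"] = True
        else:
            m = KV_RE.match(line)
            if m:
                info[m.group(1)] = m.group(2)
    return info


def diagnose(info: Dict[str, object]) -> List[str]:
    """Explain how the port came to be AUTHORIZED, in operator terms."""
    findings: List[str] = []
    port = info.get("interface", "?")
    auth_by = info.get("Authorized By", "")
    if auth_by == "Guest-Vlan":
        # Port is open only because no supplicant answered; access is limited
        # to the guest VLAN, which is the fallback seen in the thread.
        findings.append(
            f"{port}: no supplicant passed 802.1x; opened by guest-VLAN "
            f"fallback into VLAN {info.get('Vlan Policy')}"
        )
    elif auth_by == "Authentication Server":
        findings.append(
            f"{port}: supplicant {info.get('Supplicant')} authenticated "
            f"via {info.get('Authentication Method')}"
        )
        if info.get("HostMode") == "MULTI_HOST":
            # In multi-host mode one successful supplicant opens the port
            # for every MAC behind it, so a PC behind a phone is never
            # authenticated on its own; MDA keeps the two domains separate.
            findings.append(
                f"{port}: MULTI_HOST mode, all other MACs on the port now "
                f"ride on this single authentication"
            )
    return findings


def mab_username(cisco_mac: str) -> str:
    """001e.3782.3378 -> 001e37823378, the default MAB username format
    (lowercase hex, no separators) a Catalyst switch sends to RADIUS."""
    digits = re.sub(r"[^0-9a-fA-F]", "", cisco_mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {cisco_mac!r}")
    return digits


if __name__ == "__main__":
    for sample in (GUEST_VLAN_OUTPUT, AUTHENTICATED_OUTPUT):
        for finding in diagnose(parse_dot1x_details(sample)):
            print(finding)
    print("MAB user for the PC seen above:", mab_username("001e.3782.3378"))
```

Running the script against the two samples prints a guest-VLAN-fallback finding for the first and an authenticated-plus-multi-host finding for the second, which is exactly the difference between the phone case and the direct PC case in the post. Pasting the real output of "sh dot1x interface ... details" into parse_dot1x_details works the same way, since only the "key = value" lines are read.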

limtohsoon
Level 1

Hi Brooke,

I refer to the following URL for MDA configuration:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1271507

The config looks pretty simple. However I do not know how to configure the ACS to support MDA. Can you please point me to a configuration guide?

Thank you.

B.Rgds,

Lim TS

Hi Lim,

Check out this link, it is very useful in setting up switch and ACS server.

http://www.cisco.com/en/US/partner/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

Also, the final config that I used is:

interface FastEthernet0/41
 power inline consumption 10000
 switchport mode access
 switchport voice vlan 704
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 5
 dot1x critical
 dot1x critical recovery action reinitialize
 dot1x guest-vlan 122
 dot1x auth-fail vlan 122
 dot1x auth-fail max-attempts 2
 spanning-tree portfast

Keep in mind that my scenario was a little different in that we wanted the phone to authenticate but not the PC plugged into the phone OR a PC plugged directly into the switchport. We used the Guest VLAN as the Data VLAN.

HTH

Brooke

Hi Brooke,

Thanks for the link. It's informative. However, it illustrates using a Cisco IP phone with the 802.1x supplicant enabled on the phone.

My scenario is, a Nortel IP phone connects to the switchport and a PC is plugged into the phone.

I'm not sure if the Nortel phone has an 802.1x supplicant. However, my customer wants a very simple rollout. They don't expect us to go to every phone to configure 802.1x.

I think MDA is the solution for me here. For the voice domain, I'm thinking of configuring MAC authentication bypass (MAB). What do you think? Can you point me to any config guide that shows how to configure MAB, especially on the ACS?

Thank you.

B.Rgds,

Lim TS

The Nortel phone will support 802.1x after a certain version of Nortel code. (I am not a Nortel engineer, but that is what I used.) You do have to manually input the userid/password in every phone. Here is another document that I used for 802.1x: http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_44_se/configuration/guide/sw8021x.html

As far as the ACS is concerned for MAB, use the link in the previous post. Ignore the fact that it is a Nortel phone; the ACS config is the same. You will need to set up a USER in ACS for each phone MAC address you want authenticated. Point all USERS to a GROUP that has the Cisco RADIUS Vendor attribute.

Regards,

Brooke
