IP Phone + dot1x + ACS 3.2

Answered Question
Jul 29th, 2008

Hello everybody!


The main idea: I need to authenticate a Cisco IP Phone connected to a C3750 and put it into the voice VLAN. Authentication is done in ACS v.3.2 using the IP Phone's MAC address.


Here's the port configuration on the C3750:

interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 12
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 spanning-tree portfast
end


In ACS I've created the group "IP Phones" and in its configuration I checked:

1) Voice-over-IP Support

2) IETF RADIUS Attributes:

[064] Tunnel-Type = VLAN

[065] Tunnel-Medium-Type = 802

[081] Tunnel-Private-Group-ID = 12


There's a user 000d65707e7a (the IP Phone's MAC address) in this ACS group.


When I connect the IP Phone to the GigabitEthernet1/0/2 interface it doesn't get the voice VLAN.


c3750#show mac-address-table interface gigabitEthernet 1/0/2
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000d.6570.7e7a    STATIC      Drop
  12    000d.6570.7e7a    STATIC      Drop


In ACS, choosing "Reports and Activity" -> "Failed Attempts", I see this error:


Authen failed - 000d65707e7a - Access denied to Voice-over-IP group


What's wrong? How do I configure the ACS group to authenticate the IP Phone by its MAC address and put it into voice VLAN 12 on the C3750?


Thanks for any help!

Farrukh Haroon Sun, 08/03/2008 - 20:13

I think you need to add a RADIUS VSA:


http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml


Also make sure the device ID on the phone is the same as the username you are putting in (not just the MAC address). It is in this format:

CP--SEP-


http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7961g_7961g-ge_7941g_7941g-ge/5_1/english/administration_sccp/guide/7961net.html#wp1041028


Please let me know how this turns out.


Regards


Farrukh

VladimirFilippov Sun, 08/03/2008 - 21:22

Thanks Farrukh for your help!


I've already studied these documents, did all the things in ACS, and discovered that my IP Phone CP-7940G, firmware 8.0(7.0), does not support 802.1x authentication.


Is there any other CP-7940G firmware with the 802.1x feature enabled, or do I need to change the model to 7961G (7970G)?

Correct Answer
jafrazie (Cisco Employee) Mon, 08/04/2008 - 05:28

7940 will never do 802.1X. Neither will 7960. Newer phones will.

VladimirFilippov Fri, 08/22/2008 - 05:46

Using this port config:

interface GigabitEthernet1/0/15
 switchport mode access
 switchport voice vlan XXX
 no logging event link-status
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout quiet-period 5
 dot1x timeout reauth-period server
 dot1x guest-vlan XXX
 dot1x auth-fail vlan XXX
 spanning-tree portfast
end


I achieved putting an 802.1x PC into the needed access VLAN, a non-802.1x IP Phone into the voice VLAN, and authenticating devices by MAC address.
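
An added example, not code from this thread or from Cisco, covering the two RADIUS details the thread turns on: the three IETF tunnel attributes the question's ACS group returns (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID for VLAN 12) and the Cisco VSA Farrukh's reply points at. The script encodes an Access-Accept attribute list both ways, decodes it the way a switch would, and reports what is missing for a client that must land in the voice domain of a multi-domain (MDA) port. The av-pair value device-traffic-class=voice is the one Cisco documents for voice-domain authorization on Catalyst switches; attribute numbers and tag handling follow RFC 2865 and RFC 2868. The function names are this example's own, not a library API, and the MAC address is the one from the question.

```python
"""Build and inspect the RADIUS authorization a MAB-authenticated phone needs.

Added example, not code from the thread or from Cisco. Constants come from
RFC 2868 (tunnel attributes) and RFC 2865 (Vendor-Specific). The Cisco VSA
"device-traffic-class=voice" is the av-pair a Catalyst switch in multi-domain
host mode expects before it places a client in the voice VLAN.
"""
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26

# Values used for VLAN assignment
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = 802
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1               # vendor type of cisco-av-pair
VOICE_AVPAIR = "device-traffic-class=voice"


def mab_username(mac: str) -> str:
    """Normalise a MAC address to the 12-hex-digit form used as the ACS username
    (the thread uses 000d65707e7a for 000d.6570.7e7a)."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value (Length counts the header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _tagged_int(tag: int, value: int) -> bytes:
    """Tagged integer: a 1-byte tag followed by a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def _cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying one cisco-av-pair string."""
    inner = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(inner)) + inner
    return _avp(VENDOR_SPECIFIC, vsa)


def voice_vlan_authorization(vlan_id: int, include_voice_vsa: bool = True, tag: int = 0) -> bytes:
    """Attribute list for an Access-Accept that puts the client in VLAN vlan_id.

    include_voice_vsa=False reproduces what the question's ACS group sends:
    the three IETF tunnel attributes only."""
    attrs = (
        _avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
        + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    )
    if include_voice_vsa:
        attrs += _cisco_avpair(VOICE_AVPAIR)
    return attrs


def decode_attributes(data: bytes) -> dict:
    """Walk an attribute list and return the fields a switch would act on."""
    out = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr_type] = int.from_bytes(value[1:], "big")  # drop the tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte of 0x00-0x1F is a tag; anything else is part of the string.
            out[attr_type] = (value[1:] if value[0] <= 0x1F else value).decode()
        elif attr_type == VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                out.setdefault("cisco-av-pair", []).append(value[6:4 + vlen].decode())
        i += length
    return out


def missing_for_voice_domain(attrs: dict, vlan_id: int) -> list:
    """List what a decoded Access-Accept lacks for a voice-domain client."""
    missing = []
    if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        missing.append("Tunnel-Type=VLAN")
    if attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        missing.append("Tunnel-Medium-Type=802")
    if attrs.get(TUNNEL_PRIVATE_GROUP_ID) != str(vlan_id):
        missing.append(f"Tunnel-Private-Group-ID={vlan_id}")
    if VOICE_AVPAIR not in attrs.get("cisco-av-pair", []):
        missing.append(f"cisco-av-pair {VOICE_AVPAIR}")
    return missing


if __name__ == "__main__":
    user = mab_username("000d.6570.7e7a")
    for with_vsa in (False, True):
        decoded = decode_attributes(voice_vlan_authorization(12, include_voice_vsa=with_vsa))
        print(user, "with VSA" if with_vsa else "IETF only",
              "missing:", missing_for_voice_domain(decoded, 12))
```

Run as-is, the IETF-only variant reports the Cisco av-pair as missing while the variant with the VSA reports nothing missing; the same decoder can be pointed at attribute bytes captured from a real Access-Accept to confirm what ACS actually returned.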
