07-29-2008 04:19 AM - edited 03-10-2019 03:59 PM
Hello everybody!
The main idea: I need to authenticate a Cisco IP Phone connected to a C3750 and put it into the voice VLAN. Authentication is done in ACS v.3.2 using the IP Phone's MAC address.
Here is the port configuration on the C3750:
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 12
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 spanning-tree portfast
end
In ACS I've created the group "IP Phones" and in its configuration I checked:
1) Voice-over-IP Support
2) IETF RADIUS Attributes:
[064] Tunnel-Type = VLAN
[065] Tunnel-Medium-Type = 802
[081] Tunnel-Private-Group-ID = 12
There's a user 000d65707e7a (the IP Phone's MAC address) in this ACS group.
When I connect the IP Phone to the GigabitEthernet1/0/2 interface, it doesn't get the voice VLAN.
c3750#show mac-address-table interface gigabitEthernet 1/0/2
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000d.6570.7e7a    STATIC      Drop
  12    000d.6570.7e7a    STATIC      Drop
In ACS, choosing "Reports and Activity" -> "Failed Attempts", I see a mistake:
Authen failed - 000d65707e7a - Access denied to Voice-over-IP group
What's wrong? How do I configure the ACS group to authenticate the IP Phone by its MAC address and put it into voice VLAN 12 on the C3750?
Thanks for any help!
08-03-2008 08:13 PM
I think you need to add a radius VSA:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml
Also make sure your device-ID on the phone is the same as the username you are putting (Not just the mac-address). It is in this format:
CP-
Please let me know how this turns out.
Regards
Farrukh
08-03-2008 09:22 PM
Thanks Farrukh for your help!
I've already studied these documents, did all the things in ACS and discovered that my IP Phone CP-7940G, firmware 8.0(7.0), does not support 802.1x authentication.
Is there any other CP-7940G firmware with the 802.1x feature enabled, or do I need to change the model to 7961G (7970G)?
08-04-2008 05:28 AM
7940 will never do 802.1X. Neither will 7960. Newer phones will.
08-22-2008 05:46 AM
Using this port-config:
interface GigabitEthernet1/0/15
 switchport mode access
 switchport voice vlan XXX
 no logging event link-status
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout quiet-period 5
 dot1x timeout reauth-period server
 dot1x guest-vlan XXX
 dot1x auth-fail vlan XXX
 spanning-tree portfast
end
I managed to put the 802.1x PC into the needed access VLAN and the non-802.1x IP Phone into the voice VLAN, and to authenticate devices by MAC address.
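
Added example, not part of any post in this thread: a small Python check that reads port stanzas like the two posted above and reports what each 802.1X/MAB combination implies for access control. The function names and the abridged sample config are constructed for illustration, and the parser assumes sub-commands are indented the way `show running-config` prints them.

```python
import re

# Constructed sample: abridged from the two port stanzas posted in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 switchport voice vlan 12
 dot1x mac-auth-bypass
 dot1x port-control auto
 dot1x host-mode multi-domain
!
interface GigabitEthernet1/0/15
 switchport voice vlan XXX
 dot1x mac-auth-bypass
 dot1x port-control auto
 dot1x host-mode multi-host
"""

def parse_interfaces(text):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!", "end" or a global command closes the stanza
    return ports

def audit_port(cmds):
    """Return review findings for one port's 802.1X / MAB settings."""
    # Assumption: legacy "dot1x host-mode" keywords only; no line means single-host.
    mode = next((c.split()[-1] for c in cmds if c.startswith("dot1x host-mode")), "single-host")
    voice = any(c.startswith("switchport voice vlan") for c in cmds)
    checks = [
        ("dot1x port-control auto" not in cmds, "802.1X is not enforced on this port"),
        ("dot1x mac-auth-bypass" in cmds, "MAB: a MAC address is the only credential for non-802.1X devices"),
        (mode == "multi-host", "multi-host: one authorized device opens the port to every other MAC"),
        (voice and mode != "multi-domain", "voice VLAN without multi-domain: phone and PC are not separate auth domains"),
    ]
    return [msg for hit, msg in checks if hit]

def audit(text):
    return {name: audit_port(cmds) for name, cmds in parse_interfaces(text).items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, *findings, sep="\n  - ")
```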