IP Phone + dot1x + ACS 3.2

Hello everybody!

The main idea: I need to authenticate a Cisco IP Phone connected to a C3750 and put it into the voice VLAN. Authentication is done in ACS v.3.2 using the IP Phone's MAC address.

Here is the port configuration on the C3750:

interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 12
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 spanning-tree portfast
end

In ACS I've created the group "IP Phones" and in its configuration I checked:

1) Voice-over-IP Support
2) IETF RADIUS Attributes:
   [064] Tunnel-Type = VLAN
   [065] Tunnel-Medium-Type = 802
   [081] Tunnel-Private-Group-ID = 12

There's a user 000d65707e7a (the IP Phone's MAC address) in this ACS group.

When I connect the IP Phone to the GigabitEthernet1/0/2 interface, it doesn't get the voice VLAN.

c3750#show mac-address-table interface gigabitEthernet 1/0/2
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000d.6570.7e7a    STATIC      Drop
  12    000d.6570.7e7a    STATIC      Drop

In ACS, choosing "Reports and Activity" -> "Failed Attempts", I see a mistake:

Authen failed - 000d65707e7a - Access denied to Voice-over-IP group

What's wrong? How do I configure the ACS group to authenticate the IP Phone by its MAC address and put it into voice VLAN 12 on the C3750?

Thanks for any help!

1 Accepted Solution

7940 will never do 802.1X. Neither will 7960. Newer phones will.


Farrukh Haroon
VIP Alumni

I think you need to add a RADIUS VSA:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

Also make sure your device-ID on the phone is the same as the username you are putting in (not just the MAC address). It is in this format:

CP--SEP-

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7961g_7961g-ge_7941g_7941g-ge/5_1/english/administration_sccp/guide/7961net.html#wp1041028

Please let me know how this turns out.

Regards

Farrukh

Thanks Farrukh for your help!

I've already studied these documents, did all the things in ACS and discovered that my IP Phone CP-7940G, firmware 8.0(7.0), does not support 802.1x authentication.

Is there any other CP-7940G firmware with the 802.1x feature enabled, or do I need to change the model to 7961G (7970G)?

7940 will never do 802.1X. Neither will 7960. Newer phones will.

Using this port-config:

interface GigabitEthernet1/0/15
 switchport mode access
 switchport voice vlan XXX
 no logging event link-status
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout quiet-period 5
 dot1x timeout reauth-period server
 dot1x guest-vlan XXX
 dot1x auth-fail vlan XXX
 spanning-tree portfast
end

I managed to put the 802.1x PC into the needed access VLAN and the non-802.1x IP Phone into the voice VLAN, and to authenticate devices by MAC address.
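
A troubleshooting aid for the symptom in this thread, added here as an example and not posted by any participant: it lines up the MAC addresses the switch lists with port Drop against the ACS Failed Attempts text, using the user name form from the first post (12 lowercase hex digits). The function names are hypothetical, and the ACS line layout is assumed from how the first post quotes it.

```python
import re

# Switch output and ACS line copied from the first post; the ACS layout
# ("Authen failed - <user> - <reason>") is assumed from how it is quoted there.
SHOW_MAC = """\
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 000d.6570.7e7a STATIC Drop
12 000d.6570.7e7a STATIC Drop
"""
ACS_FAILED = "Authen failed - 000d65707e7a - Access denied to Voice-over-IP group\n"

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)
FAIL = re.compile(r"^Authen failed - (\S+) - (.+)$")

def mab_username(mac):
    """Reduce common MAC notations to 12 lowercase hex digits (the ACS user name form used here)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def dropped_hosts(show_output):
    """Map MAB user name -> sorted VLANs where the switch lists the MAC with port 'Drop'."""
    hosts = {}
    for line in show_output.splitlines():
        m = ROW.match(line)
        if m and m.group(4).lower() == "drop":
            hosts.setdefault(mab_username(m.group(2)), set()).add(int(m.group(1)))
    return {user: sorted(vlans) for user, vlans in hosts.items()}

def acs_failures(log_text):
    """Map user name -> last failure reason found in the ACS Failed Attempts text."""
    fails = {}
    for line in log_text.splitlines():
        m = FAIL.match(line.strip())
        if m:
            fails[m.group(1).lower()] = m.group(2).strip()
    return fails

def correlate(show_output, log_text):
    """For every dropped MAC, attach the ACS reason, or None if ACS never saw that user name."""
    fails = acs_failures(log_text)
    return [(u, v, fails.get(u)) for u, v in sorted(dropped_hosts(show_output).items())]

if __name__ == "__main__":
    for user, vlans, reason in correlate(SHOW_MAC, ACS_FAILED):
        print(f"{user} dropped on VLAN(s) {vlans}: {reason or 'no ACS failure logged for this user name'}")
```

A dropped MAC with no matching ACS entry suggests the request reached ACS under a different user name format, or never reached it at all.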
