802.1x multidomain with LG-Nortel IP Phone

Unanswered Question
Jul 29th, 2008

I have an issue configuring 802.1x for my customer. I'm using the following components:

Supplicant: Windows XP native IEEE 802.1x
Authenticator: Cisco Catalyst 3560G-48PS-S, IOS version 12.2(44)SE2
Authentication server: CiscoSecure ACS Release 4.1(4) Build 13 Patch 10

An LG-Nortel IP phone (model: LIP-6812D, hardware version 2.1, software version 1.2.06s) connects to the 802.1x enabled switch port. A PC with Windows XP 802.1x enabled connects to the phone's PC port. EAP-MD5 is used.

Since it is a non-Cisco phone and the administrator confirmed it does not have 802.1x supplicant, I configured Multi-Domain Authentication (MDA). The phone will be authenticated using MAC Authentication Bypass (MAB) in the VOICE domain and the PC will be authenticated using 802.1x in the DATA domain.

My switch port config is as follows:

!
interface GigabitEthernet0/5
 switchport access vlan 70
 switchport mode access
 switchport voice vlan 71
 no snmp trap link-status
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x violation-mode protect
 dot1x max-reauth-req 1
 dot1x guest-vlan 999
 spanning-tree portfast
!

Please see the attached file "hps07354_switch_config.log" for the full config.

MAB of the LG-Nortel IP phone is successful. Please see attached log file "IP_Phone.log". MAC address of the phone is 0040.5a17.c630.

The issue arises when I connect a PC behind the phone after the phone has been authorized in the VOICE domain. As soon as the PC is connected to the phone, the switch sends an Access-Request to RADIUS with Service-Type=10. This looks like MAB to me. I'm expecting 802.1x to take place because I enabled 802.1x on the PC's LAN connection.

RADIUS returns an Access-Reject. In the ACS Failed Attempts log, there's an entry with User-Name=001e37823378 (the PC's MAC address) and Authen-Failure-Code=ACS user unknown. I suspect the phone is blocking the PC's EAPOL packets from reaching the switch. However, if that is true, the switch should have waited for 802.1x to time out (in my config it is set to 60 seconds) before kicking in MAB. Right? Please refer to the attached log file "PC_behind_IP_Phone.log".

If I connect the PC directly to the switch port (with the same config), I have no issue. 802.1x takes place and the user is successfully authenticated using EAP-MD5. Please refer to the attached log file "PC_Direct_to_Switchport.log".

Please advise how to resolve this issue.

Thank you.
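As an added example (not from the original post, the ACS product or Cisco), the following Python triage script classifies RADIUS Access-Request records as MAB or 802.1X from Service-Type (RFC 2865: 10 = Call-Check, 2 = Framed) and User-Name, and flags the case described above, where a host that should authenticate with 802.1x shows up through MAB. The "Attr=Value;Attr=Value" record format and the records themselves are constructed for the example; only the MAC addresses are taken from the post.

```python
import re

MAC12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac):
    """Strip '.', ':' or '-' so 0040.5a17.c630 and 00-40-5A-17-C6-30 compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()

def parse_record(line):
    """Parse one 'Attr=Value;Attr=Value' line (constructed export shape, not the ACS CSV)."""
    rec = {}
    for part in line.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            rec[key.strip()] = val.strip()
    return rec

def classify(rec):
    """RFC 2865 Service-Type 10 (Call-Check) with User-Name equal to the client MAC is MAB;
    an 802.1X exchange carries EAP-Message with Service-Type 2 (Framed)."""
    service_type = int(rec.get("Service-Type", "0"))
    user = normalize_mac(rec.get("User-Name", ""))
    mac = normalize_mac(rec.get("Calling-Station-Id", ""))
    if service_type == 10 and MAC12.match(user) and user == mac:
        return "MAB"
    if "EAP-Message" in rec or service_type == 2:
        return "802.1X"
    return "unknown"

def audit(lines, dot1x_hosts):
    """Return (mac, method, note) per record; note flags a host that should do 802.1X
    but showed up through MAB, which is the symptom described in the post."""
    expected = {normalize_mac(m) for m in dot1x_hosts}
    out = []
    for line in lines:
        rec = parse_record(line)
        mac = normalize_mac(rec.get("Calling-Station-Id", ""))
        method = classify(rec)
        note = ""
        if method == "MAB" and mac in expected:
            note = "MAB request for an 802.1X host: EAPOL from the host may not be reaching the switch"
        out.append((mac, method, note))
    return out

# Constructed sample records reusing the MACs from the post (phone 0040.5a17.c630, PC 001e37823378).
SAMPLE_LOG = [
    "Service-Type=10;User-Name=00405a17c630;Calling-Station-Id=00-40-5A-17-C6-30;Result=Accept",
    "Service-Type=10;User-Name=001e37823378;Calling-Station-Id=00-1E-37-82-33-78;Result=Reject",
    "Service-Type=2;User-Name=jdoe;Calling-Station-Id=00-1E-37-82-33-78;EAP-Message=0x02;Result=Accept",
]
```

Running `audit(SAMPLE_LOG, ["001e.3782.3378"])` reports the phone as a clean MAB record, the PC-behind-phone record as MAB with the warning note, and the direct-connect record as 802.1X.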
