802.1x and Cisco IP Phone

Answered Question
Oct 30th, 2008

I am trying to authenticate a Cisco 7970 IP phone that is set up to do 802.1x with ACS. When I check the log files on ACS it shows that the phone failed authentication, but the phone is still allowed on the network and can make calls. I have added the MAC address as an ACS user and configured a password which matches the password configured on the phone. If I put the wrong password in, it's still allowed on the network; the port is never shut down. I was speaking to someone who was able to do this and they somehow enabled the av-pair. Only I am not sure what to put in there. Does anyone have an idea as to what would need to go in there so that when a phone fails authentication it's put in the guest VLAN or denied access?

jafrazie Thu, 10/30/2008 - 15:07
User Badges: Cisco Employee

If the Cisco 7970 IP phone is set up to do 802.1X, this should have nothing to do with the MAC address of it.

If you enable the phone to do 802.1X, it will perform EAP-MD5 with a username and password that you give it.

The phone may still be permitted based on your port config. Adding the MAC as a username/password would work for authenticating non-1X phones.


This should help you out:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
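A port configuration that reproduces what this answer describes, added here as an example; it is not part of the thread or of the Cisco document linked above. It assumes a Catalyst access switch running 12.2-era IOS, and the interface name, VLAN numbers, RADIUS server address and shared secret are placeholders. Two points in the comments come from Cisco's MDA documentation rather than from this thread: a single-host port with a voice VLAN lets a CDP-learned phone onto the voice VLAN without enforcing 802.1X on it, and under MDA the RADIUS server (ACS here) must return the Cisco AV pair `device-traffic-class=voice` for the phone to be authorized into the voice domain. The guest and auth-fail VLANs apply to the data domain; a phone that fails 802.1X in the voice domain is simply not authorized, which is the denial the question asks for.

```text
! Global 802.1X and RADIUS setup. ACS is the RADIUS server; the address
! and key below are placeholders, not values from this thread.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <shared-secret>

! BEFORE: single-host mode with a voice VLAN. The phone is learned via CDP
! and placed on the voice VLAN; 802.1X is only enforced for the data VLAN,
! so ACS logging a failed EAP-MD5 exchange changes nothing and calls work.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 dot1x port-control auto

! AFTER: multi-domain authentication (MDA). The phone must pass 802.1X to
! enter the voice domain; ACS has to return the Cisco AV pair
!   cisco-av-pair = device-traffic-class=voice
! for that user (assumption from Cisco's MDA docs, not from the thread).
! A data device that fails lands in the auth-fail VLAN; one that never
! speaks EAPOL lands in the guest VLAN. Neither VLAN may be the voice VLAN.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x auth-fail vlan 999
 dot1x auth-fail max-attempts 3
 dot1x guest-vlan 998
 dot1x reauthentication
 dot1x timeout reauth-period 3600

! Verify: the port should show MULTI_DOMAIN host mode and, after a failed
! phone authentication, no authorized client in the voice domain.
show dot1x interface FastEthernet0/1 details
```

The `dot1x auth-fail max-attempts` count decides how many failed EAP exchanges a data device gets before it is moved to VLAN 999; test the failure path by deliberately setting the wrong password on the phone and confirming with the `show` command that the phone is no longer passing traffic on VLAN 100.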


niall-wilkins Fri, 10/31/2008 - 07:20

The 7970 phone is using firmware 8.2(1) and there is no option to enter a username. I can only input a password. I don't have an option to input a username.

Correct Answer
jafrazie Fri, 10/31/2008 - 08:14
User Badges: Cisco Employee

Right. This is the phone doing MD5. Every phone will have a unique and hard-coded username. It's designed to simplify configuration on the phone side.


You'll have to verify, since I don't have one handy, but I think the username is something like "SEP-mac-address-phone-model" or something like that.


HTH,

niall-wilkins Fri, 10/31/2008 - 08:21

Ok,

That's the way I have it in ACS. The username is the SEP info.

Thanks for the help
