802.1x and VOIP

Answered Question
Nov 1st, 2008

I am trying to figure out how to get our 7970 phones to authenticate with ACS. The phones have been configured for 802.1x and a pre-shared password has been selected. The ports on the switch have also been configured. In ACS I added the MAC address of the phone to ACS. When I test by using the wrong username and password I see the failed attempts by the phone in the logs of ACS. However the phone is still allowed to connect and make calls. A co-worker was able to get this to work by selecting "enable AV-PAIR" under group setup. However I have no idea what variables would go in here to make this work. Does anyone have any experience in making this work?

niall-wilkins Sun, 11/02/2008 - 08:05

I followed this guide but for whatever reason the phone keeps staying authenticated when the wrong password is entered. If I check the phone status on the 7970 it says 802.1x authentication failed. Yet it still has access and I can make calls. It doesn't get put on the authentication VLAN. Here is the status of the port and the configs. The phone is plugged into FastEthernet 1/1.


Dot1x Info for FastEthernet1/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 60 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Auth-Fail-Vlan = 20
Auth-Fail-Max-attempts = 2

Dot1x Authenticator Client List Empty

Port Status = UNAUTHORIZED


Phone status says authentication failed yet I see this.

outer#show dot1x all summary
Interface PAE Client Status
--------------------------------------------------------
Fa1/1 AUTH 0014.f29c.dd6f AUTHORIZED


My interface is configured as follows:


interface FastEthernet1/1
 switchport voice vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period 60
 dot1x reauthentication
 dot1x auth-fail vlan 20
 dot1x auth-fail max-attempts 2

Premdeep Banga Sun, 11/02/2008 - 08:42

What happens if you remove the command "dot1x auth-fail vlan 20" under the interface Fa1/1?


Regards,

Prem

Correct Answer
jafrazie Sun, 11/02/2008 - 09:00

You need to add multi-domain authentication to the port, per the previous doc. Else, the phone will get access simply b/c it's exchanging CDP info with the switch.


Hope this helps,



niall-wilkins Sun, 11/02/2008 - 15:54

Is multi-domain authentication supported on a Cisco 2811 ISR? I am using the onboard switch. I don't think this command is supported.

niall-wilkins Mon, 11/03/2008 - 09:31

So it appears as though it's a limitation of the switch card on the 2811, as it does not support multi-domain authentication. I will need to use a 3750.
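The change jafrazie recommends, written out as a before/after interface configuration. This is an added example, not configuration from this thread or from Cisco; it assumes a Catalyst 3750 (the platform niall-wilkins plans to move to) whose IOS accepts `dot1x host-mode multi-domain`, and the RADIUS server address, shared secret and data VLAN 30 are placeholders or assumed values.

```cisco
! Global 802.1X/AAA setup (assumed; the thread only shows the interface)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
! ACS address and key are placeholders
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <RADIUS-KEY>
!
! BEFORE (as posted): HostMode = SINGLE_HOST. The phone is learned through
! CDP on the voice VLAN and is not tied to the 802.1X result, so a failed
! EAP exchange still leaves it able to register and place calls.
interface FastEthernet1/1
 switchport voice vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period 60
 dot1x reauthentication
 dot1x auth-fail vlan 20
 dot1x auth-fail max-attempts 2
!
! AFTER: multi-domain authentication (MDA). The port allows one voice and
! one data device, and each must pass 802.1X before it gets its own domain.
! The auth-fail VLAN is left out here: its behaviour with a voice domain is
! platform-specific, so check the switch's release notes before re-adding it.
interface FastEthernet1/1
 switchport mode access
 switchport access vlan 30
 switchport voice vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout reauth-period 60
 dot1x reauthentication
!
! ACS side (the "AV-PAIR" the original post asks about): for MDA the
! RADIUS Access-Accept for the phone must carry the Cisco VSA
!   cisco-av-pair = "device-traffic-class=voice"
! or the switch treats the phone as a data device and refuses the voice VLAN.
```

After the change, `show dot1x interface FastEthernet1/1` should report HostMode = MULTI_DOMAIN, and a phone that fails the exchange should no longer appear as AUTHORIZED in `show dot1x all summary`.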
