11-01-2008 11:15 AM - edited 03-10-2019 04:10 PM
I am trying to figure out how to get our 7970 phones to authenticate with ACS. The phones have been configured for 802.1x and a pre-shared password has been selected. The ports on the switch have also been configured. In ACS I added the MAC address of the phone to ACS. When I test by using the wrong username and password I see the failed attempts by the phone in the logs of ACS. However, the phone is still allowed to connect and make calls. A co-worker was able to get this to work by selecting "enable AV-PAIR" under group setup. However, I have no idea what variables would go in here to make this work. Does anyone have any experience in making this work?
11-01-2008 11:18 AM
Try following this doc,
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml
Regards,
Prem
Please rate if it helps!
11-02-2008 08:05 AM
I followed this guide but for whatever reason the phone keeps staying authenticated when the wrong password is entered. If I check the phone status on the 7970 it says 802.1x authentication failed. Yet it still has access and I can make calls. It doesn't get put on the authentication VLAN. Here is the status of the port and the configs. The phone is plugged into FastEthernet 1/1.
Dot1x Info for FastEthernet1/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 60 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Auth-Fail-Vlan = 20
Auth-Fail-Max-attempts = 2
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
Phone status says authentication failed yet I see this.
outer#show dot1x all summary
Interface PAE Client Status
--------------------------------------------------------
Fa1/1 AUTH 0014.f29c.dd6f AUTHORIZED
My interface is configured as follows:
interface FastEthernet1/1
switchport voice vlan 10
dot1x pae authenticator
dot1x port-control auto
dot1x timeout reauth-period 60
dot1x reauthentication
dot1x auth-fail vlan 20
dot1x auth-fail max-attempts 2
11-02-2008 08:42 AM
What happens if you remove the command,
"dot1x auth-fail vlan 20" under the interface Fa1/1 ?
Regards,
Prem
11-02-2008 09:00 AM
You need to add multi-domain authentication to the port, per the previous doc. Else, the phone will get access simply b/c it's exchanging CDP info with the switch.
Hope this helps,
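As an added example (not code from this thread, from Cisco, or from ACS), here is a small Python audit that scans an IOS running-config for the exact combination the reply above describes: a port with a voice VLAN and 802.1X enforcement but no multi-domain host mode. In that state the switch treats the CDP-speaking phone as the one allowed host and the port can show AUTHORIZED even though the EAP exchange failed. The sample config is constructed to mirror the FastEthernet1/1 interface posted above; the second and third interfaces are assumed for contrast.

```python
"""Audit a Cisco IOS running-config for 802.1X voice ports that lack
multi-domain authentication (MDA). Added example; not from the thread."""
import re

# Constructed sample, modelled on the interface posted in the thread.
# FastEthernet1/2 and 1/3 are assumed, added only for contrast.
SAMPLE_CONFIG = """\
!
interface FastEthernet1/1
 switchport voice vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period 60
 dot1x reauthentication
 dot1x auth-fail vlan 20
 dot1x auth-fail max-attempts 2
!
interface FastEthernet1/2
 switchport voice vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
!
interface FastEthernet1/3
 switchport access vlan 30
 dot1x pae authenticator
 dot1x port-control auto
!
"""

# Both the legacy "dot1x host-mode" form and the newer
# "authentication host-mode" form enable MDA, depending on IOS release.
MDA_PATTERNS = (
    re.compile(r"^dot1x host-mode multi-domain$"),
    re.compile(r"^authentication host-mode multi-domain$"),
)


def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from running-config text.

    Interface sub-commands are the indented lines that follow an
    'interface ...' line; a '!' separator or any non-indented line ends
    the current interface block.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces


def find_voice_ports_without_mda(config):
    """List interfaces that enforce 802.1X, carry a voice VLAN, and have no MDA."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        has_voice = any(c.startswith("switchport voice vlan") for c in cmds)
        has_dot1x = "dot1x port-control auto" in cmds
        has_mda = any(p.match(c) for c in cmds for p in MDA_PATTERNS)
        if has_voice and has_dot1x and not has_mda:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for port in find_voice_ports_without_mda(SAMPLE_CONFIG):
        print(f"{port}: voice VLAN + dot1x but no multi-domain host mode; "
              f"phone can be admitted via CDP without passing 802.1X")
```

Run against a real `show running-config` dump instead of SAMPLE_CONFIG to list every port that needs `dot1x host-mode multi-domain` (or `authentication host-mode multi-domain` on newer IOS). As the later replies note, the platform must actually support MDA; the check only tells you which ports are configured the way FastEthernet1/1 was here.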
11-02-2008 03:54 PM
Is multi-domain authentication supported on a Cisco 2811 ISR? I am using the onboard switch. I don't think this command is supported.
11-03-2008 09:31 AM
So it appears as though it's a limitation of the switch card on the 2811, as it does not support multi-domain authentication. I will need to use a 3750.