802.1x and VOIP

niall-wilkins (Level 1)

I am trying to figure out how to get our 7970 phones to authenticate with ACS. The phones have been configured for 802.1x and a pre-shared password has been selected. The ports on the switch have also been configured. In ACS I added the MAC address of the phone to ACS. When I test by using the wrong username and password I see the failed attempts by the phone in the logs of ACS.....However the phone is still allowed to connect and make calls. A co-worker was able to get this to work by selecting "enable AV-PAIR" under group setup. However I have no idea what variables would go in here to make this work. Does any one have any expereince in making this work?


6 Replies

Premdeep Banga (Level 7)

I followed this guide but for whatever reason the phone keeps staying authenticated when the wrong password is entered. If I check the phone status on the 7970 it says 802.1x authentication failed. Yet it still has access and I can make calls. It doesn't get put on the authentication VLAN. Here is the status of the port and the configs. The phone is plugged into FastEthernet 1/1.

Dot1x Info for FastEthernet1/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 60 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Auth-Fail-Vlan = 20
Auth-Fail-Max-attempts = 2

Dot1x Authenticator Client List Empty

Port Status = UNAUTHORIZED

Phone status says authentication failed yet I see this.

outer#show dot1x all summary
Interface   PAE    Client           Status
--------------------------------------------------------
Fa1/1       AUTH   0014.f29c.dd6f   AUTHORIZED

My interface is configured as follows:

interface FastEthernet1/1
 switchport voice vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period 60
 dot1x reauthentication
 dot1x auth-fail vlan 20
 dot1x auth-fail max-attempts 2

What happens if you remove the command "dot1x auth-fail vlan 20" under interface Fa1/1?

Regards,

Prem

You need to add multi-domain authentication to the port, per the previous doc. Else, the phone will get access simply b/c it's exchanging CDP info with the switch.

Hope this helps,
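The fix described in this reply, shown as an added example that is not from the thread: the weak single-host port as posted above beside a multi-domain (MDA) version, plus the ACS attribute the phone's group must return. Interface Fa1/1 and voice VLAN 10 come from the original post; data VLAN 30 and the newer authentication-manager CLI syntax are assumptions, since the IOS release is not given, and MDA requires a switch that supports it (the thread notes the 2811's onboard switch does not).

```text
! --- Weak: single-host mode with a voice VLAN (as posted above) ---
! The switch learns the phone via CDP and admits it to voice VLAN 10
! even though the EAP exchange fails, so ACS logs the bad credentials
! but calls still go through.
interface FastEthernet1/1
 switchport voice vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x timeout reauth-period 60

! --- Corrected: multi-domain authentication (MDA) ---
! One authenticated host is allowed in the voice domain and one in the
! data domain; the phone must now pass 802.1X (or MAB) before it is
! placed on VLAN 10. Data VLAN 30 is an assumed value.
interface FastEthernet1/1
 switchport mode access
 switchport access vlan 30
 switchport voice vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x reauthentication
 dot1x timeout reauth-period 60
! On releases with the authentication-manager CLI (assumed 12.2(50)SE
! or later) the last four dot1x lines become:
!  authentication port-control auto
!  authentication host-mode multi-domain
!  authentication periodic
!  authentication timer reauthenticate 60

! --- ACS side ---
! For MDA the RADIUS server must return the Cisco AV pair
!   cisco-av-pair = device-traffic-class=voice
! in the phone's group so the switch assigns it to the voice domain;
! without it the phone is authorized only as a data-domain host and is
! not permitted on the voice VLAN.

! --- Verify ---
! show dot1x interface FastEthernet1/1 details
!   HostMode should read MULTI_DOMAIN, and the phone's MAC should appear
!   in the authenticator client list only after a successful exchange,
!   not while the phone itself reports "802.1x authentication failed".
```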

Is multi-domain authentication supported on a Cisco 2811 ISR? I am using the onboard switch. I don't think this command is supported.

So it appears as though it's a limitation of the switch card on the 2811, as it does not support multi-domain authentication. I will need to use a 3750.
