Workstation (behind the phone)
IP Phone 7911 software 8.5(2)
ACS 4.1 with AD on the same server
Cisco Switch WS-C3750E-24PD with c3750e-universalk9-mz.122-53.SE1.bin
Computer and IP phone authentication with 802.1X. The phone uses EAP-MD5 and the workstation uses PEAP-MSCHAPv2.
Tried and Worked:
Workstation using EAP-MD5 (with ACS username) and using PEAP (with AD username); it also gained access to the correct VLAN, depending on the username.
The log from the ACS, failed authentication:
Message-Type - User-Name - Group-Name - Caller-ID - Network Access Profile Name - Authen-Failure-Code
Authen failed - CP-7911G-SEP00254594D6BA - VOZ - 00-25-45-94-D6-BA - (Default) - EAP type not configured
The Switch's config:
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.32.250.250 auth-port 1645 acct-port 1646 key 7 095F4B07110445425B54
switchport mode access
switchport voice vlan 200
authentication host-mode multi-domain
authentication port-control auto
mls qos trust device cisco-phone
mls qos vlan-based
dot1x pae both
dot1x timeout quiet-period 20
dot1x timeout server-timeout 100
dot1x timeout tx-period 100
storm-control broadcast level 15.00
storm-control multicast level 10.00
spanning-tree guard root
ACS configuration summary:
Configured the AAA
2 groups - voice and data, each with their respective VLANs and configuration parameters on the ACS (Attribute-Value (AV))
Added the user name and password for IP phones
Mapped the AD to the Data group
Issued a certificate and installed in the workstation
Configured the Global Authentication Setup, where I checked the boxes PEAP and EAP-MD5
So like I said, it authenticates only the workstation without the IP phone. When I add the IP phone it does not authenticate either of them.
Does anyone have a light?
First, you can try another software version for the phone (for example 8.4.2S). I have a similar issue with 8.5 software and 7945/7965 phones. Second, you need to configure av-pair attributes on the ACS side for correct placement of the phone in the voice VLAN.
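
The av-pair check from the reply above, as an added example that is not part of the original thread or of any Cisco tool: with `authentication host-mode multi-domain`, the switch authorizes an endpoint in the voice domain only when the Access-Accept carries `cisco-av-pair = device-traffic-class=voice`, and dynamic VLAN assignment for the data group needs all three IETF tunnel attributes. The group names, VLAN number and function names are constructed for illustration.

```python
# Added example. Group names and VLAN numbers are constructed sample data.
VOICE_AVPAIR = "device-traffic-class=voice"   # Cisco VSA (cisco-av-pair)
VLAN_ATTRS = {                                # IETF attributes for dynamic VLAN assignment
    "Tunnel-Type": "VLAN",                    # attribute 64, value 13
    "Tunnel-Medium-Type": "802",              # attribute 65, value 6
    "Tunnel-Private-Group-ID": None,          # attribute 81, any non-empty VLAN id or name
}

def check_profile(group, domain, attrs):
    """Return the problems found in one group's Access-Accept attributes."""
    problems = []
    is_voice = VOICE_AVPAIR in attrs.get("cisco-av-pair", [])
    if domain == "voice" and not is_voice:
        problems.append(f"{group}: no cisco-av-pair '{VOICE_AVPAIR}', "
                        "so the switch authorizes the phone in the data domain")
    if domain == "data" and is_voice:
        problems.append(f"{group}: data group would be authorized in the voice domain")
    # A partial set of tunnel attributes does not result in a VLAN assignment.
    present = [a for a in VLAN_ATTRS if attrs.get(a)]
    if present and len(present) < len(VLAN_ATTRS):
        missing = sorted(set(VLAN_ATTRS) - set(present))
        problems.append(f"{group}: incomplete VLAN assignment, missing {', '.join(missing)}")
    for attr, want in VLAN_ATTRS.items():
        if want and attrs.get(attr) and attrs[attr] != want:
            problems.append(f"{group}: {attr} is {attrs[attr]!r}, expected {want!r}")
    return problems

# Constructed profiles: "voice" lacks the AV pair, "data" lacks Tunnel-Medium-Type.
SAMPLE = {
    "voice": ("voice", {"cisco-av-pair": []}),
    "data": ("data", {"Tunnel-Type": "VLAN", "Tunnel-Private-Group-ID": "100"}),
}

def audit(profiles):
    """Check every group and return all problems as a flat list."""
    out = []
    for group, (domain, attrs) in profiles.items():
        out.extend(check_profile(group, domain, attrs))
    return out

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```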