802.1x (dot1x) with IP Phone / Workstation using Multi-Domain Authentication (MDA)

Answered Question
Mar 31st, 2010

Scenario:

Workstation (behind the phone)

IP Phone 7911 software 8.5(2)

ACS 4.1 with AD on the same server

Cisco Switch WS-C3750E-24PD with c3750e-universalk9-mz.122-53.SE1.bin

Guides used:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

To accomplish:

Computer and IP phone authentication with 802.1x: the phone using EAP-MD5 and the workstation using PEAP-MSCHAPv2.

Tried and Worked:

Workstation using EAP-MD5 (with an ACS username) and using PEAP (with an AD username); it also gained access to the correct VLAN, depending on the username.

The log from the ACS, failed authentication:

Message-Type | User-Name | Group-Name | Caller-ID | Network Access Profile Name | Authen-Failure-Code

Authen failed | CP-7911G-SEP00254594D6BA | VOZ | 00-25-45-94-D6-BA | (Default) | EAP type not configured

The Switch's config:

aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.32.250.250 auth-port 1645 acct-port 1646 key 7 095F4B07110445425B54
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 200
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 mls qos trust device cisco-phone
 mls qos vlan-based
 dot1x pae both
 dot1x timeout quiet-period 20
 dot1x timeout server-timeout 100
 dot1x timeout tx-period 100
 storm-control broadcast level 15.00
 storm-control multicast level 10.00
 spanning-tree portfast
 spanning-tree guard root

ACS configuration summary:

Configured the AAA

2 groups, voice and data, each with their respective VLANs and configuration parameters on the ACS (Attribute-Value (AV) pairs)

Added the user name and password for IP phones

Mapped the AD to the Data group

Issued a certificate and installed in the workstation

Configured the Global Authentication Setup, where I checked the boxes for PEAP and EAP-MD5

So, like I said, it authenticates only the workstation without the IP phone. When I add the IP phone, it does not authenticate either of them.

Does anyone have a light?
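As an added triage example (not from this post or from Cisco): a small Python script over constructed ACS "Failed Attempts" lines in the column order listed above. It separates phone identities (CP-<model>-SEP<MAC>) from workstation ones, tallies Authen-Failure-Code per domain, and flags phone rows whose Caller-ID MAC does not match the MAC embedded in the identity, which is the consistency check a defender would want before trusting a voice-domain authentication. The CSV layout and the non-phone failure string are assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the column order the post lists for the ACS
# "Failed Attempts" report (assumption: a CSV export with these headers).
SAMPLE_LOG = """\
Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code
Authen failed,CP-7911G-SEP00254594D6BA,VOZ,00-25-45-94-D6-BA,(Default),EAP type not configured
Authen failed,CP-7911G-SEP00254594D6BA,VOZ,00-25-45-94-D6-BA,(Default),EAP type not configured
Authen failed,CP-7941G-SEP001122334455,VOZ,00-11-22-33-44-66,(Default),EAP type not configured
Authen failed,DOMAIN\\jdoe,DATA,00-1A-2B-3C-4D-5E,(Default),External DB user invalid or bad password
"""

# Cisco IP phone 802.1X identity, as in the post: CP-<model>-SEP<MAC, 12 hex digits>
PHONE_ID = re.compile(r"^CP-(?P<model>[A-Za-z0-9]+)-SEP(?P<mac>[0-9A-Fa-f]{12})$")

def norm_mac(mac):
    """Reduce any MAC notation (00-25-45-94-D6-BA, 0025.4594.d6ba) to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def classify(row):
    """Return ('voice' or 'data', Caller-ID matches the MAC in the identity)."""
    m = PHONE_ID.match(row["User-Name"])
    if not m:
        return "data", True  # no embedded MAC to compare for workstation users
    return "voice", norm_mac(m.group("mac")) == norm_mac(row["Caller-ID"])

def summarize(log_text):
    """Tally Authen-Failure-Code per domain; collect phone rows with a MAC mismatch."""
    failures = {"voice": Counter(), "data": Counter()}
    mismatches = []
    for row in csv.DictReader(io.StringIO(log_text)):
        domain, mac_ok = classify(row)
        failures[domain][row["Authen-Failure-Code"]] += 1
        if not mac_ok:
            mismatches.append((row["User-Name"], row["Caller-ID"]))
    return failures, mismatches

if __name__ == "__main__":
    failures, mismatches = summarize(SAMPLE_LOG)
    for domain, counts in failures.items():
        for code, n in counts.most_common():
            print(f"{domain:5} {n:3} x {code}")
    for ident, caller in mismatches:
        print(f"Caller-ID {caller} does not match identity {ident}")
```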

Correct Answer by Support Team, Thu, 04/29/2010 - 05:17

Hello

First you can try another software version for the phone (for example 8.4.2S). I have a similar issue with 8.5 software and 7945/7965 phones. Second, you need to configure av-pair attributes on the ACS side for correct placement of the phone in the voice VLAN.

Regards

Stanislav

Rodrigo Gurriti Thu, 04/29/2010 - 05:33

Thanks man! There is a bug that affects dot1x on phones... the bad thing is that I can't downgrade my phones because of other bugs and my CallManager doesn't take a newer version.

Take a look at this bug:

CSCsz59661

PS. I had the av-pair for the phones... I found out about this bug a week ago and I tried one phone with an 8.4 release and it worked just fine.
