03-31-2010 02:59 PM - edited 03-10-2019 05:02 PM
Scenario:
Workstation (behind the Phone)
IP Phone 7911 software 8.5(2)
ACS 4.1 with AD on the same server
Cisco Switch WS-C3750E-24PD with c3750e-universalk9-mz.122-53.SE1.bin
Guide utilized:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml
To accomplish:
Computer and IP Phone's authentication with 802.1x. The phone using EAP-MD5 and the workstation with PEAP-MsChap-V2.
Tried and Worked:
Workstation using EAP-MD5 (with ACS username) and using PEAP (with AD username) and it also gained access to the correct vlan, depending on the username.
The log from the ACS, failed authentication:
Message-Type - User-Name -Group-Name - Caller-ID - Network Access Profile Name - Authen-Failure-Code
Authen failed - CP-7911G-SEP00254594D6BA - VOZ -00-25-45-94-D6-BA - (Default) - EAP type not configured
The Switch's config:
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.32.250.250 auth-port 1645 acct-port 1646 key 7 095F4B07110445425B54
interface GigabitEthernet1/0/3
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 200
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 mls qos trust device cisco-phone
 mls qos vlan-based
 dot1x pae both
 dot1x timeout quiet-period 20
 dot1x timeout server-timeout 100
 dot1x timeout tx-period 100
 storm-control broadcast level 15.00
 storm-control multicast level 10.00
 spanning-tree portfast
 spanning-tree guard root
ACS Configuration Resume:
Configured the AAA
2 Groups - voice and data, each with their respective vlans and configuration parameters on the ACS (Attribute-Value (AV))
Added the user name and password for IP phones
Mapped the AD to the Data group
Issued a certificate and installed in the workstation
Configured the Global Authentication Setup, where I checked the boxes PEAP and EAP-MD5
So like I said, it authenticates only the workstation without the IP Phone. When I add the IP Phone it does not authenticate either of them.
Does anyone have a light?
04-29-2010 05:17 AM
Hello
First, you can try another sw for the phone (for example 8.4.2S). I have a similar issue with 8.5 software and 7945/7965 phones. Second, you need to configure av-pair attributes on the ACS side for correct placement of the phone in the voice vlan.
Regards
Stanislav
04-29-2010 05:33 AM
Thanks man! There is a bug that affects the dot1x on phones... the bad thing is that I can't downgrade my phones because of other bugs and my callmanager doesn't take a newer version.
Take a look at this bug
cscsz59661
PS. I had the av-pair for the phones ... I found out about this bug a week ago and I tried out one phone w/ a 8.4 release and it worked just fine.
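An added example (not part of the thread and not Cisco's code): a Python triage of ACS failed-attempt lines in the layout quoted in the first post, separating EAP-method rejections like the one in this thread from a phone identity presented with a Caller-ID that does not match it. The finding names and the two extra log lines are constructed, and the SEP-plus-MAC identity convention is an assumption taken from the quoted line.

```python
import re

MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
# Field order as listed in the post. Caller-ID (a MAC) is the only field with a
# fixed shape, so the pattern anchors on it: user names such as CP-7911G-SEP...
# contain hyphens, and the separator spacing in the log is inconsistent.
LINE = re.compile(
    r"^(?P<message_type>.+?)\s+-\s*(?P<user_name>\S+)\s+-\s*(?P<group_name>.*?)\s*-\s*"
    r"(?P<caller_id>" + MAC + r")\s+-\s*(?P<profile>.+?)\s+-\s*(?P<failure_code>.+)$"
)

SAMPLE = [
    # The line quoted in the thread.
    "Authen failed - CP-7911G-SEP00254594D6BA - VOZ -00-25-45-94-D6-BA - (Default) - EAP type not configured",
    # Constructed: the same phone identity presented from a different MAC.
    "Authen failed - CP-7911G-SEP00254594D6BA - VOZ - 00-11-22-33-44-55 - (Default) - EAP type not configured",
    # Constructed: an ordinary workstation failure, not of interest here.
    "Authen failed - jdoe - DATA - 00-11-22-33-44-55 - (Default) - CS password invalid",
]

def parse(line):
    """Split one failed-attempt line into named fields, or return None."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return (finding, user_name, caller_id) tuples for lines worth a look."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        # Assumption: phone identities end in SEP + the phone's 12-hex-digit MAC.
        sep = re.search(r"SEP([0-9A-Fa-f]{12})$", rec["user_name"])
        mac = rec["caller_id"].replace("-", "").upper()
        if sep and sep.group(1).upper() != mac:
            findings.append(("identity-mac-mismatch", rec["user_name"], rec["caller_id"]))
        elif rec["failure_code"] == "EAP type not configured":
            findings.append(("eap-method-rejected", rec["user_name"], rec["caller_id"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="  ")
```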