multi-domain with Cisco IP-Phone / Workstation

Apr 7th, 2010

Hi,


I set up a 3560 running 12.2(52)SE to use 802.1X with host-mode multi-domain, to get an IP phone (CP 7962G v04) and a workstation together on the same port.


I read all the guides I found on cisco.com, e.g.


http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/sw8021x.html


The phone is MAB authenticated, the workstation uses PEAP.


Everything works fine if only the workstation is connected to the port.

If host-mode is not configured, the IP phone also operates as a single device on the port. It also works if I set the host-mode to multi-host.


Actually I have a problem getting both devices authenticated with multi-domain.

The switch logs that both devices authenticated properly, but the IP phone restarts the authentication every 60 sec; every time the phone passes but fails to get any connection.



Any ideas?


Thx


Sebastian

sebastiangille Thu, 04/08/2010 - 11:02

I found one mistake in an IAS extension configuration.


But every time the phone passes the authentication process, the domain is set to DATA,


e.g.


            Interface:  FastEthernet0/18
          MAC Address:  0021.....
           IP Address:  Unknown
            User-Name:  0021....
               Status:  Authz Success
               Domain:  DATA ( must be VOIP!!!!! )
       Oper host mode:  multi-domain
     Oper control dir:  in
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  300s (local), Remaining: 117s
    Common Session ID:  0A040552000011D5E666C4C5
      Acct Session ID:  0x000012A8
               Handle:  0x290001D5


CDP and LLDP are active on the IP phone.

sebastiangille Mon, 04/12/2010 - 09:15

A very simple solution.

I forgot "aaa authorization network default group radius".

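For reference, here is a complete switch-side configuration for the scenario in this thread (MAB phone plus PEAP workstation on one multi-domain port), as an added example that is not taken from the original posts or from Cisco's documentation. The RADIUS server address, shared secret and VLAN IDs are placeholders. It assumes, as the Cisco MDA guide states, that the RADIUS server returns the Cisco AV pair `device-traffic-class=voice` for the phone's MAB session; that attribute is only applied to the port when `aaa authorization network` is configured, which is why its absence leaves the phone in the DATA domain as shown in the session output above.

```ios
! Added example for the thread's scenario (not from the original posts).
! 192.0.2.10, the shared secret and the VLAN IDs are placeholders.
aaa new-model
aaa authentication dot1x default group radius
!
! Without this line the switch authenticates the phone but never applies the
! attributes RADIUS returns (VLAN, ACL, and the device-traffic-class=voice
! AV pair). The MAB session is then authorized into the DATA domain, which
! is what the "Domain: DATA" output in this thread shows.
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusSharedSecret
!
! Enables 802.1X globally; per-port commands do nothing without it.
dot1x system-auth-control
!
interface FastEthernet0/18
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! One VOICE domain and one DATA domain per port.
 authentication host-mode multi-domain
 ! Try MAB first so the phone is not held up by the 802.1X timeout;
 ! if the PC speaks EAP, dot1x takes priority over its MAB result.
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! RADIUS side (policy matching the phone's MAC as user name), attribute to return:
!   Cisco-AVPair (vendor 9, attribute 1) = "device-traffic-class=voice"
!
! Verification:
!   show authentication sessions interface FastEthernet0/18
! expect "Domain: VOICE" for the phone's MAC and "Domain: DATA" for the PC.
```

If the phone still lands in DATA with the authorization line present, check the RADIUS server's policy: the AV pair must be on the access-accept for the phone's MAB session, and `debug radius` on the switch will show whether it arrived.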
thananan_c Wed, 04/14/2010 - 03:07

Congrats !!!


How many IP phones have you/the customer deployed in MDA mode?

I wonder how I can manage adding IP phones' MACs to RADIUS and setting up EAP passwords on thousands of IP phones.

sebastiangille Wed, 04/14/2010 - 03:26

Hi,


I tested MAB with IP phones on MS IAS (no password). The phone authenticates with a computer account (AD).

EAP-MD5 is not practical for authenticating IP phones with MS IAS, because you must configure Active Directory for reversible passwords (LM hash); this is highly insecure.


It is also possible to authenticate IP phones against ACS with EAP-MD5 or EAP-TLS; EAP-TLS is the preferred method, to avoid the EAP-MD5 "typing" password problem :-)

rtimmermans Fri, 10/29/2010 - 04:48

Hi Sebastian,


I am struggling with Microsoft NPS to do the same with phones as computer accounts; how did you manage to get it working?

MICHAEL CARTER Tue, 08/16/2011 - 01:05

Hello Robert,


Regarding your .1X config: did you manage to get Microsoft NPS to authenticate the phones? How did you do this?


Michael

rtimmermans Wed, 08/17/2011 - 03:03

Hi Michael,


I have examined this very thoroughly. I did not get Microsoft NPS to authenticate the phones.

Strange thing I encountered: when a device was connected to a switch directly, NPS managed to authenticate it, but when the device was behind a phone, NPS didn't recognize the "handshake" anymore.

I even traced it with Wireshark.


Now we don't need the telephones authenticated: they have their own voice VLAN. But the switch in the phone needs to send the 802.1X authentication to the RADIUS server.

So I tried the same with Cisco ACS, and managed to get it working. Same setup.

MICHAEL CARTER Thu, 08/18/2011 - 00:55

Hi,


TAC also found this bug, which I reckon is the same issue.


http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsr71675


DE has decided it is not worth fixing, which seems a bit short-sighted seeing how many organisations are running NPS and Cisco Voice, so if anyone else really needs this you will need to create a PER.


Next step for us is to install a Cisco ACS and try to configure NPS to proxy to the ACS just for the phones.

sebastiangille Wed, 10/19/2011 - 09:54

Hi Robert,


Sorry for this late reply to your post (29.10.2010 05:48).

I authenticate the phones by MAB with IAS/NPS using a third-party extension from rt-solutions.de.

This extension makes it possible, among other things, to authenticate "MAB phones" using computer accounts in your AD.
