multi-domain with Cisco IP-Phone / Workstation

sebastiangille
Level 1

Hi,

I set up a 3560 ver. 12.2(52)SE to use 802.1X with host-mode multi-domain to get an IP-Phone (CP 7962G v04) and a Workstation together on the same port.

I read all the guides I found on cisco.com, e.g.

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/sw8021x.html

The Phone is MAB-authenticated, the Workstation uses PEAP.

Everything works fine, if only the workstation is connected to the port.

If host-mode is not configured, the IP-Phone also works as a single device on the port. It also works if I set the host-mode to multi-host.

What I actually have a problem with is getting both devices authenticated with multi-domain.

The switch logs that both devices authenticated properly, but the IP-Phone restarts the authentication every 60 sec; every time the phone passes but fails to get any connection.

Any ideas?

Thx

Sebastian

9 Replies

sebastiangille
Level 1

I found one mistake in an IAS extension configuration.

But every time the phone passes the authentication process, the domain is set to DATA,

e.g.

            Interface:  FastEthernet0/18
          MAC Address:  0021.....
           IP Address:  Unknown
            User-Name:  0021....
               Status:  Authz Success
               Domain:  DATA ( must be VOIP!!!!! )
       Oper host mode:  multi-domain
     Oper control dir:  in
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  300s (local), Remaining: 117s
    Common Session ID:  0A040552000011D5E666C4C5
      Acct Session ID:  0x000012A8
               Handle:  0x290001D5

CDP and LLDP are active on the IP-Phone.

A very simple solution.

I forgot "aaa authorization network default group radius".
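The configuration this thread converges on, as an added example that is not the poster's own config: the global AAA block including the forgotten "aaa authorization network" line, an MDA port matching the FastEthernet0/18 session shown above, and the RADIUS attribute the switch needs to place the phone in the VOICE domain. The VLAN numbers, RADIUS server address and key are assumed placeholders.

```cisco
! Global AAA. The authorization line is the one the poster had forgotten:
! without "aaa authorization network", the switch authenticates the phone
! but never applies the RADIUS-returned attributes, so the MAB session
! falls into the DATA domain and MDA cannot complete for the phone.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! Assumed server address and key (placeholders, not from the thread).
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS_KEY_PLACEHOLDER
radius-server vsa send authentication
!
dot1x system-auth-control
!
! Port from the session output above: phone via MAB, workstation via PEAP.
interface FastEthernet0/18
 description MDA port: IP phone (MAB) + workstation (PEAP)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! On the RADIUS server, the policy that matches the phone's MAC (MAB) must
! return the Cisco vendor-specific attribute that names the domain:
!   cisco-avpair = "device-traffic-class=voice"
! Only then does "show authentication sessions interface FastEthernet0/18"
! report "Domain: VOICE" for the phone and "Domain: DATA" for the workstation.
```

If the phone still shows "Domain: DATA" after the authorization line is added, check the RADIUS policy returns the attribute above, since the switch cannot infer the domain from MAB alone.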

Congrats!!!

How many IP Phones have you/the customer deployed in MDA mode?

I wonder how I can manage adding IP Phones' MACs to RADIUS and setting up EAP passwords on thousands of IP Phones.

Hi,

I tested MAB with IP-Phones on MS IAS (no password). The phone authenticates with a computer account (AD).

EAP-MD5 is not practical for authenticating IP Phones with MS IAS, because you must configure Active Directory for reversible passwords (LM-Hash), which is highly insecure.

It is also possible to authenticate IP-Phones against ACS with EAP-MD5 or EAP-TLS. EAP-TLS is the preferred method, to avoid the EAP-MD5 "typing" password problem :-)

Hi Sebastian,

I am struggling with Microsoft NPS to do the same with phones as computer accounts. How did you manage to get it working?

Hello Robert,

Regarding your .1x config: did you manage to get Microsoft NPS to authenticate the phones? How did you do this?

michael.

Hi Michael,

I have examined this very thoroughly. I did not get Microsoft NPS to authenticate the phones.

Strange thing I encountered: when a device was connected to a switch directly, NPS managed to authenticate it, but when the device was behind a phone, NPS didn't recognize the "handshake" anymore.

Even traced it with wireshark.

Now we don't need the telephones authenticated: they have their own Voice VLAN. But the switch in the phone needs to send the 802.1x authentication to the RADIUS server.

So I tried the same with Cisco ACS, and managed to get it working. The same setup.

Hi,

TAC also found this bug on what I reckon is the same issue.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsr71675

DE has decided it is not worth fixing, which seems a bit short-sighted seeing how many organisations are running NPS and Cisco Voice. So if anyone else really needs this, then you will need to create a PER.

Next step for us is to install a Cisco ACS and try and configure the NPS to proxy to the ACS just for the phones.

Hi Robert,

Sorry for this late reply to your post (29.10.2010 05:48).

I authenticate the phones by MAB with IAS/NPS using a third-party extension from rt-solutions.de.

This extension makes it possible, among other things, to authenticate "MAB phones" using computer accounts in your AD.
