802.1x authentication for 7942 IP phones

Unanswered Question
Apr 30th, 2010

I have a problem getting Cisco 7942 IP phones to come up in the voice VLAN with 802.1x. With the following configuration, when the phone starts up, authentication with the ACS server is good, but when I issue the command show mac address-table f0/1 the switch reports that the phone is up in the data VLAN. The phone, though, reports it is in the voice VLAN. I have configured the ACS group that the IP phones belong to to use "device-traffic-voice=voice", and the global config on the switch for aaa is also shown below.

I did have a problem when the phone's firmware was 8-5-5, where dot1x authentication first succeeded but then failed with EAP_FAST. Downgrading the firmware to 8-4-4S has resolved this and this is now where I am.


!
aaa new-model
!
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec VTY group tacacs+ none
aaa authorization network default group radius
aaa accounting exec VTY start-stop group tacacs+
!
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
aaa session-id common
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 80
 switchport port-security maximum 10
 load-interval 30
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 authentication control-direction in
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 storm-control broadcast level 10.00 8.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQoS-Police-CiscoPhone
!
tacacs-server host xxx.xxx.xxx.xxx key 7 ***removed***
tacacs-server host yyy.yyy.yyy.yyy key 7 ***removed***
tacacs-server timeout 60
tacacs-server directed-request
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key 7 ***removed***
radius-server host yyy.yyy.yyy.yyy auth-port 1645 acct-port 1646 key 7 ***removed***
radius-server retransmit 1
radius-server timeout 3
radius-server vsa send authentication
!


The CUCM version is 7.1.3

The ACS version is 4.2

Phone firmware is 8-4-4S

Switch IOS is c3560-ipservicesk9-mz.122-53.SE1
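
An added example, not part of the original post and not Cisco's code: a small Python check that audits a switch config and the cisco-av-pair values returned by RADIUS for the prerequisites of voice-domain authorization in multi-domain host mode. The function names are hypothetical, the sample config is a constructed excerpt of the one posted above, and the check assumes the documented Catalyst behavior that a device is placed in the voice domain only when the Access-Accept carries the Cisco AV pair device-traffic-class=voice.

```python
# Added example: audit multi-domain 802.1X prerequisites for the voice domain.
# Assumption: the switch authorizes a device in the voice domain only when
# RADIUS returns this cisco-av-pair; otherwise it is treated as a data device.
VOICE_AVPAIR = "device-traffic-class=voice"

REQUIRED_GLOBAL = [
    "aaa authorization network default group radius",
    "radius-server vsa send authentication",
    "dot1x system-auth-control",
]
REQUIRED_PORT = [
    "authentication host-mode multi-domain",
    "authentication port-control auto",
]

def split_config(text):
    """Return (global_lines, {interface: [lines]}); an interface block ends at '!'."""
    glob, ports, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif current:
            ports[current].append(line)
        else:
            glob.append(line)
    return glob, ports

def audit_voice_domain(config_text, port, av_pairs):
    """Return a list of findings; an empty list means every check passed."""
    glob, ports = split_config(config_text)
    body = ports.get(port, [])
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL if c not in glob]
    findings += [f"{port}: missing '{c}'" for c in REQUIRED_PORT if c not in body]
    if not any(cmd.startswith("switchport voice vlan ") for cmd in body):
        findings.append(f"{port}: no voice VLAN configured")
    if VOICE_AVPAIR not in [p.strip().lower() for p in av_pairs]:
        findings.append(f"RADIUS: no cisco-av-pair '{VOICE_AVPAIR}'; device is authorized in the data domain")
    return findings

# Constructed sample: a subset of the posted config, in flat form.
SAMPLE = ("aaa authorization network default group radius\ndot1x system-auth-control\n!\n"
          "interface FastEthernet0/1\nswitchport access vlan 10\nswitchport voice vlan 80\n"
          "authentication host-mode multi-domain\nauthentication port-control auto\n!\n"
          "radius-server vsa send authentication\n!\n")
```

Calling audit_voice_domain(SAMPLE, "FastEthernet0/1", [...]) with the AV pairs configured on the ACS group returns one RADIUS finding if none of them is exactly device-traffic-class=voice.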
