Configuring VoIP Phones to use Dot1.x Authentication

Unanswered Question
Sep 21st, 2010

I am part of a diverse team that is in the process of implementing a VoIP solution within our organisation, which will see approximately 3000 new telephones deployed to the desktop across a geographically dispersed network.  One of the criteria that has been chosen as part of the solution is the use of Dot1x for the Authorisation and Authentication (A & A) of hosts connected to the network.  I am having some difficulty getting it to work and I was wondering if there is a simple whitepaper or solutions document somewhere that will assist in the implementation.

I should point out a few of the hurdles that I face as I don't believe the solution will necessarily be straightforward.  So here goes:-

  1. We currently use CISCO ACS 4.1 as a TACACS+ server to authenticate Management access to our fleet of approximately 300 network devices.
  2. Many of the VoIP phones will act as a switch for a Desktop Workstation, thus each switch port will need to automatically A & A two hosts into separate Vlans.
  3. The organisation uses separate DHCP Servers to issue IP addresses to hosts on the network.
  4. We are looking to use ACS 4.1 as the Radius Server but this has not been completely agreed on yet.  The other alternative is the use of a Windows Server running IAS.

I have found a number of documents on the A & A of Windows based hosts to the Radius Server but can't seem to find much information regarding CISCO VoIP phones, in particular how to set up the VoIP Phone as a user in ACS.

Any assistance or guidance on this matter will be appreciated

jamesemery Thu, 09/23/2010 - 15:46

Thanks for the reply,

I have tried to use the information within the document you recommended without success.  I have activated the debug options for both Dot1x events and Radius with some interesting results.  The messages received on the console indicate that the Authentication request is being received by the switch and relayed to the ACS Servers but then the request times out.  Looking at the ACS Server logs indicates that the request is never reaching the Radius Server as there is no entry for failed attempts or even radius accounting.  I am at a loss as to why this might be happening as I am able to ping the server from the switch and I don't believe that the UDP ports are being blocked in any way although I am yet to fully investigate this fact.

I am wondering if there are any configuration settings on the actual Windows Server that I may have overlooked when initially installing and configuring ACS?

James

Yudong Wu Thu, 09/23/2010 - 21:38

So, we need to figure out if the radius packet sent from the switch has reached the ACS box.

1. Install Wireshark on the ACS box and do a capture to see if you can see the incoming radius packet.

2. If not, you need to find out where it is blocked.

3. If yes, change the logging level on ACS to full, then try the authentication again, then capture your package.cab file from ACS and upload it here.

I would suggest you open a TAC case; that way, you can get fast support.

jamesemery Thu, 09/23/2010 - 22:23

This is all very frustrating as I believe that the Dot1x Authentication should be pretty straightforward.  Although I am no expert on all of this I am lost as to why it won't work.

To date I have:-

  • Created a user in ACS 4.2 for the VoIP Phone. I used the user name that appeared in the Debug printout as I feel that is a safe bet.  Did NOT set the password.
  • Added the User to a Group which is designated as a VoIP group
  • Added the Switch (Authenticator) to the Network Devices.  Set this to use Cisco IOS/PIX 6.0 for authentication
  • Set the cisco-av-pair=voice attribute
  • Set the Radius IETF attributes for vlan, 802 & vlan number
  • All shared secrets have been checked to ensure they are identical

The thing is that I don't think that I am even getting to the point where I need any of these settings, as the server is not responding to the switch when it sends out the authentication request.  I am now getting entries in the Failed Attempts Log and the error is "Invalid message authenticator in EAP request".  I am not quite sure exactly what this means but it indicates to me that ACS does not recognise the switch as an authenticator.

james

Yudong Wu Thu, 09/23/2010 - 22:52

In general, "Invalid message authenticator in EAP request" indicates a mismatched shared key.

Can you try to reconfigure a different key, say "cisco1234", on both the switch and the ACS box?

You can verify your connectivity from the switch to ACS by using the "test aaa" command.
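The "Invalid message authenticator" error discussed above is the RADIUS server's way of saying that the HMAC-MD5 Message-Authenticator attribute (RFC 3579) in the Access-Request did not verify under its copy of the shared secret, which is exactly what a secret mismatch between switch and ACS produces. The following Python script is an added example, not part of this thread or of any Cisco software: it builds an Access-Request carrying an EAP-Message plus a Message-Authenticator, then verifies that attribute the way a RADIUS server does, once with the matching secret and once with a different one. The secret "cisco1234" is borrowed from the reply above; the user name, identifier and EAP payload are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute numbers (RFC 2865 / RFC 2869 / RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Request Authenticator(16)


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (incl. 2-byte header), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, request_authenticator: bytes,
                         secret: bytes, attributes: list) -> bytes:
    """Build an Access-Request and stamp it with a Message-Authenticator.

    Per RFC 3579 the HMAC-MD5 is keyed with the shared secret and computed
    over the whole packet with the Message-Authenticator value zeroed.
    """
    body = b"".join(_attr(t, v) for t, v in attributes)
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder zeros
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(body)) + request_authenticator
    packet = header + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # The zeroed placeholder is the last 16 bytes of the packet; replace it.
    return packet[:-16] + mac


def parse_attributes(packet: bytes) -> list:
    """Return [(offset, type, value), ...] for every attribute in the packet."""
    attrs = []
    offset = HEADER_LEN
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((offset, attr_type, packet[offset + 2:offset + length]))
        offset += length
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Check the Message-Authenticator as a RADIUS server would.

    Returns False when the attribute is absent (RFC 3579 requires it on any
    Access-Request carrying EAP-Message), malformed, or computed under a
    different shared secret.
    """
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    for offset, attr_type, value in parse_attributes(packet):
        if attr_type != ATTR_MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return False
        zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        return hmac.compare_digest(expected, value)
    return False


def demo() -> tuple:
    """Constructed sample: one request, verified under the right and a wrong secret."""
    request_authenticator = bytes(range(16))  # constructed; real ones are random
    # Constructed EAP Response/Identity: code 2, id 1, length 10, type 1, "phone"
    eap_identity = b"\x02\x01\x00\x0a\x01phone"
    packet = build_access_request(
        identifier=7,
        request_authenticator=request_authenticator,
        secret=b"cisco1234",
        attributes=[(ATTR_USER_NAME, b"phone"), (ATTR_EAP_MESSAGE, eap_identity)],
    )
    good = verify_message_authenticator(packet, b"cisco1234")
    bad = verify_message_authenticator(packet, b"wrong-secret")
    return good, bad


if __name__ == "__main__":
    ok, mismatch = demo()
    print("matching secret verifies:", ok)        # True
    print("mismatched secret verifies:", mismatch)  # False
```

Because the HMAC is keyed with the secret, a server with a different secret cannot tell a typo in the key from a forged packet; both land in the same "invalid message authenticator" log entry, which is why re-keying both ends with a freshly typed value is the right first step before chasing ports or firewalls.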

jamesemery Tue, 09/28/2010 - 22:08

I have now checked all of my settings and can confirm that the shared secrets are the same on both the ACS4.2 Server and the CISCO 6509 switch.

I have used Wireshark to do some packet captures and can confirm that the Radius request is being forwarded to the Server but that the server is NOT responding to the request.  What I have noticed is that when I use the "NETSTAT" command on the server, ports 1645 and 1646 do not seem to be in the listening state, which is what I would expect.  This is not a definitive indication that something is wrong as Windows sometimes doesn't display all ports that are configured and active.

I was wondering though, does the Switch need to be configured for TACACS+ Authentication to the ACS server before it will work with the ACS Radius Server?  I appreciate that these are 2 different services for different requirements but I thought that there might be some dependency that I am unaware of.

I am now at a total loss as to what the problem is and am now going to raise a TAC case with CISCO.

Yudong Wu Wed, 09/29/2010 - 09:32

Your ACS is probably listening on port 1812/1813.

You need to check the related server configuration in "network configuration" to see which port they are listening on.

If it is 1812/1813, you need to change your switch configuration to point to the right port #.
