802.1x and Cisco IP Phone

niall-wilkins
Level 1

I am trying to authenticate a Cisco 7970 IP phone that is set up to do 802.1x with ACS. When I check the log files on ACS it shows that the phone failed authentication, but the phone is still allowed on the network and can make calls. I have added the MAC address as an ACS user and configured a password which matches the password configured on the phone. If I put the wrong password in, it's still allowed on the network; the port is never shut down. I was speaking to someone who was able to do this and they somehow enabled the av-pair. Only I am not sure what to put in there. Does anyone have an idea as to what would need to go in there so that when a phone fails authentication it's put in the guest VLAN or denied access?


jafrazie
Cisco Employee

If the Cisco 7970 IP phone is set up to do 802.1X, this should have nothing to do with the MAC address of it.

If you enable the phone to do 802.1X, it will perform EAP-MD5 with a username and password that you give it.

The phone may still be permitted based on your port config. Adding the MAC as a username/password would work for authenticating non-1X phones.

This should help you out:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA

The 7970 phone is using firmware 8.2(1) and there is no option to enter a username. I can only input a password. I don't have an option to input a username.

Right. This is the phone doing MD5. Every phone will have a unique and hard-coded username. It's designed to simplify configuration on the phone side.

You'll have to verify, since I don't have one handy, but I think the username is something like "SEP-mac-address-phone-model" or something like that.

HTH,
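
An added example, not part of the original thread and not Cisco's code: the server-side check behind an EAP-MD5 response (RFC 3748 section 5.4, using the RFC 1994 hash), showing why the account name has to match what the phone sends and not just the password. The user name `SEP001122334455`, the password and the challenge are constructed placeholders, and for brevity the lookup uses the Name field of the MD5 response, where a real server would normally use the identity from the earlier EAP-Response/Identity.

```python
import hashlib
import hmac
import struct

EAP_RESPONSE, EAP_TYPE_MD5 = 2, 4

def md5_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge value.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def build_response(identifier: int, name: str, secret: bytes, challenge: bytes) -> bytes:
    # Supplicant side: Code, Identifier, Length, Type, Value-Size, Value, Name.
    value = md5_value(identifier, secret, challenge)
    data = bytes([EAP_TYPE_MD5, len(value)]) + value + name.encode("ascii")
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(data)) + data

def verify_response(packet: bytes, challenge: bytes, users: dict) -> tuple:
    # Server side: returns (accepted, reason).
    if len(packet) < 6:
        return False, "truncated packet"
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE or packet[4] != EAP_TYPE_MD5 or length != len(packet):
        return False, "not a well-formed EAP-MD5 response"
    size = packet[5]
    if size != 16 or 6 + size > length:
        return False, "bad value size"
    value, name = packet[6:6 + size], packet[6 + size:].decode("ascii", "replace")
    secret = users.get(name)
    if secret is None:
        return False, "unknown user " + name
    # Constant-time comparison of the received hash with the expected one.
    if not hmac.compare_digest(value, md5_value(identifier, secret, challenge)):
        return False, "password mismatch"
    return True, "ok"

# Constructed sample data: user name, password and challenge are placeholders.
PHONE_NAME = "SEP001122334455"
USERS = {PHONE_NAME: b"phone-secret"}
CHALLENGE = bytes(range(16))

if __name__ == "__main__":
    for name, secret in [(PHONE_NAME, b"phone-secret"), (PHONE_NAME, b"wrong"),
                         ("001122334455", b"phone-secret")]:
        packet = build_response(7, name, secret, CHALLENGE)
        print(name, verify_response(packet, CHALLENGE, USERS))
```

This covers only the accept or reject decision on the authentication server; whether a rejected phone still gets onto the network is decided by the switch port configuration.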

Sorry, the phone is using version 8-2-2SR1S

OK,

That's the way I have it in ACS. The username is the SEP info.

Thanks for the help