Cisco Support Community
New Member

802.1x and Cisco IP Phone

I am trying to authenticate a Cisco 7970 IP phone that is set up to do 802.1x with ACS. When I check the log files on ACS it shows that the phone failed authentication, but the phone is still allowed on the network and can make calls. I have added the MAC address as an ACS user and configured a password which matches the password configured on the phone. If I put the wrong password in, it's still allowed on the network; the port is never shut down. I was speaking to someone who was able to do this and they somehow enabled the av-pair. Only I am not sure what to put in there. Does anyone have an idea as to what would need to go in there so that when a phone fails authentication it's put in the guest VLAN or denied access?

5 REPLIES
Cisco Employee

Re: 802.1x and Cisco IP Phone

If the Cisco 7970 IP phone is set up to do 802.1X, this should have nothing to do with the MAC address of it.

If you enable the phone to do 802.1X, it will perform EAP-MD5 with a username and password that you give it.

The phone may still be permitted based on your port config. Adding the MAC as a username/password would work for authenticating non-1X phones.

This should help you out:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA

New Member

Re: 802.1x and Cisco IP Phone

The 7970 phone is using firmware 8.2(1) and there is no option to enter a username. I can only input a Password. I don't have an option to input a username.

Cisco Employee

Re: 802.1x and Cisco IP Phone

Right. This is the phone doing MD5. Every phone will have a unique and hard-coded username. It's designed to simplify configuration on the phone side.

You'll have to verify, since I don't have one handy, but I think the username is something like "SEP-mac-address-phone-model" or something like that.

HTH,
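The EAP-MD5 check discussed in the replies above, as an added example that is not part of the original thread and is not Cisco or ACS code: it shows why the server needs both the identity the phone sends and the matching password. The identity string, passwords, challenge and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

EAP_RESPONSE, EAP_TYPE_MD5 = 2, 4

def md5_value(identifier, password, challenge):
    # RFC 1994 / RFC 3748 section 5.4: MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def build_md5_packet(code, identifier, value):
    # EAP header Code(1) Identifier(1) Length(2), then Type(1) Value-Size(1) Value
    body = bytes([EAP_TYPE_MD5, len(value)]) + value
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_md5_packet(packet):
    if len(packet) < 6:
        raise ValueError("too short for an EAP-MD5 packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("bad length or not EAP type 4 (MD5-Challenge)")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size runs past the end of the packet")
    return code, identifier, packet[6:6 + size]

def authenticate(users, identity, challenge, expected_id, response_packet):
    """Server side: the identity must exist AND the hash must match."""
    password = users.get(identity)
    if password is None:
        return False  # username the device sent is not in the user database
    code, identifier, value = parse_md5_packet(response_packet)
    if code != EAP_RESPONSE or identifier != expected_id:
        return False
    return hmac.compare_digest(value, md5_value(identifier, password, challenge))

# Constructed sample data: identity string, passwords and challenge are made up.
PHONE_IDENTITY = "identity-string-sent-by-phone"
USERS = {PHONE_IDENTITY: b"phone-secret"}
CHALLENGE = bytes(range(16))

def phone_response(identifier, password):
    # Supplicant side: answer the challenge with the locally configured password.
    return build_md5_packet(EAP_RESPONSE, identifier, md5_value(identifier, password, CHALLENGE))

if __name__ == "__main__":
    print(authenticate(USERS, PHONE_IDENTITY, CHALLENGE, 7, phone_response(7, b"phone-secret")))
    print(authenticate(USERS, PHONE_IDENTITY, CHALLENGE, 7, phone_response(7, b"wrong")))
    print(authenticate(USERS, "001122334455", CHALLENGE, 7, phone_response(7, b"phone-secret")))
```

A `False` result here is only the server's verdict; as the first reply notes, whether the phone is actually kept off the network depends on the switch port configuration.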

New Member

Re: 802.1x and Cisco IP Phone

Sorry, the phone is using version 8-2-2SR1S

New Member

Re: 802.1x and Cisco IP Phone

Ok,

That's the way I have it in ACS. The username is the SEP info

Thanks for the help
