I have set up 802.1x with MS IAS. All seems to work fine when I am using a plain PC connection to the switch, but the moment an IP phone is involved I start facing issues.
I am using a Cisco 3750 switch with version 12.2(25)SEB4.
The DHCP server is on Windows, which is on a different network, i.e. 10.50.1.9.
The DHCP relay agent is defined on the firewall subinterfaces.
All works when the phone is not involved. BTW, I am using a Nortel IP phone.
When the phone is plugged in and the cable is through the phone, I provide the user name and credentials, and when I say show vlan on the switch I can see I am part of the correct VLAN, but I do not get an IP address.
This is the error I get on the switch when I said debug radius:
Please find two attachments of debug dot1x events and radius.
This topology will not work on a port configured for 802.1X. The Nortel phone has no way to access the network. Also, is the Nortel phone bridging the 1X control traffic to/from the switch/client anyway?
The phone won't work b/c it doesn't have a 1x supplicant.
The PC "should work" if the phone is passing EAPOL to the switch.
Although remember the MAC of the PC is locked into the switchport. Typically, part of the security provided by 802.1x is based on the assumption that the switch port is not connected to a hub-based shared Ethernet segment. If not, an unauthenticated hub/switch could be used to gain access for other unauthorized systems. So, by default, a switchport running 802.1x is able to deny access to any such "piggybacked" ports (or for any other machines on the wire). And remember what happens if the authenticated PC unplugs from the phone. Does the phone inform the network of this to tear down the active security session?
Hope this helps,
Hmmm, I have tested this in a lab and it works fine.... with a big caveat that makes it almost not worth doing.
To get it to work, make sure that IAS allows EAP-MD5 as an authentication method, as that is the only method the IP phone supports. Also the switch port needs to use 802.1x multi-host mode since the port will see more than 1 MAC address (the IP phone plus the PC).
Let me know exactly which Nortel IP phone you have and I can tell you how to get it working.
Now for the caveat: The 802.1x spec does not in any way, shape, or form address what to do when multiple devices try to access an 802.1x-controlled port. What this means is that once the Nortel IP phone (and the 200x series phones do have a supplicant) authenticates a port, the port is active and ANYTHING plugged into the phone's PC port will work. Now if the PC has 802.1x enabled it may try to reauthenticate the port, and if it fails the port may be unauthenticated, but there is no way to force a device plugged into the IP phone's PC port to use 802.1x. What this means is that without using port security or some other administratively intense means, any IP phone data port can be used by anybody using any device to access the network once the IP phone authenticates the port.
If the whole point of 802.1x is to secure your ports in a relatively administratively easy way, throwing a Nortel IP phone into the mix sinks that faster than the Edmund Fitzgerald.
PS: Someone PLEASE tell me I am wrong about the IP phone's PC port. I really need to get this working myself.
1) Make sure IAS allows EAP-MD5 as an authentication method (I am using ACS so I can't help you much there).
2) Make sure there is an account in AD for whatever user/password combo you have the phone trying to authenticate on. If possible, use GPOs/user rights to NOT allow this user to log in.
3) Run "dot1x host-mode multi-host" on the access port. This will allow the port to see multiple MACs on the port and not shut down. As already stated, this really hoses 802.1x since as soon as a phone authenticates the port is active and any device can use the PC port on the phone. See my other post for more information on how Cisco is looking at fixing this.
Let me know if that helps.
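As an added illustration (not posted by anyone in the thread), this is what the port configuration from steps 1-3 looks like on an IOS access port, with the multi-host caveat and the port-security mitigation the posts mention spelled out in comments. The interface name, VLAN IDs, RADIUS server address and key are constructed placeholders; the EAP-MD5 setting from step 1 lives on the IAS server, not on the switch.

```ios
! Added example, not from the thread. Constructed values: interface, VLANs,
! RADIUS server 192.0.2.10 and key. Tested against no real network.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
! RADIUS server (IAS) that must allow EAP-MD5 for the phone (step 1)
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key EXAMPLE-KEY
!
interface FastEthernet1/0/5
 description phone with PC behind it (constructed)
 switchport mode access
 ! data VLAN for the PC and voice VLAN for the phone (constructed IDs)
 switchport access vlan 10
 switchport voice vlan 20
 ! default is single-host: a second MAC behind the phone would trip the port
 dot1x port-control auto
 ! step 3: tolerate phone MAC + PC MAC on the same port
 dot1x host-mode multi-host
 ! Caveat from the thread: once the phone authenticates, anything on the
 ! phone's PC port is admitted with no further 802.1x check.
 ! Port security is the "administratively intense" mitigation mentioned:
 ! cap the MAC count at phone + one PC so a hub cannot add further hosts.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
```

Verify the result with "show dot1x interface FastEthernet1/0/5" and "show port-security interface FastEthernet1/0/5": the former shows host mode and authentication state, the latter the MAC count actually seen on the port.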
Remember if you plug in a phone running 1X to a 1X port, and it works, AND you also have multi-host mode enabled, then any PC that plugs into the phone will be granted access ("for free") implicitly.
Would recommend discussing roadmap items with your account team.
Hope this helps,
Ah, I didn't know you had a phone with a 1X supplicant on it ;-).
If so, this is the only available (non-default) option today on the switch you're testing with. See my last reply on how it works by default. With multi-host mode though, 802.1X is used to "enable the port" only, with no other restrictions being placed on it. An analogy would be walking into a building with a valid badge, but leaving the door propped open behind you.
The rest of your comments WRT the 1X-spec, the security implications of the current multi-host mode, etc. are pretty well-founded.
From a spec perspective, it's similar to evaluating 802.1X in a wireless LAN WITHOUT the use of encryption. Mind you, there are potentially only 2 devices on the wire here instead of 200; the threat model's different, so may be your risk assessment, but the technology use is about the same today.
Hope this helps,
I found a link to an "Ask the Expert" post that addresses these issues.
Basically this fall Cisco is going to release a feature on their switches that will allow multiple authentications per port per VLAN. I presume that what they are doing is requiring each MAC address to acquire a separate authentication. This will solve most or all of the problems associated with 802.1x w/ VoIP. They also mention that Cisco IP phones above the 7960 get an 802.1x supplicant late this year or early next year.
Posted by: ksilva - CCIE - Sep 8, 2006, 8:31pm PST
When might we see 802.1x(Port Based Network Access Control) capabilities rolled out to the standard 79XX phones, or is this something not on the roadmap at this time?
Posted by: tsherman - CISCO SYSTEMS - Sep 8, 2006, 9:07pm PST
You will see 802.1x on the phones late this 4th qtr or early 1st qtr next year. The 802.1x supplicant will only be on phones above the 7960. The firmware load for the phones is planned to be 8.3.1. A design guide to deploy the phones is planned to be released at the same time as the supplicant.
Posted by: kleo - Sep 12, 2006, 8:22am PST
So does this mean that the data switch will have to support multiple authentication (multiple dot1x hosts on a port and every host is authenticated separately) on an aux/voice port? Without using CDP?
Posted by: tsherman - CISCO SYSTEMS - Sep 12, 2006, 10:56am PST
Yes, if you are going to authenticate the phone and a PC plugged into a phone, both of the devices will have to authenticate to the port per VLAN. This feature is coming out on Cisco switches this fall to allow multiple authentications per port per VLAN, so this will be possible.
On the subject of CDP, CDP will be allowed to pass between the phone and the switch so the phone can get the information it needs to determine which VLAN on the port is the voice VLAN. Once the phone has that information, it will attempt to authenticate into the voice VLAN on the port of the switch.