I am trying to figure out how to get our 7970 phones to authenticate with ACS. The phones have been configured for 802.1x and a pre-shared password has been selected. The ports on the switch have also been configured. In ACS I added the MAC address of the phone to ACS. When I test by using the wrong username and password I see the failed attempts by the phone in the logs of ACS... However, the phone is still allowed to connect and make calls. A co-worker was able to get this to work by selecting "enable AV-PAIR" under group setup. However, I have no idea what variables would go in here to make this work. Does anyone have any experience in making this work?
I followed this guide but for whatever reason the phone keeps staying authenticated when the wrong password is entered. If I check the Phone status on the 7970 it says 802.1x authentication failed. Yet it still has access and I can make calls. It doesn't get put on the authentication VLAN. Here is the status of the port and the configs. The phone is plugged into FastEthernet 1/1.
Dot1x Info for FastEthernet1/1
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 60 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Auth-Fail-Vlan = 20
Auth-Fail-Max-attempts = 2
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
Phone status says authentication failed yet I see this.