
New Member

802.1x and VOIP

I am trying to figure out how to get our 7970 phones to authenticate with ACS. The phones have been configured for 802.1x and a pre-shared password has been selected. The ports on the switch have also been configured. In ACS I added the MAC address of the phone to ACS. When I test by using the wrong username and password I see the failed attempts by the phone in the logs of ACS. However, the phone is still allowed to connect and make calls. A co-worker was able to get this to work by selecting "enable AV-PAIR" under group setup. However, I have no idea what variables would go in here to make this work. Does anyone have any experience in making this work?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: 802.1x and VOIP

You need to add multi-domain authentication to the port, per the previous doc. Else, the phone will get access simply b/c it's exchanging CDP info with the switch.

Hope this helps,

6 REPLIES

Re: 802.1x and VOIP

New Member

Re: 802.1x and VOIP

I followed this guide but for whatever reason the phone keeps staying authenticated when the wrong password is entered. If I check the Phone status on the 7970 it says 802.1x authentication failed. Yet it still has access and I can make calls. It doesn't get put on the authentication VLAN. Here is the status of the port and the configs. The phone is plugged into FastEthernet 1/1.

Dot1x Info for FastEthernet1/1

-----------------------------------

PAE = AUTHENTICATOR

PortControl = AUTO

ControlDirection = Both

HostMode = SINGLE_HOST

ReAuthentication = Enabled

QuietPeriod = 60

ServerTimeout = 30

SuppTimeout = 30

ReAuthPeriod = 60 (Locally configured)

ReAuthMax = 2

MaxReq = 2

TxPeriod = 30

RateLimitPeriod = 0

Auth-Fail-Vlan = 20

Auth-Fail-Max-attempts = 2

Dot1x Authenticator Client List Empty

Port Status = UNAUTHORIZED

Phone status says authentication failed yet I see this.

outer#show dot1x all summary

Interface PAE Client Status

--------------------------------------------------------

Fa1/1 AUTH 0014.f29c.dd6f AUTHORIZED

My interface is configured as follows:

interface FastEthernet1/1

switchport voice vlan 10

dot1x pae authenticator

dot1x port-control auto

dot1x timeout reauth-period 60

dot1x reauthentication

dot1x auth-fail vlan 20

dot1x auth-fail max-attempts 2

Re: 802.1x and VOIP

What happens if you remove the command,

"dot1x auth-fail vlan 20" under the interface Fa1/1 ?

Regards,

Prem

New Member

Re: 802.1x and VOIP

Is multi domain authentication supported on a Cisco 2811 ISR? I am using the onboard switch. I don't think this command is supported.

New Member

Re: 802.1x and VOIP

So it appears as though it's a limitation of the switch card on the 2811, as it does not support multi domain authentication. I will need to use a 3750.
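A way to audit for the condition the accepted solution describes (a voice-VLAN port running 802.1X without multi-domain host mode), added here as an example and not posted by anyone in the thread. The function names are hypothetical, Fa1/1 is the port config quoted above, the other two interfaces are constructed, and the check assumes the host mode appears as `dot1x host-mode multi-domain` or `authentication host-mode multi-domain`.

```python
import re

# Constructed sample: Fa1/1 is the config posted in the thread; Fa1/0/2 and
# Fa1/0/3 are made-up ports on a switch that supports multi-domain host mode.
SAMPLE_CONFIG = """\
interface FastEthernet1/1
 switchport voice vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period 60
 dot1x reauthentication
 dot1x auth-fail vlan 20
 dot1x auth-fail max-attempts 2
interface FastEthernet1/0/2
 switchport voice vlan 10
 dot1x port-control auto
 dot1x host-mode multi-domain
interface FastEthernet1/0/3
 switchport access vlan 30
 dot1x port-control auto
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def voice_ports_without_mda(config):
    """Return 802.1X voice-VLAN ports that lack multi-domain host mode."""
    flagged = []
    for name, cmds in parse_interfaces(config).items():
        has_voice = any(c.startswith("switchport voice vlan") for c in cmds)
        has_dot1x = any(c.endswith("port-control auto") for c in cmds)
        has_mda = any(c.endswith("host-mode multi-domain") for c in cmds)
        if has_voice and has_dot1x and not has_mda:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for port in voice_ports_without_mda(SAMPLE_CONFIG):
        print(f"{port}: voice VLAN with 802.1X but no multi-domain host mode")
```
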
