New Member

802.1x (dot1x) with IP Phone / Workstation using Multi-Domain Authentication (MDA)

Scenario:

Workstation (behind the phone)

IP Phone 7911 software 8.5(2)

ACS 4.1 with AD on the same server

Cisco Switch WS-C3750E-24PD with c3750e-universalk9-mz.122-53.SE1.bin

Guide utilized:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

To accomplish:

Computer and IP phone authentication with 802.1x: the phone using EAP-MD5 and the workstation using PEAP-MSCHAPv2.

Tried and Worked:

Workstation using EAP-MD5 (with an ACS username) and using PEAP (with an AD username); it also gained access to the correct VLAN, depending on the username.

The log from the ACS, failed authentication:

Message-Type:                 Authen failed
User-Name:                    CP-7911G-SEP00254594D6BA
Group-Name:                   VOZ
Caller-ID:                    00-25-45-94-D6-BA
Network Access Profile Name:  (Default)
Authen-Failure-Code:          EAP type not configured

The Switch's config:

aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.32.250.250 auth-port 1645 acct-port 1646 key 7 095F4B07110445425B54

interface GigabitEthernet1/0/3
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 200
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 mls qos trust device cisco-phone
 mls qos vlan-based
 dot1x pae both
 dot1x timeout quiet-period 20
 dot1x timeout server-timeout 100
 dot1x timeout tx-period 100
 storm-control broadcast level 15.00
 storm-control multicast level 10.00
 spanning-tree portfast
 spanning-tree guard root

ACS Configuration Resume:

Configured the AAA

2 groups, voice and data, each with its respective VLAN and configuration parameters on the ACS (Attribute-Value (AV))

Added the user name and password for IP phones

Mapped the AD to the Data group

Issued a certificate and installed in the workstation

Configured the Global Authentication Setup, where I checked the boxes PEAP and EAP-MD5

So like I said, it authenticates only the workstation without the IP phone. When I add the IP phone it does not authenticate either of them.

Does anyone have a light?
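Before chasing phone firmware or ACS attributes, it helps to confirm that the switch side actually has every piece MDA needs. The script below is an added example, not code from the poster or from Cisco: it parses IOS running-config text in the shape posted above, checks the global AAA lines and one interface against the settings multi-domain 802.1X depends on (access port, voice VLAN, `host-mode multi-domain`, `port-control auto`, an authenticator PAE role, RADIUS with a shared key, network authorization so the ACS av-pairs can be applied), and warns about settings that weaken enforcement. The posted configuration is embedded as the first input; the second interface (`GigabitEthernet1/0/4`, with `authentication open` and `host-mode single-host`) is a constructed counter-example to show what a failing audit looks like.

```python
import re

# Switch configuration as posted in the thread (global lines plus the phone port).
SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.32.250.250 auth-port 1645 acct-port 1646 key 7 095F4B07110445425B54
interface GigabitEthernet1/0/3
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 200
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 mls qos trust device cisco-phone
 mls qos vlan-based
 dot1x pae both
 dot1x timeout quiet-period 20
 dot1x timeout server-timeout 100
 dot1x timeout tx-period 100
 storm-control broadcast level 15.00
 storm-control multicast level 10.00
 spanning-tree portfast
 spanning-tree guard root
"""

# Constructed counter-example (not from the thread): no network authorization,
# no RADIUS key, single-host mode and open mode on the phone port.
WEAK_CONFIG = """\
aaa authentication dot1x default group radius
interface GigabitEthernet1/0/4
 switchport mode access
 switchport voice vlan 200
 authentication host-mode single-host
 authentication open
 authentication port-control auto
 dot1x pae authenticator
"""


def parse_config(text):
    """Return (global_lines, {interface: [subcommands]}) from IOS running-config text."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" "):  # indented line belongs to the open interface block
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        match = re.match(r"interface (\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


# (regex, reason) pairs; each must match at least one line, or the audit fails.
GLOBAL_REQUIRED = [
    (r"^aaa authentication dot1x default group radius$", "802.1X requests must go to RADIUS"),
    (r"^aaa authorization network default group radius$", "VLAN / av-pair assignment needs network authorization"),
    (r"^radius-server host \S+ .*\bkey\b", "a RADIUS server with a shared key must be defined"),
]
PORT_REQUIRED = [
    (r"^switchport mode access$", "MDA runs on access ports"),
    (r"^switchport voice vlan \d+$", "the phone domain needs a voice VLAN"),
    (r"^authentication host-mode multi-domain$", "one phone plus one workstation requires multi-domain"),
    (r"^authentication port-control auto$", "port-control auto turns 802.1X enforcement on"),
    (r"^dot1x pae (authenticator|both)$", "the switch must act as authenticator"),
]
# Settings that weaken or complicate enforcement if present.
PORT_WARNINGS = [
    (r"^authentication open$", "open mode forwards traffic even when authentication fails"),
    (r"^dot1x pae both$", "port also runs a supplicant; authenticator alone is enough towards a phone"),
]


def audit_port(text, interface):
    """Audit one interface for MDA readiness; returns {'failed': [...], 'warnings': [...]}."""
    global_lines, interfaces = parse_config(text)
    port_lines = interfaces.get(interface, [])
    failed, warnings = [], []
    for pattern, reason in GLOBAL_REQUIRED:
        if not any(re.match(pattern, line) for line in global_lines):
            failed.append(f"missing global: {pattern} ({reason})")
    for pattern, reason in PORT_REQUIRED:
        if not any(re.match(pattern, line) for line in port_lines):
            failed.append(f"{interface}: missing {pattern} ({reason})")
    for pattern, reason in PORT_WARNINGS:
        if any(re.match(pattern, line) for line in port_lines):
            warnings.append(f"{interface}: {reason}")
    return {"failed": failed, "warnings": warnings}


if __name__ == "__main__":
    for cfg, port in ((SAMPLE_CONFIG, "GigabitEthernet1/0/3"), (WEAK_CONFIG, "GigabitEthernet1/0/4")):
        print(port, audit_port(cfg, port))
```

Run against the posted configuration the audit reports no missing prerequisites, which is consistent with the workstation authenticating on its own; the only note is that `dot1x pae both` also enables the supplicant role on the port. The constructed port fails on the missing `aaa authorization network`, the RADIUS key, and `host-mode multi-domain`, and is flagged for `authentication open`.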

1 ACCEPTED SOLUTION

New Member

Re: 802.1x (dot1x) with IP Phone / Workstation using Multi-Domai

Hello

First you can try another software version for the phone (for example 8.4.2S). I have a similar issue with 8.5 software and 7945/7965 phones. Second, you need to configure av-pair attributes on the ACS side for correct placement of the phone in the voice VLAN.

Regards

Stanislav

2 REPLIES
New Member

Re: 802.1x (dot1x) with IP Phone / Workstation using Multi-Domai

Thanks man! There is a bug that affects dot1x on phones... the bad thing is that I can't downgrade my phones because of other bugs and my CallManager doesn't take a newer version.

Take a look at this bug

CSCsz59661

PS. I had the av-pair for the phones... I found out about this bug a week ago and I tried out one phone with an 8.4 release and it worked just fine.
