I am about to begin a deployment of dot1x on our campus. We will be authenticating to a Windows 2003 IAS Domain Controller, but I have a few questions before we begin:
1) I have found no documentation as to the setup of switchports in regards to Cisco IP Phones, namely, how do the phones get around the authentication (or do they)? Can anyone point me in the right direction for some docs and/or sample configs?
2) We have an environment of about 23 Catalyst 3560s and 23 Catalyst 500 Expresses, all with PoE. I can get the 3560s to authenticate to IAS with no problem. However, the 500s have got me stumped. I know it needs to be done through SDM, but there seems to be virtually NO documentation on the configuration aspects for these guys. I read somewhere that it can only be done using the Desktop Smartport role? Is this true, and if so, is there a way around it for the IP Phones? Are future OS releases going to support the IP Phone+Desktop role?
Essentially, you create a voice VLAN on your access port (the port where your phone plugs in), enable dot1x on it, plug your phone in and that's it. The phone sends a CDP packet to the switch identifying itself as a Cisco IP phone. The switch then bypasses 802.1x authentication for the phone and enables communication from the MAC of the IP phone on the voice VLAN (VVID) only. So when a computer plugs into the back of the phone, it's forced to authenticate via 802.1x because it traverses the PVID. Here's some documentation that should make it clear.
Regarding your second question, you need to use Cisco Network Assistant (CNA) in order to configure the Catalyst Express 500 switches to use 802.1X. The only other way to configure the CE 500 is via its web interface, but this does not provide all of the switch configuration options. In CNA, if you click on the Configure tab, then choose Security, and Network Security Settings, a window will open where you can set the host access security level to High. You will then be able to enter the RADIUS server information. Also, the IP Phone+Desktop smartports role is supported by the CE 500, even with its first SW release 12.2(25)FY.
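The port setup described in the first answer, written out as an added example for a Catalyst 3560 running IOS (this is not configuration from the original posts). The VLAN numbers, the RADIUS server address and the shared secret are assumed placeholders; the default single-host mode is assumed.

```cisco
! Added example, not from the original posts. VLAN IDs, RADIUS address and
! key are assumed placeholders: replace them with the values for your site.
!
! Global: enable AAA, send 802.1X requests to the IAS RADIUS server,
! and turn 802.1X on for the switch.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
!
! Access port carrying a data VLAN (PVID 10) and a voice VLAN (VVID 100).
! The phone announces itself over CDP, so the switch admits its MAC on the
! voice VLAN without 802.1X. A PC plugged into the back of the phone lands
! on the data VLAN and is held until it authenticates.
interface FastEthernet0/1
 description Cisco IP phone with a PC behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 dot1x port-control auto
 spanning-tree portfast
!
! Verify: the phone's MAC should show on VLAN 100 with no 802.1X session,
! and the PC's session state should be AUTHORIZED once it has logged on.
!   show dot1x interface FastEthernet0/1 details
!   show mac address-table interface FastEthernet0/1
```

If the phone does not appear on the voice VLAN, check that CDP is still enabled on the port, since the bypass depends on the phone being recognised as a Cisco IP phone.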