I am currently working on an 802.1x pilot. I have successfully deployed certificates for PCs and users and I'm able to assign VLAN etc in a reliable fashion.
I would like to enable MAC Authentication Bypass on the voice VLAN for IP phones. The problem is, when I create a user with the phones MAC address as a user name, or AD Domain policy does not allow the password to also be the mac address. Disabling this policy temporarily for adding these users is not a credible solution for us. I'd rather not use third party software that allows for diversity in AD password policy.
I've seen it implied that the switch (3560 in my case) can be configured to send the Radius secret rather than the device MAC address as the device's password, is this true? If so, how?
With MAC-Auth-Bypass, the end station (phone in your case) doesn't interact with the auth method at all. The switch authenticates the MAC after being learned by the switch on behalf of the end-station.
This is a limitation in Windows Server today. This can be controlled through a GPO in Server 2008. Another option(s) is to store the "phone user accounts" directly on the AAA server or another database that allows the ability for this.
Also, to authenticate a phone at all, and to support PCs, you need to configure Multi-Domain-Authentication (MDA) on the 3560. See here:
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :