802.1x, IP Phones, MAB and AD password policy

mattward6 · ‎03-18-2008

I am currently working on an 802.1x pilot. I have successfully deployed certificates for PCs and users and I'm able to assign VLAN etc in a reliable fashion.

I would like to enable MAC Authentication Bypass on the voice VLAN for IP phones. The problem is, when I create a user with the phones MAC address as a user name, or AD Domain policy does not allow the password to also be the mac address. Disabling this policy temporarily for adding these users is not a credible solution for us. I'd rather not use third party software that allows for diversity in AD password policy.

I've seen it implied that the switch (3560 in my case) can be configured to send the Radius secret rather than the device MAC address as the device's password, is this true? If so, how?

Thanks!

jafrazie · ‎03-18-2008

With MAC-Auth-Bypass, the end station (phone in your case) doesn't interact with the auth method at all. The switch authenticates the MAC after being learned by the switch on behalf of the end-station.

This is a limitation in Windows Server today. This can be controlled through a GPO in Server 2008. Another option(s) is to store the "phone user accounts" directly on the AAA server or another database that allows the ability for this.

Also, to authenticate a phone at all, and to support PCs, you need to configure Multi-Domain-Authentication (MDA) on the 3560. See here:

<http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA>

Hope this helps,