We have a distributed deployment where Alcatel IP Touch phones are authenticated via MAB. Alcatel IP Touch phones have 802.1x enabled by default, and the phone tries EAPOL first and then the switch authenticates via MAB, which is fine. Once authenticated it's working as expected. The issue is the phone keeps on periodically retrying 802.1x after x amount of minutes, which triggers the phone to reboot again and go through the whole process. This interrupts the voice. We could disable 802.1x, but it's on a per-phone basis. Has anyone come across this issue and found a way to disable it globally via the call manager etc., or any workaround from the ISE/switch side?
I have run into this issue before; there is a command on the switch port so that if authentication fails it uses the next method. Can you post the output of your port settings and the version and type of switch you are using?
Thanks for the reply, please find below the switch port config lines; it's a 370x switch, IP Base and universal, on the 15.2-1.E1 image.
Note: since 802.1x is enabled by default, the phone initially tries 802.1x and, after failing, the switch goes to the next auth method, which is MAB, which is successful. The issue is the phone again initiates an 802.1x packet after some time and the whole process starts again, and because 802.1x fails the phone reboots again. I think this is the way this type of phone works and we cannot do much unless we disable 802.1x or install the Alcatel CA certs in the ISE cert store?
Interface gi x/y
switchport access vlan xx
switchport mode access
switchport voice vlan yy
ip access-group ACL_ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan xx
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication violation restrict
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
I have a couple of questions regarding the behavior of the phone.
In most cases endpoints will not prompt re-authentication (computing devices are an exception), unless a timer on the switchport or a link event prompts re-authentication. You can start by running a show authentication sessions interface xxx details.
If the phones are performing EAP-TLS then your best option would be to use that feature as opposed to relying strictly on profiling.
The dot1x debugs on the switch showed that after a certain time the switch receives a reauth packet "Apr 8 04:40:24.194: dot1x-packet:[xxxx.yyyy.zzzz, Gi1/0/1] queuing an EAPOL pkt on Auth Q" from the endpoint and the whole process starts again. The endpoint reboots itself once it sees an 802.1x failure. "show auth sess int x/y details" shows MAB as the successful auth method until the re-request for 802.1x comes from the endpoint.
Regarding the timers, as mentioned in the switch port config above, the port relies on the RADIUS server (i.e. ISE) for the reauth timer ("authentication timer reauthenticate server"), and I assume this will be the session time when the device initially connects.
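As an added example (not from anyone in this thread), here is a small Python parser that runs over switch dot1x debug output in the format quoted above and flags endpoints that keep re-sending EAPOL at short, regular intervals, which is the retry/reboot loop described here. The sample lines, MAC addresses and the %SYS-5-CONFIG_I noise line are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample debug output (MACs and the config syslog line are made up for this example).
SAMPLE_LOG = """\
Apr 8 04:10:02.101: dot1x-packet:[0080.9f11.2233, Gi1/0/1] queuing an EAPOL pkt on Auth Q
Apr 8 04:12:40.003: %SYS-5-CONFIG_I: Configured from console by console
Apr 8 04:25:07.412: dot1x-packet:[0080.9f11.2233, Gi1/0/1] queuing an EAPOL pkt on Auth Q
Apr 8 04:40:24.194: dot1x-packet:[0080.9f11.2233, Gi1/0/1] queuing an EAPOL pkt on Auth Q
Apr 8 04:41:00.010: dot1x-packet:[0080.9f44.5566, Gi1/0/2] queuing an EAPOL pkt on Auth Q
Apr 8 04:55:31.870: dot1x-packet:[0080.9f11.2233, Gi1/0/1] queuing an EAPOL pkt on Auth Q
"""

EAPOL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}): dot1x-packet:\[(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}), (?P<intf>\S+)\] "
    r"queuing an EAPOL pkt on Auth Q"
)

def parse_eapol_events(log_text):
    """Return (timestamp, mac, interface) for every EAPOL arrival in the debug output."""
    events = []
    for line in log_text.splitlines():
        m = EAPOL_RE.match(line.strip())
        if not m:
            continue  # unrelated debug/syslog lines are ignored
        # Cisco debug timestamps carry no year; the default year is fine for computing intervals.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S.%f")
        events.append((ts, m.group("mac").lower(), m.group("intf")))
    return events

def find_reauth_loops(log_text, min_events=3, max_gap_min=60):
    """Flag endpoints that restart 802.1x repeatedly at short, regular intervals instead of
    once at link-up: the signature of the phone retry/reboot loop discussed in the thread."""
    per_endpoint = defaultdict(list)
    for ts, mac, intf in parse_eapol_events(log_text):
        per_endpoint[(mac, intf)].append(ts)
    findings = []
    for (mac, intf), stamps in per_endpoint.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_events and all(g <= max_gap_min for g in gaps):
            findings.append({"mac": mac, "interface": intf, "eapol_count": len(stamps),
                             "median_interval_min": round(median(gaps), 1)})
    return findings
```

Run `find_reauth_loops()` over a captured `debug dot1x packet` log to get, per port, how many times the phone restarted 802.1x and how far apart; a steady interval across many phones points at the phone's own retry timer rather than a switch or ISE reauth timer.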
May I ask what Alcatel model you have? I'm facing a similar problem with them; you can see my posts on the forum.
These are IP Touch 4068 and 4028 phones. I tried testing with the Alcatel Enterprise root CA and manufacturing certs installed in the ISE cert store, but still an "unknown CA error" showed up. Further, a Wireshark capture for dot1x showed in the "client hello" that the certs presented by the phones are signed by an issuer "Wired Phones". Trying to get this and test it again.
From my understanding the phone works fine via MAB; the problem appears with dot1x, right?
Have you tried testing, apart from EAP/TLS, with the next and only available option, EAP/MD5, to see if you face a similar behavior? That would be an interesting test.
I have come to a venturous conclusion that some devices, mostly printers and IP phones, if they do not find ISE, are blocked and cannot talk with anything else; as a result they continuously reboot. In contrast, PCs/workstations, if they fail, can log in despite the failed messages that will appear on your ISE console.
Probably our cases have many similarities and are quite difficult to analyze, even for the experts :)
Yeah, MAB works fine. I did not test MD5; for 802.1x and MD5 the phone presents the default user ALCIPT and I assume the default password is "password"???
The issue is, since most phones are being deployed, it's hard to disable 802.1x or activate MD5 on a per-phone basis; at the same time 802.1x cannot be disabled globally from the PBX manager. Therefore I'm trying with the default Alcatel certs.
If you go to the Alcatel business portal, there are links to download the enterprise, intermediate and manufacturing certs, but the "Wired Phones" intermediate cert is missing from the link :(
I have the same issue. Did you get it functional with 802.1x, and did you get the right certificate for "Wired Phones"?
Regards, and thanks for a reply
Yes, we got it working. The certificates from the Alcatel business portal don't work, as these are not the correct CAs that signed the certificate of the phone. You have to obtain the correct CA, "Wired Phones", from your local Alcatel vendor. You can also verify the CA by accessing the phone setup menu or by looking at the initial TLS handshake using Wireshark.
Please note: by using the default Alcatel certs it will be one-way TLS (i.e. the server authenticates the client). We only tested with 4028, 4038 and 4068 IP Touch phones.
Hope this helps
Thanks for your response. Now I have received the Wired Phones certificate.
Which configuration must I explicitly make on ISE to authenticate the phone via one-way TLS now?
Great that you have the certs.
ISE doesn't know about one-way TLS. In this scenario (one-way TLS) ISE only authenticates the client. First import the Wired Phones cert into the ISE cert store and trust it for TLS (tick the check box). Create a certificate authentication profile (CAP) (with subject name as the attribute) to be used as the identity store in the authentication policy. Create an identity source sequence with the local store and the above CAP as identity stores. The local identity store is required as these phones will first authenticate via MAB during initial boot, and once the 802.1x process starts they will re-authenticate via the CAP. Then create an authentication policy with the above identity source sequence. This has to be after the MAB rule. Then create the appropriate authorization policy; for example, you can use custom profiling conditions (if Alcatel profiles are not available in ISE) to profile and authorize the phone, or some other means.
Hope this helps
Such a long time ago, but now I have implemented the solution for the Alcatel phones and it works well.
I would say now thanks for your help!