An LG-Nortel IP phone (model: LIP-6812D, hardware version 2.1, software version 1.2.06s) connects to the 802.1x enabled switch port. A PC with Windows XP 802.1x enabled connects to the phone's PC port. EAP-MD5 is used.
Since it is a non-Cisco phone and the administrator confirmed it does not have an 802.1x supplicant, I configured Multi-Domain Authentication (MDA). The phone will be authenticated using MAC Authentication Bypass (MAB) in the VOICE domain and the PC will be authenticated using 802.1x in the DATA domain.
My switch port config is as follows:
switchport access vlan 70
switchport mode access
switchport voice vlan 71
no snmp trap link-status
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x violation-mode protect
dot1x max-reauth-req 1
dot1x guest-vlan 999
Please see the attached file "hps07354_switch_config.log" for the full config.
MAB of the LG-Nortel IP phone is successful. Please see attached log file "IP_Phone.log". MAC address of the phone is 0040.5a17.c630.
The issue arises when I connect a PC behind the phone after the phone is authorized in the VOICE domain. As soon as the PC is connected to the phone, the switch sends an Access-Request to RADIUS with Service-Type=10. This looks like MAB to me. I'm expecting 802.1x to take place because I enabled 802.1x on the PC's LAN connection.
RADIUS returns an Access-Reject. In the ACS Failed Attempts log, there's an entry with User-Name=001e37823378 (the PC's MAC address) and Authen-Failure-Code=ACS user unknown. I suspect the phone is blocking the PC's EAPOL packets from reaching the switch. However, if that is true, the switch should have waited for 802.1x to time out (in my config, it is set to 60 seconds) before kicking MAB in. Right? Please refer to the attached log file "PC_behind_IP_Phone.log".
If I connect the PC directly to the switch port (with the same config), I have no issue. 802.1x takes place and the user is successfully authenticated using EAP-MD5. Please refer to the attached log file "PC_Direct_to_Switchport.log".
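As an added example, not part of the poster's attached logs or config: a small Python audit that reads a port-authentication event log and flags any MAC whose first MAB Access-Request (Service-Type 10, Call-Check) arrived before the 802.1x fallback window had elapsed. The event-line format, the NEW-MAC events, the constructed sample log and the window formula tx-period x (max-reauth-req + 1) with a 30 s default tx-period are assumptions made for this example.

```python
"""Flag MAB Access-Requests that fire before the 802.1X fallback window."""
import re
from datetime import datetime

# RADIUS Service-Type values (RFC 2865): switches send 2 (Framed) for
# 802.1X/EAP requests and 10 (Call-Check) for MAC Authentication Bypass.
SERVICE_TYPE = {2: "802.1X", 10: "MAB"}

# Constructed sample log (not the poster's files). The phone's MAB comes
# 60 s after its MAC appears; the PC's MAB comes 1 s after, which is the
# symptom described in the thread.
SAMPLE_LOG = """\
2024-03-10T10:00:00 Fa0/7 NEW-MAC 0040.5a17.c630
2024-03-10T10:01:00 Fa0/7 ACCESS-REQUEST 0040.5a17.c630 Service-Type=10
2024-03-10T10:02:28 Fa0/7 NEW-MAC 001e.3782.3378
2024-03-10T10:02:29 Fa0/7 ACCESS-REQUEST 001e37823378 Service-Type=10
2024-03-10T10:02:29 Fa0/7 ACCESS-REJECT 001e37823378
"""

LINE = re.compile(r"^(\S+) (\S+) (NEW-MAC|ACCESS-REQUEST|ACCESS-REJECT) (\S+)"
                  r"(?: Service-Type=(\d+))?")

def mab_fallback_seconds(tx_period=30, max_reauth_req=1):
    """Assumed model: one EAP-Request/Identity plus max_reauth_req retries,
    one tx-period apart, before the switch gives up on 802.1X and tries MAB."""
    return tx_period * (max_reauth_req + 1)

def norm_mac(mac):
    """Canonical form: lower-case hex with no separators (ACS User-Name style)."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, port, kind, mac, st = m.groups()
            events.append((datetime.fromisoformat(ts), port, kind,
                           norm_mac(mac), int(st) if st else None))
    return events

def audit(log, tx_period=30, max_reauth_req=1):
    """Return (mac, port, seconds_until_mab) for MABs inside the 802.1X window."""
    window = mab_fallback_seconds(tx_period, max_reauth_req)
    first_seen, findings = {}, []
    for ts, port, kind, mac, st in parse(log):
        key = (port, mac)
        if kind == "NEW-MAC":
            first_seen.setdefault(key, ts)
        elif kind == "ACCESS-REQUEST" and SERVICE_TYPE.get(st) == "MAB" and key in first_seen:
            elapsed = (ts - first_seen.pop(key)).total_seconds()
            if elapsed < window:
                findings.append((mac, port, elapsed))
    return findings
```

Run `audit(SAMPLE_LOG)` to see the PC's MAC reported with a 1.0 s gap while the phone, whose MAB came after the full 60 s window, is not flagged.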