I set up a 3560 (ver. 12.2(52)SE) to use 802.1X with host-mode multi-domain to get an IP Phone (CP 7962G v04) and a workstation together on the same port.
I read all the guides I found on cisco.com e.g.
The phone is MAB authenticated, the workstation PEAP.
Everything works fine if only the workstation is connected to the port.
If host-mode is not configured, the IP Phone also operates as a single device on the port. It also works if I set the host-mode to multi-host.
Actually I have a problem getting both devices authenticated with multi-domain.
The switch logs that both devices authenticated properly, but the IP Phone restarts the authentication every 60 sec; every time the phone passed but failed to get any connection.
I found one mistake in an IAS extension configuration.
But every time the phone passes the authentication process, the domain is set to DATA:
MAC Address: 0021.....
IP Address: Unknown
Status: Authz Success
Domain: DATA ( must be VOIP!!!!! )
Oper host mode: multi-domain
Oper control dir: in
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: 300s (local), Remaining: 117s
Common Session ID: 0A040552000011D5E666C4C5
Acct Session ID: 0x000012A8
CDP and LLDP are activated on the IP Phone.
How many IP Phones have you/the customer deployed with MDA mode?
I wonder how I can manage to add IP Phones' MACs to RADIUS and set up an EAP password on thousands of IP Phones.
I tested MAB with IP Phones on MS IAS (no password). The phone authenticates with a computer account (AD).
EAP-MD5 is not practical for authenticating IP Phones with MS IAS, because you must configure Active Directory for reversible passwords (LM hash); this is highly insecure.
It is also possible to authenticate IP Phones against ACS with EAP-MD5 or EAP-TLS. EAP-TLS is the preferred method, to avoid the EAP-MD5 "typing" password problem :-)
I am struggling with Microsoft NPS to do the same with phones as a computer account; how did you manage to get it working?
Regarding your .1x config: did you manage to get Microsoft NPS to authenticate the phones? How did you do this?
I have examined this very thoroughly. I did not get Microsoft NPS to authenticate the phones.
Strange thing I encountered: when a device was connected to a switch directly, NPS managed to authenticate it, but when the device was behind a phone, NPS didn't recognize the "handshake" anymore.
Even traced it with Wireshark.
Now we don't need the telephones authenticated: they have their own voice VLAN. But the switch in the phone needs to send the 802.1X authentication to the RADIUS server.
So I tried the same with Cisco ACS, and managed to get it working. The same setup.
TAC also found this bug on what I reckon is the same issue.
DE has decided it is not worth fixing, which seems a bit short-sighted seeing how many organisations are running NPS and Cisco Voice, so if anyone else really needs this then you will need to create a PER.
Next step for us is to install a Cisco ACS and try to configure the NPS to proxy to the ACS just for the phones.
Sorry for this late reply on your post (29.10.2010 05:48).
I authenticate the phones by MAB with IAS/NPS with a third-party extension from rt-solutions.de.
This extension makes it possible, among other things, to authenticate "MAB phones" using computer accounts in your AD.
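As an added example that is not from any poster in this thread: the switchport configuration for the multi-domain setup described above in IOS 12.2(52)SE syntax, together with the RADIUS attribute the switch needs in order to place a MAB-authenticated phone in the VOICE rather than the DATA domain (that attribute requirement is the editor's addition, not something the thread states). Assumed values: data VLAN 10, voice VLAN 20, RADIUS server 192.0.2.10 with shared key RADIUSKEY, interface GigabitEthernet0/1.

```ios
! Added example, not a poster's configuration. Assumed values: data VLAN 10,
! voice VLAN 20, RADIUS server 192.0.2.10, shared key RADIUSKEY.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUSKEY
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! one device in the DATA domain plus one in the VOICE domain per port
 authentication host-mode multi-domain
 authentication port-control auto
 ! try MAB first so the phone is authorized quickly; if the PC supplicant
 ! answers, dot1x takes precedence over MAB for that device
 authentication order mab dot1x
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! RADIUS side (the IAS/NPS policy that matches the phone's MAB request):
! the Access-Accept must carry the vendor-specific attribute
!   Vendor-Specific (26), vendor Cisco (9), attribute 1 (cisco-av-pair)
!   value: device-traffic-class=voice
! Without it the switch authorizes the phone into the DATA domain (the
! "Domain: DATA" seen above) and does not permit its tagged traffic on
! voice VLAN 20, so the phone passes authentication but gets no connection.
! Check the result per session with:
!   show authentication sessions interface GigabitEthernet0/1
```

The same attribute check applies to the ACS setups mentioned later in the thread: whichever RADIUS server answers, the VOICE domain is selected by the returned AV pair, not by the switch configuration alone.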