Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
640
Views
7
Helpful
4
Replies

Using 802.1X and non-Cisco IP Phones

dkrijgsman
Level 1
Level 1

‎04-17-2007 01:39 AM - edited ‎03-09-2019 05:48 PM

Hi there,

Having some questions about an 802.1x/non-Cisco ip phone setup and was hoping to find some answers/user-experience with this setup.

Main questions i'm facing:

1) When using non-Cisco ip phones (eg Nortel or Siemens) and a previous authorized client connected behind this ip phone gets disconnected. What will this action do with the authorized state of 802.1X on the switch port? WIll it stay authorized until the reauth timer expires or does it reject communication from any other device?

2) What about EAPOL-Logoff messages from the ip phone to the switch. Are these only used by Cisco phones when they experience a link-status change on data ports?

Thanks for sharing your thoughts

Labels:
0 Helpful
4 Replies 4

jafrazie
Cisco Employee
Cisco Employee

‎04-17-2007 12:24 PM

Overall, you need to try and deal with the fact that a machine can disappear from the network and the network may not know about it directly (i.e. Link doesn't go down).

I have no idea what other phones do, but Cisco phones send an EAPOL-Logoff when something is unplugged. This lets the switch know directly, and 1X session start is torn down immediately, closing what would be a security hole.

Fundamentally, re-auth is a workaround only, and this is not the reason to enable re-auth to begin with.

If your phone doesn't send an EAPOL-Logoff in this case, the switch might be left thinking an attack is underway when someone else tries to plug in (with presumably a different MAC). You do NOT want this to occur.

Hope this helps,

dkrijgsman
Level 1
Level 1
In response to jafrazie

‎04-17-2007 10:30 PM

Hi Jafrazie.

Thanks for responding.

Presumably these phones aren't able to send EAPOL-logoff messages on behalf of a connected device. So with only devices behind this phone using 802.1X, do any other options exist to make sure a second (non authorized device) isn't able to use a previously authorized 1X session of a disconnected device?

0 Helpful

jafrazie
Cisco Employee
Cisco Employee
In response to dkrijgsman

‎04-19-2007 02:24 PM

It's not good that your phones evidently cannot do it ;-(.

The only work-around here would be re-auth, but that doesn't fix the problem, and it's only a work-around, and it doesn't come for free.

Analogy:

There's no need to have a fire-drill just to make sure everyone in your building is a badged employee ;-).

0 Helpful

etmarcof
Level 3
Level 3
In response to jafrazie

‎05-16-2007 02:19 PM

Hi,

I have another question regarding non-cisco ip phone and 802.1x

If i connect a pc to ip phone and i have dynamic vlans for users of pc (After user login in PC he receives a vlan from radius server) this kind of configuration should work or after sucessfull authentication user will go to vlan configured in native vlan?

Best Regards

MC

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents