Cisco Support Community

New Member

Using 802.1X and non-Cisco IP Phones

Hi there,

Having some questions about an 802.1X/non-Cisco IP phone setup and was hoping to find some answers/user experience with this setup.

Main questions I'm facing:

1) When using non-Cisco IP phones (e.g. Nortel or Siemens) and a previously authorized client connected behind this IP phone gets disconnected, what will this action do with the authorized state of 802.1X on the switch port? Will it stay authorized until the reauth timer expires, or does it reject communication from any other device?

2) What about EAPOL-Logoff messages from the IP phone to the switch? Are these only used by Cisco phones when they experience a link-status change on data ports?

Thanks for sharing your thoughts

4 REPLIES
Cisco Employee

Re: Using 802.1X and non-Cisco IP Phones

Overall, you need to try and deal with the fact that a machine can disappear from the network and the network may not know about it directly (i.e. Link doesn't go down).

I have no idea what other phones do, but Cisco phones send an EAPOL-Logoff when something is unplugged. This lets the switch know directly, and 1X session start is torn down immediately, closing what would be a security hole.

Fundamentally, re-auth is a workaround only, and this is not the reason to enable re-auth to begin with.

If your phone doesn't send an EAPOL-Logoff in this case, the switch might be left thinking an attack is underway when someone else tries to plug in (with presumably a different MAC). You do NOT want this to occur.

Hope this helps,

New Member

Re: Using 802.1X and non-Cisco IP Phones

Hi Jafrazie.

Thanks for responding.

Presumably these phones aren't able to send EAPOL-Logoff messages on behalf of a connected device. So with only devices behind this phone using 802.1X, do any other options exist to make sure a second (non-authorized) device isn't able to use a previously authorized 1X session of a disconnected device?

Cisco Employee

Re: Using 802.1X and non-Cisco IP Phones

It's not good that your phones evidently cannot do it ;-(.

The only work-around here would be re-auth, but that doesn't fix the problem, and it's only a work-around, and it doesn't come for free.

Analogy:

There's no need to have a fire-drill just to make sure everyone in your building is a badged employee ;-).
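The two teardown paths discussed in this thread (an EAPOL-Logoff arriving from the phone's data port versus waiting for the reauthentication timer) can be modelled in a few lines. The following is an added example, not Cisco's code or anything from the original posts: it parses EAPOL frames (EtherType 0x888E, header of version, type and length, with type 2 meaning EAPOL-Logoff) and tracks a single-host port's authorized MAC. The MAC addresses, the reauth period and the data frames are constructed sample values; the Logoff is modelled as carrying the disconnected PC's MAC as source, which is an assumption made here for the example.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_LOGOFF = 2
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}

# Constructed sample MACs for the demonstration (not real devices).
PC_A = bytes.fromhex("02aa000000a1")
PC_B = bytes.fromhex("02bb000000b2")


def build_eapol(src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Ethernet frame carrying an EAPOL PDU (protocol version 2, as in 802.1X-2004)."""
    return (PAE_GROUP_ADDR + src + struct.pack("!H", EAPOL_ETHERTYPE)
            + struct.pack("!BBH", 2, ptype, len(body)) + body)


def data_frame(src: bytes) -> bytes:
    """Constructed non-EAPOL frame (broadcast IPv4 with a dummy payload)."""
    return b"\xff" * 6 + src + struct.pack("!H", 0x0800) + b"\x00" * 32


def parse_eapol(frame: bytes):
    """Return (src_mac, eapol_type) for a well-formed EAPOL frame, else None."""
    if len(frame) < 18:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if len(frame) < 18 + length or ptype not in EAPOL_TYPES:
        return None
    return frame[6:12], ptype


class AuthenticatorPort:
    """Single-host view of one switch port: at most one authorized MAC at a time."""

    def __init__(self, reauth_period=None):
        self.reauth_period = reauth_period   # seconds; None = no periodic reauth
        self.authorized_mac = None
        self.authorized_at = None
        self.events = []

    def authorize(self, mac: bytes, now: float):
        # Stands in for a completed EAP exchange with the RADIUS server.
        self.authorized_mac, self.authorized_at = mac, now
        self.events.append(("authorized", mac.hex(":")))

    def tick(self, now: float):
        """Expire the session when the reauth timer runs out (the workaround path)."""
        if (self.authorized_mac is not None and self.reauth_period is not None
                and now - self.authorized_at >= self.reauth_period):
            self.events.append(("reauth-expired", self.authorized_mac.hex(":")))
            self.authorized_mac = self.authorized_at = None

    def on_frame(self, frame: bytes, now: float) -> bool:
        """Process one ingress frame; return True if it is forwarded."""
        self.tick(now)
        eapol = parse_eapol(frame)
        if eapol is not None:
            src, ptype = eapol
            if ptype == EAPOL_LOGOFF and src == self.authorized_mac:
                # Explicit logoff: the session is torn down at once, no timer needed.
                self.events.append(("logoff", src.hex(":")))
                self.authorized_mac = self.authorized_at = None
            return True   # EAPOL itself is always handled by the PAE
        src = frame[6:12]
        if self.authorized_mac is None:
            self.events.append(("dropped-unauthorized", src.hex(":")))
            return False
        if src != self.authorized_mac:
            # Stale session plus a new MAC looks like a second device on a 1X port.
            self.events.append(("security-violation", src.hex(":")))
            return False
        return True


def with_logoff():
    """Phone relays a Logoff for PC_A; PC_B is simply unauthorized afterwards."""
    port = AuthenticatorPort(reauth_period=3600)
    port.authorize(PC_A, now=0)
    port.on_frame(build_eapol(PC_A, EAPOL_LOGOFF), now=10)
    forwarded = port.on_frame(data_frame(PC_B), now=11)
    return port.authorized_mac, forwarded, [e[0] for e in port.events]


def without_logoff():
    """No Logoff: PC_B trips a violation until the reauth timer clears PC_A."""
    port = AuthenticatorPort(reauth_period=3600)
    port.authorize(PC_A, now=0)
    port.on_frame(data_frame(PC_B), now=11)     # stale session still held by PC_A
    port.on_frame(data_frame(PC_B), now=3700)   # timer has expired by now
    return [e[0] for e in port.events]


if __name__ == "__main__":
    print(with_logoff())
    print(without_logoff())
```

The event lists make the difference visible: with a Logoff the port drops straight to unauthorized and the next device is just an unauthenticated host, whereas without one the second MAC is treated as a violation for the whole remaining reauth period, which is the "thinking an attack is underway" situation described above.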

New Member

Re: Using 802.1X and non-Cisco IP Phones

Hi,

I have another question regarding non-Cisco IP phones and 802.1X.

If I connect a PC to an IP phone and I have dynamic VLANs for the PC users (after the user logs in on the PC he receives a VLAN from the RADIUS server), should this kind of configuration work, or after successful authentication will the user go to the VLAN configured as the native VLAN?

Best Regards

MC
