Will NAC work with non-Cisco IP phones & the devices behind it

chalkspray
Level 1

I've been told that when you implement Cisco NAC and are using non-Cisco IP phones, the device will authenticate the phone but not the pc plugged into it. Is this true or was it true and if so, is there a fix or a workaround? Nortel has been using this as one of their key points to discourage us from buying all Cisco routers and implementing NAC.

We are using Nortel phone systems right now but they aren't IP based. However, it seems it would be cheaper to upgrade those instead of replacing them with Cisco units.

Thanks!

21 Replies

Andy,

I'm not sure how the phone is "authenticated"; you'd think they would have thought of MAC spoofing and have some other sort of test it must pass before just being excluded by the MAC.

Everyone,

The whole reason I started this thread was to find out whether or not the PC BEHIND A NORTEL IP PHONE would be able to access the network without being authenticated. No spoofing, no tricks, just plug in and go. What I've been told (and been unable to find anything to prove otherwise) is that Nortel IP phones are not compatible with Cisco NAC and thus WILL NOT pass through the MAC of the PC to a NAC device. Whereas a Cisco IP phone WOULD pass NAC authentication to the PC. So with a Nortel phone, a PC would be able to connect through a phone at any time and could bypass the NAC policy enforcement all together.

We are planning to move to IP phones (most are IP capable already) and we really don't want to re-run CAT6 to all the workstations so that the phones can use their own line, separate from the PC. Not only that, but we'd have to somehow disable the port on the back of the phone so that users would not be able to bypass authentication by connecting through the phone. I imagine this can be done, but I don't manage our phone system, just the network & servers.

Has anyone tried using Cisco NAC with Nortel or other NON-CISCO IP phones?

Let's be clear on this:

The typical goal for the IP Phone is to "remain unauthenticated". So yes, by default, the phone can access the voice-VLAN, and any PC connecting to the phone must "authenticate" via std process.

Of course this presents risk, but it's no worse off than you were BEFORE you had the NAC-Appliance in place to begin with. Also remember, the appliance can logistically only do so much anyway. It's not typically in the business of anti-spoofing prevention or fine-grained access-control. I mean, it may be more than 1-2 hops away anyway.

If you are worried about an attacker spoofing a MAC of a phone, then I would invite you to look at something like 802.1X for your phones, Multi-Domain-Authentication (MDA) on x-Catalyst switches, along with anti-spoofing data-plane protection techniques like DHCP-Snooping, Dynamic ARP Inspection, IP Source-Guard, etc. All this could be done irrespective of the NAC Appliance for data devices BTW.

In summary though, the PC behind a Nortel IP Phone, any other IP Phone, or a PC plugged directly into a switch should get authenticated "much the same way" WRT the NAC Appliance. I'm not sure how Nortel phones are not compatible, since it's outside of the end devices control as to whether a MAC is passed up anyway.

Hope this helps,

Thanks for your reply. Andy had brought up the MAC spoofing issue. Although I am concerned with MAC spoofing, I'm not as concerned with it as I am with the NAC appliance being able to cut off the switch port to the PC if the device fails the security check.

Nortel was telling us that Cisco NAC does not support Nortel IP phones and that any PCs connected to those phones would be able to access the network immediately without being authenticated by the NAC device. What you're telling me is that this is not true. Do you have any documentation on Nortel IP phone compatibility?

So far every person I've talked to at Cisco has either not had the answer or has believed that Nortel was correct. In all cases both companies blame the other, which really does nothing for the customer.

Hi

I found this on Multi Domain Authentication -

Multi Domain Authentication (MDA)-MDA provides enhanced security for IP phone deployments. This allows an IP phone (Cisco or third-party) and a single host behind the IP phone to independently authenticate using 802.1x. Using this method, a switch can place the host in the data VLAN and IP phone in the voice VLAN, though they appear on the same switch port. Data VLAN can be downloaded from the authentication, authorization, and accounting (AAA) server. For non-802.1x devices, MAC Authentication Bypass (MAB) can be used as the fallback to authenticate using the MAC address of the device. For non-802.1x deployments, MAB can be used to authenticate both IP phones and hosts.

However from my research this is only supported on the Cat 4K, 3750 and 3560... I was hoping for a 65xx solution.

May solve your issue though Chalkspray!

Cheers

Andy

Thanks Andy. That's one option, but we really wanted to use the Cisco NAC appliance in our environment as it would be much easier to control our network and would integrate well with our Cisco MARS, IPS, and Firewalls... rather than going to a straight 802.1x solution. Cisco NAC provides so much more. MDA can't decide to not allow a particular PC because of missing patches, because the PC has a virus, or has out of date virus definitions.

802.1x also doesn't work well in environments where there are so many consultants coming in and out each day; the company's policy is to not allow ANY network connection (isolated VLAN or not) without first being checked out by IT personnel.

Additionally, we ran into issues while testing 802.1x where the PC could not be accessed via the network (for patches or remote administration) when the user was not logged in to Windows. We were using Windows to pass-through the AD information for 802.1x authentication, rather than going by MAC addresses. Maybe this has been resolved now, but at the time, 802.1x was still fairly new and rarely implemented on wired networks.

So really, I'd love to find out if there's some way to allow complete out-of-band functionality with Cisco NAC using Nortel IP phones. Anyone?

Jeremy

A few things here:

* Not sure of any docs demonstrating how the NAC Appliance works with IP-Tel, even 3rd party IP-Tel. Suffice it to say though, it's just a MAC address, and you can choose to ignore it on the NAC Appliance if you wish to have IP-Tel interop. Not sure why/how this would even have anything to do with Nortel, per se.

* Multi Domain Authentication (MDA). Yes, it's only supported on the switches listed before (Cat 4K, 3750 and 3560). It's around the corner for the 6500, so please contact your account team for an update.

You should be able to use the Cisco NAC appliance in your environment either way.

HTH,

Everything Jason is saying makes sense. You enable mac snmp traps on the switch, so the CAS knows when a new mac address is learned (device has come up, even if it is daisy-chained off an IP phone). However, you must configure a filter to ignore the mac-addresses that contain the Nortel IP phone OUI -- so when an IP phone is plugged in, the CAS ignores it.

From what I understand, the only place where you could have a problem is 6500s, which cannot send the mac traps. They can send linkup/down traps, but you would not receive those traps if there is an IP phone on the switchport that is already up. From what I've been told, this will be fixed when Whitney code is released.
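The following is an added example, not configuration posted by anyone in this thread: a Catalyst 3560/3750-class IOS sketch tying together the three mechanisms discussed above, the anti-spoofing data-plane protections and MDA with MAB fallback from Jason's and Andy's replies, and the MAC-notification traps to the CAS from the last reply. Interface names, VLAN ids, IP addresses, the RADIUS key and the SNMP community are placeholders (assumptions), and the CAS-side OUI filter for the phones is configured on the appliance, not here.

```cisco-ios
! Added example (not from the thread). Placeholders: 192.0.2.10 = RADIUS,
! 192.0.2.20 = NAC appliance (CAS), VLAN 10 = data, VLAN 100 = voice.
!
! --- AAA / 802.1X globally ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key RADIUS_KEY_PLACEHOLDER
dot1x system-auth-control
!
! --- MAC-notification traps: the CAS learns of every new MAC on a port,
!     including a PC daisy-chained off an IP phone (link never flaps) ---
mac address-table notification change
snmp-server enable traps mac-notification change
snmp-server host 192.0.2.20 version 2c COMMUNITY_PLACEHOLDER mac-notification
!
! --- Anti-spoofing data-plane protection on the data and voice VLANs ---
ip dhcp snooping
ip dhcp snooping vlan 10,100
ip arp inspection vlan 10,100
!
! --- Access port: phone in the voice VLAN, PC in the data VLAN, each
!     authenticated on its own (MDA); MAB is the fallback for a phone or
!     host that does not speak 802.1X. For a MAB'd phone to be placed in
!     the voice domain the RADIUS server must return
!     cisco-av-pair = "device-traffic-class=voice" for that MAC. ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 snmp trap mac-notification change added
 ip verify source
 spanning-tree portfast
!
! --- Uplink towards the DHCP server and CAS: trusted for snooping and DAI,
!     otherwise legitimate DHCP offers and ARP replies get dropped ---
interface GigabitEthernet1/0/48
 ip dhcp snooping trust
 ip arp inspection trust
```

With this in place a PC behind a third-party phone still has its MAC reported to the CAS and must pass the data-domain authentication, while a device spoofing the phone's MAC gains only the voice VLAN and is held by DHCP snooping, DAI and IP source guard.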
