03-11-2016 06:59 AM - edited 03-18-2019 05:40 AM
I'm trying to configure 802.1x on MX and SX type endpoints registered on CUCM v10.5.
From CUCM I pushed the LSC, and on the endpoint under Security > CUCM I see:
IEEE802.1x config done on endpoint (see attached screenshot).
I've also added the CA certificates on the endpoint.
But when the switch port is activated for 802.1x the endpoint is not reachable anymore and "authentication failed" is shown in the switch logs.
Has somebody already managed to make this work?
For IP phones there's an 802.1x setting on the CUCM, but for TP endpoints this is not the case.
03-29-2016 12:41 AM
As a follow-up to my own thread, here are some hints to make it work:
- The codec series does not use the same identity format in its certificate as the IP phones do. It uses 'SEP' + MAC address instead, so the ISE server needs a rule that matches on this name combination.
- The LSC of the UCM must be installed on the codec: use "Install/Upgrade by Authentication String".
- The LSC certificate must be enabled for 802.1X.
- On the codec the following fields are needed:
  - Identity: 'SEP' + MAC address
  - Mode: On
  - TlsVerify: Off
  - UseClientCertificate: On
  - EAP MD5: Off
  - PEAP: Off
  - TLS: On
  - Ttls: Off
- On the switch:
  radius-server vsa send authentication
  radius-server vsa send accounting
- On the switch port (note: the voice VLAN must be used):
  interface GigabitEthernet2/0/46
   description ### MX700 ###
   switchport access vlan 500
   switchport mode access
   ! voice VLAN is required: the codec is authorized into the voice domain
   switchport voice vlan 500
   switchport port-security aging type inactivity
   no logging event link-status
   authentication control-direction in
   authentication event fail action next-method
   authentication event server dead action authorize vlan 500
   authentication event server dead action authorize voice
   authentication event server alive action reinitialize
   ! multi-domain: one host in the data domain, one in the voice domain
   authentication host-mode multi-domain
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication timer restart 3600
   authentication violation replace
   mab
   no snmp trap link-status
   dot1x pae authenticator
   dot1x timeout tx-period 7
   storm-control broadcast level 10.00
   storm-control multicast level 10.00
   macro description dot1x-secure
   spanning-tree portfast
  end
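One way to express the rule the follow-up says ISE needs, written as an added Python example (not code from the thread, from CUCM, ISE or the codec): derive the 'SEP' + MAC identity from a MAC address in any common notation and require that the EAP-TLS identity the codec presents agree with the RADIUS Calling-Station-Id the switch reports for the port. The request dictionary, its field names and the sample MAC addresses are constructed for this example; a real ISE policy states the same condition with its own attribute names.

```python
import re

# Added example, not code from the original thread.  MX/SX codecs doing
# EAP-TLS present the identity "SEP" + MAC address (12 upper-case hex
# digits, no separators), the CN of the LSC issued by CUCM.  The functions
# below emulate a server-side rule that accepts the session only if that
# identity is well formed and agrees with the MAC the switch reports in
# RADIUS Calling-Station-Id.  The request layout and all sample values are
# constructed for this example and are not ISE's own data model.

SEP_IDENTITY_RE = re.compile(r"^SEP([0-9A-F]{12})$")
_MAC_SEPARATORS = str.maketrans("", "", ":-.")


def sep_identity(mac: str) -> str:
    """Normalize any common MAC notation ("00:11:22:aa:bb:cc",
    "00-11-22-AA-BB-CC", "0011.22aa.bbcc") to the codec's 802.1X identity."""
    hexdigits = mac.translate(_MAC_SEPARATORS).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "SEP" + hexdigits


def identity_matches_calling_station(identity: str, calling_station_id: str) -> bool:
    """True only if identity is exactly SEP<MAC> and <MAC> equals the RADIUS
    Calling-Station-Id.  Malformed input yields False rather than an
    exception, so a caller cannot accidentally fail open."""
    m = SEP_IDENTITY_RE.match(identity)
    if m is None:
        return False
    try:
        return m.group(1) == sep_identity(calling_station_id)[len("SEP"):]
    except ValueError:
        return False


def evaluate_request(req: dict) -> tuple[str, str]:
    """Emulated authorization rule.  `req` is a constructed stand-in for the
    fields the RADIUS server sees: the EAP method negotiated, the EAP-TLS
    identity (certificate CN) and the Calling-Station-Id from the switch.
    Returns (decision, reason)."""
    if req.get("eap_method") != "EAP-TLS":
        # The codec settings in the post enable TLS only; anything else is a
        # different supplicant or a downgraded negotiation.
        return ("reject", f"unexpected EAP method {req.get('eap_method')!r}")
    identity = req.get("identity", "")
    csid = req.get("calling_station_id", "")
    if not identity_matches_calling_station(identity, csid):
        return ("reject", f"identity {identity!r} does not match Calling-Station-Id {csid!r}")
    return ("permit", "TelePresence codec, authorize into voice domain")


if __name__ == "__main__":
    # Constructed sample requests: a codec whose certificate CN matches the
    # port's MAC, and the same certificate presented from a different MAC.
    good = {"eap_method": "EAP-TLS", "identity": "SEP001122AABBCC",
            "calling_station_id": "00-11-22-AA-BB-CC"}
    moved = dict(good, calling_station_id="00-11-22-AA-BB-CD")
    for r in (good, moved):
        print(r["calling_station_id"], "->", evaluate_request(r))
```

The identity/Calling-Station-Id comparison is the only binding between the certificate and the port, so it belongs on the server side; with TlsVerify set to Off on the codec, as in the settings above, the endpoint itself does not validate the RADIUS server's certificate, and the check here is the one that actually runs.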