802.1x and Cisco IP phones

Similar Messages

• 3560G and 802.1X with Cisco IP Phone

  Hi,
  We have been doing some test on our 3560G switch with 802.1X. The switch port has a Cisco IP Phone 7940 connected and at the back of the IP Phone is the PC (802.1X client).
  The PC authenticates with the computer name or the username properly without any problems. However problem is that the port stays opened/authorized even after disconnecting the Laptop from the phone. Only disconnecting the phone from the switch disables the port and enforces authentication.
  This totally defeats the purpose for us.
  IOS: 12.2(20)SE3
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  dot1x system-auth-control
  interface GigabitEthernet0/40
  switchport access vlan 4
  switchport mode access
  switchport voice vlan 15
  dot1x port-control auto
  dot1x timeout quiet-period 15
  dot1x timeout reauth-period 30
  dot1x max-req 1
  dot1x reauthentication
  spanning-tree portfast
  spanning-tree link-type point-to-point
  Any ideas will be appreciated.
  Thanks,
  Cheers
  Kartik

  I believe the problem should be solved with the new phone firmware:
  Ref Cisco Document:
  http://www.cisco.com/en/US/products/hw/phones/ps379/prod_release_note09186a0080461f84.html
  "Firmware release 7.2(2) provides support for the Cisco IP Phone models 7960G and 7940G to monitor IEEE 802.1X messages between an authenticating switch and a connected PC (supplicant).
  When a PC is disconnected from the Cisco IP Phone, the phone issues an EAPOL-Logoff message on behalf of the PC to the authenticating switch.
  Hope This Helps
  Jarle Steffensen

• Dot1x, .1X and Cisco IP Phones

  Hi,
  We are busy performing dot1x tests on IP Phones. We chose the LSC approach and have generated CAPF CSRs which we have signed by our PKI infrastructure.
  Once all certificates and trust have been uploaded and when we update the CUCM CTL with the Cisco CTL client tool, we received the following error message
  “Could not get CAPF certificate(s).CAPF seems to be running on the CUCM Publisher but the certificate file(s) do not exist in the Certifiicate trust path on Server”
  We searched Neptro with an explanation on this and found that article:
  https://supportforums.cisco.com/thread/2067102
  In our setup we one issuing CA in the certification path has n key of 4096 bits. This is imposed by our Security Policy and can’t be workaround from a security policy point of view.
  We then had the CAPF CSR regenerated and had a test CA with an encryption key of only 2048 bit sign our certificate and Dot1x authentication. This worked just fine and test Ip Phones can now authenticate..
  My question is, is that a known limitation of Cisco Callmanager which is unable to handle certificates signed by a PKI in which one of the CA has a key of more that 2048 bits. Or is this a bug related to our 8.6.2.23900-10 CUCM version.
  Is there a way to bypass that limitation or a precise version of callmanager correcting it?
  THanks,
  Antoine

  You can configure the MSFT supplicant to send an EAPOL-Logoff:
  Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode -- REG_DWORD
  0: Machine authentication mode in Windows XP Client RTM. When a user logs in, if the connection has already been authenticated with Machine credentials, the user’s credentials are not used for authentication.
  1: Machine authentication with re-authentication functionality. Whenever a user logs in, 802.1X authentication is performed using the user’s-credentials.
  2: Machine authentication only – Whenever a user logs in, it has no effect on the connection. 802.1X authentication is performed using machine credentials only.
  In the wired-Ethernet case you should set (SupplicantMode = 3) AND (AuthMode = 0) AND (disable Machine-Authentication OR ensure that there are no machine credentials on the client). This will ensure that when a user logs off, an EAPOL-Logoff will be sent out. So, AFAIK, this is the bad news .. you lose machine-auth.
  Actually, stay tuned for the ability for our IP Phones to be able to do this on behalf of a PC very soon. What will happen is when an IP Phone senses EAPOL through it, it will know who the supplicant is, and what port they're on (the phone's PC port). Assuming 2 conditions above, if link to phone's PC port goes down, IP Phone will transmit EAPOL-Logoff to PC immediately (on PCs behalf).
  Hope this helps.

• RTP streaming and Cisco IP phones problem

  Hello,
  I'm trying to write an application that should dial some numbers and play the voice message from the file into the phone line using Cisco JTAPI and Java Media Framework.
  I've found some samples, that seems useful for me, but unfortunately they does not work. There are no any errors and no exceptions, I have no idea what to do.
  Small brief: I make a call from one Cisco IP phone (7960) to another using Cisco JTAPI, then I catch the CiscoRTPInputStartedEv event, get the IP and port of the IP Phone and call the RTPStreamer class constuctor with them. It gives no any errors or exceptions (just a message shown below), but there is only silence in the phone line. Message:
  Should b streamin'...
  Encoding ok?: true
  streams is [Lcom.sun.media.multiplexer.RawBufferMux$RawBufferSourceStream;@53d : 1
  sink: setOutputLocator rtp://192.168.1.22:20794/audio
  Please see the RTFStreamer class code below.
  I set the packet size to 160 as reccomended for Cisco IP phones, I use the greeting.wav from Cisco example that properties are 8Khz 8bit mono, but it still doesn't work.
  Could you help me? Thank you for any advice!
  import java.io.* ;
  import java.util.* ;
  import java.net.* ;
  import javax.media.* ;
  import javax.media.control.* ;
  import javax.media.format.* ;
  import javax.media.protocol.* ;
  import stream.*;
  public class RtpStreamer
       public static int PlayCounter = 0;
       private RtpStreamer()
            // not supported
       public RtpStreamer(String IP, String Port)
            PlayCounter++;
            new RtpStreamer("rtp://" + IP + ":" + Port + "/");
       public RtpStreamer(String CurrentMediaUrl)
            PlayCounter++;
       System.out.println("Should b streamin'...");
       // Create a Processor for the selected file. Exit if the
       // Processor cannot be created.
       Processor processor = null;
       StateHelper sh = null;
       try
                 String mediaUrl = "file:\\C:\\greetings.wav";
       processor = Manager.createProcessor( new MediaLocator(mediaUrl));
       sh = new StateHelper(processor);
       catch (IOException e)
       System.out.println("Exception occured (1a): " + e);
       catch (NoProcessorException e)
       System.out.println("Exception occured (1b): " + e);
       // for loggin purpose
       //sh.setContext( getServletContext() );
       // configure the processor
       if (!sh.configure(10000))
       System.out.println("Configuration failed!!");
       // Block until the Processor has been configured
       TrackControl track[] = processor.getTrackControls();
       boolean encodingOk = false;
       // Go through the tracks and try to program one of them to
       // output ulaw data.
       for (int i = 0; i < track.length; i++)
       if (!encodingOk && track[i] instanceof FormatControl)
       if (((FormatControl)track).setFormat( new AudioFormat(AudioFormat.ULAW_RTP,8000,8,1)) == null)
       track[i].setEnabled(false);
       else
       encodingOk = true;
       else
       // we could not set this track to ulaw, so disable it
       track[i].setEnabled(false);
                 // set packet size to 160
                 try
                      Codec codec[] = new Codec[3];
                      codec[0] = new com.ibm.media.codec.audio.rc.RCModule();
                      codec[1] = new com.ibm.media.codec.audio.ulaw.JavaEncoder();
                      codec[2] = new com.sun.media.codec.audio.ulaw.Packetizer();
                      ((com.sun.media.codec.audio.ulaw.Packetizer)codec[2]).setPacketSize(160);
                      ((TrackControl)track[i]).setCodecChain(codec);
                 catch (Exception e)
                      System.out.println("Error setting packet size in 160: " + e + " in " + e.getMessage());
       System.out.println("Encoding ok?: " + encodingOk );
       // At this point, we have determined where we can send out
       // ulaw data or not.
       // realize the processor
       if (encodingOk)
       if (!sh.realize(10000))
       System.out.println("Realization failed!!");
       // block until realized.
       // get the output datasource of the processor and exit
       // if we fail
       DataSource ds = null;
       try
       ds = processor.getDataOutput();
       catch (NotRealizedError e)
       System.out.println("Exception occured(2): "+e);
       // hand this datasource to manager for creating an RTP
       // datasink.
       // our RTP datasink will multicast the audio
       try
       //String mediaUrl= "rtp://192.168.1.12:20002/audio/1"; // it works without errors
                      String mediaUrl= CurrentMediaUrl + "audio";
       MediaLocator m = new MediaLocator(mediaUrl);
       DataSink d = Manager.createDataSink(ds, m);
       d.open();
       d.start();
       catch (Exception e)
       System.out.println("Exception occured(3): "+e);

  BTW is there any solution to figure out if the RTP application makes any network activity or not?

• MAB/802.1x and Alkatel IP Phones

  Hi All
  We have a distributed deployment where Alkatel ip-touch phones are authentictaed via MAB. Alkatel ip touch phones has 802.1x enabled by default and the phone tries eapol first and then switch authenticates via MAB which is fine. Once authenticated its working as expected. The issue is the phone keeps on periodic retry after x amount of minutes for 802.1x again which triggers the phone to reboot again and goes via the whole process. This interupts the voice. We could disable 802.1x but its per phone basis. Has anyone came across this issue and found a way to diable globally via the call manager etcc. or any workarounf from ISE/switch side?
  Thanks
  G

  Hi Tarik,
  Thanks for the reply, please find below the switch  port config lines, its a 370x switch, IPbase  and universalon 15.2-1.E1 image
  Note- Since the 8021x is enabled by default the phone initially tries 802.1x and after failing , the switch  goes to the next auth method which is MAB which is successful. The issue is the phone again initiales a 802.1x packet after some time and the whole process starts again and because 8021x is failed the phone reboots again. I think this is the way this type of phone work and we cannot do much unless disable 802.1x or install the Alkatel CA certs in the ISE cert store?
  Interface gi x/y
  switchport access vlan xx
   switchport mode access
   switchport voice vlan yy
   ip access-group ACL_ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan xx
   authentication event server dead action authorize voice
   authentication host-mode multi-auth
   authentication open
   authentication order mab dot1x
   authentication priority dot1x mab
   authentication port-control auto
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   snmp trap mac-notification change added
   snmp trap mac-notification change removed
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast

• Call manager and Cisco IP phones

  I would like to know if it's possible to use Cisco IP phones in small environments, without having Call manager, or it's mandatory to have always CallManager if one wants to use the IP phones.
  Thank you

  You can use Call Manager Express, which runs on cisco 1751/60, 2600 and above routers. it can support up to 120 users. Cisco Unity Express will provide voice mail. this is a network module in 2600 and above routers. for more info, see www.cisco.com/go/ccme

• Using 802.1X and non-Cisco IP Phones

  Hi there,
  Having some questions about an 802.1x/non-Cisco ip phone setup and was hoping to find some answers/user-experience with this setup.
  Main questions i'm facing:
  1) When using non-Cisco ip phones (eg Nortel or Siemens) and a previous authorized client connected behind this ip phone gets disconnected. What will this action do with the authorized state of 802.1X on the switch port? WIll it stay authorized until the reauth timer expires or does it reject communication from any other device?
  2) What about EAPOL-Logoff messages from the ip phone to the switch. Are these only used by Cisco phones when they experience a link-status change on data ports?
  Thanks for sharing your thoughts

  Overall, you need to try and deal with the fact that a machine can disappear from the network and the network may not know about it directly (i.e. Link doesn't go down).
  I have no idea what other phones do, but Cisco phones send an EAPOL-Logoff when something is unplugged. This lets the switch know directly, and 1X session start is torn down immediately, closing what would be a security hole.
  Fundamentally, re-auth is a workaround only, and this is not the reason to enable re-auth to begin with.
  If your phone doesn't send an EAPOL-Logoff in this case, the switch might be left thinking an attack is underway when someone else tries to plug in (with presumably a different MAC). You do NOT want this to occur.
  Hope this helps,

• Cisco ip phones authenticate 802.1x with cisco ise 1.3

  Dear all,
  I want to configure cisco ise 1.3 with 802.1x , to authenticate cisco ip phones ( CUCM 10.5.2 ) with LSC certificate. 
  How I have to configure cisco ise authentication rules for 802.1x with cisco ip phones? Are there any configuration examples ? 
  Thanks

  following are ISE 802.1x  sample authentication rules..you can change the protocol (Policy -> policy elements - > results -> authentication and you can select the proctocal)

• IEEE 802.3u and IEEE 802.3z Compatibility

  Hello everyone!
  Does anyone know if these 2 fiber optic SFPs are compatible with each other?
  We have and old HP J4853A transceiver which is 802.3u and Cisco SFP LX Module which is 802.3z
  Thank you!

  Hello
  For your reference, when talking about fiber transceiver you want to check the following details:
  - There exists two modes: Single mode, and multi-mode, you want to make sure both use the same mode.
  - Wavelenght, there are 850nm, 950nm, 1310nm.... You need to make sure it matches.
  - No all switches/routers support all types of modules, so check the following compatibility matrix to make sure hardware and tranceiver are compatible.
  http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.html
  Regards.
  Wilson B.

• Mitel phone 802.1x with Cat 3560 and Cisco ACS5.2 problem

  I am piloting an 802.1x implementation for a client who has Mitel IP Phones.  I have setup the switch and ACS based on previous experience and a windows PC can authenticate onto the network OK.  When I use a Mitel phone however, it seems to skip past the first 802.1x LCD message and goes straight to LLDP and DHCP discovery, which obviously fails.  The phone are 5224s and the controller is on the original v10 release.  I have cleared the 802.1x config on the phone and rebooting as per Mitel documentation which leads me to believe it should then prompt for a user/pass on next reboot.  It does not do this.
  I known the ACS is setup to support EAP-MD5 and I have tried all the various types of host modes including the default and Multi-Auth, Multi-Domain and none of them seem to make any difference.  I have tried with and without a PC attached to the phone as well.
  A wireshark shows the EAP identity request from the switch, and I see an EAP response from the phone, although it is slightly different to the PC's response.  In the end the phone issues an EAP 4 failure message.  So something in that EAP conversation doesnt seem to work.  Does anybody have an experience of this?

  A wireshark capture shows a difference in the EAP request message from a Cisco Cat 3560 (12.2.55) to the Mitel, compared to a HP Procurve to the Mitel which the Mitel responds to:
  Cisco EAP Request trace:
  Frame 17 (60 bytes on wire, 60 bytes captured)
  Ethernet II, Src: Cisco_99:06:84 (00:1e:49:99:06:84), Dst: Mitel_2c:ad:3b (08:00:0f:2c:ad:3b)
      Destination: Mitel_2c:ad:3b (08:00:0f:2c:ad:3b)
      Source: Cisco_99:06:84 (00:1e:49:99:06:84)
      Type: 802.1X Authentication (0x888e)
      Trailer: 000000000000000000000000000000000000000000000000...
  802.1X Authentication
     Version: 3
      Type: EAP Packet (0)
      Length: 5
      Extensible Authentication Protocol
          Code: Request (1)
          Id: 1
          Length: 5
          Type: Identity [RFC3748] (1)
  HP EAP Request trace:
  Frame 36 (60 bytes on wire, 60 bytes captured)
  Ethernet II, Src: Procurve_03:b7:40 (00:1b:3f:03:b7:40), Dst: Mitel_42:f5:21 (08:00:0f:42:f5:21)
      Destination: Mitel_42:f5:21 (08:00:0f:42:f5:21)
      Source: Procurve_03:b7:40 (00:1b:3f:03:b7:40)
      Type: 802.1X Authentication (0x888e)
      Trailer: 000000000000000000000000000000000000000000000000...
  802.1X Authentication
      Version: 1
      Type: EAP Packet (0)
      Length: 15
      Extensible Authentication Protocol
          Code: Request (1)
          Id: 1
          Length: 15
          Type: Identity [RFC3748] (1)
          Identity (10 bytes): User name:
  The HP seems to be requesting a User name as a string in the Identity field, whcih the Mitel phone then responds with an EAP response packet with an identity of MITEL.
  The other difference seems to be that a Version code of 3 is being used by the Catalyst but Version 1 by the HP and Mitel phone.
  Any ideas anyone?

• Cisco IP Phone 802.1x authentication with NPS

  Hi All,
  I would like to configure 802.1x authentication on both my Cisco ip phones and windows clients using NPS. So far i have tested the clients and it works however I am not finding any information on if NPS supports 802.1x on ip phones. Has anyone done a similar
  deployment using NPS. So far I am only seeing cisco ACS server being used as the policy server.

  Hi,
  Based on my research, it seems that you may enounter issues related to username(Basically Mircosoft only allows a 20 character user name, while the user name of the phone exceeds the 20 character limit and causes it to fail.) and certificate schema when
  configuring 802.1x authentication for Cisco IP phones.
  Best regards,
  Susie
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Cisco ip phones authenticate 802.1x with cisco ise

  Dears,
  I want to  configure ip phones authenticate from Cisco ISE with 802.1X with certificates. But i can not find any configuration guide about this solutions.
  I find one config and this is about ACS. Please provide me any documentation guide on cisco ise.
  Thanks. 

  802.1x configuration for IP Phones
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#69217

• SD208P PoE and Pre-Standard Cisco IP Phones (eg. 7960)

  Well, I've been learning the eccentricities of Cisco's product lines the hard way!  Here's my situation:
  I've taken over for an office that has a hosted Cisco IP phone system using a variety of what seem to be older Cisco phones (the one at my desk is a 7960) these are normally powered by the PoE that gets delivered by some Cisco Catalyst 3750X switches.  Our office has grown to the point where we've had to place a few people into some semi-jury rigged seats in areas with limited network drops.  As a result I need to do something creative to get phones over there.
  I first went out and purchased a small 8 port switch with 4 PoE ports on it from a competitor and this was where I discovered that the models of Cisco phones I had needed something generally referred to as Cisco Pre-Standard PoE (or some variation on that theme).  I returned the switch and after doing some research decided to buy a Cisco SD208P switch, which a few messages out on the Interwebs led me to believe should be able to power the switch (possibly a firmware upgrade would be needed).
  So I got the switch today, and plugged my phone into it and... nothing.  No signs of life on the phone.  (And nothing as simple as plugging it into one of the non-PoE ports on the switch).  I went online to try and find a firmware update, and couldn't find anything.  It's also an unmanaged switch, so I'm not even sure how I'd update firmware on it if I wanted to (and there's nothing in the manual).
  I went back and double-checked some of  the sources that may have led me to believe that this would work and I found what turned out to mostly be people recommending this as a possible option, but not strictly saying it worked for them.  I found one person saying it worked for some Cisco phones, but he didn't specifically say they were prestandard ones.  Lastly, there is mention of 200 and 300 series switches being firmware upgradable to support prestandard PoE, but from looking around Cisco's site I'm not 100% sure that this switch is actually part of the 200 series despite the number in the name.  It seems to show up in a Small Business Unmanaged Switch category online rather than in any proper series.
  So, the question is - have I just missed something somewhere?  Is there any hope for me?  Or do I have to send this back and go for something else?  If so, what's recommended?  Perferably something in that price range or we might just give in and... gasp... buy power supplies.
  Thanks,
  Chris.

  Hi Chris,
       The SD208P is an unmanaged switch that does not have any web interface and you will not be able to upgrade firmwares on this switch. The unmanaged switch that you have gotten will only support 802.3af POE standard and does not support the Cisco pre-standard. Also, you did mention the 200 and 300 series switches which are managed switches and with the latest firmware of 1.1.2.0, you will be able to power up your 7960 phones. The models are called SF200, SF300, SG200, and SG300. Please make sure to get the models with the letter "P" for POE. For example, you can get the SF300-24P. I hope this information is helpful.
  Thanks,
  Brian Ng

• Recording for Cisco IP Phones and Cisco C90 Codec

  Hello
  We are looking for a solution that is capable to record both Cisco IP Phones and Cisco Codec C90.
  We are using CUCM 9.X for IP Phones and VCS 7.X for Cisco Codecs.
  Is their any third party solution available for both the requirements or do i have to go with TCS and any other third party recording solution.
  Thanks & Regards
  Aniket Patil

  My reply may be too late to be of any help to you, but for the benefit of others:
  Be sure you understand the different types of PoE out there. The Linksys PoE switch only supports the newer IEEE 802.3af PoE standard.
  The 7940, 7960, 7905 and other older Cisco phones only support Cisco pre-standard PoE and thus will not work with the 802.3af Linksys Switch.
  To use this switch, you will need to make sure you are using the newer 7070, 7961, 7941 phones with support both pre-standard and 802.3af PoE.
  All the best,
  John

• VPN Site-to-Site or VPN Client Server with Cisco IP Phone 8941 and 8945

  Hi everyone,
  I decide to deploy a CUCM (BE6K platform), SX20, and IP Phone 8941/8945 on Head Office and Cisco SX10 and IP Phone 8941/8945 for branch offices (actually 9 branch offices).
  The connection will use internet connection for HO and each branch offices.
  And the IT guy want to use kind a VPN client server or VPN site-to-site for the connection through internet,
  what kind of VPN client server or VPN site-to-site that recommended for this deployment?
  and what type of Cisco router that support that kind of VPN (the cheapest one will be great)?
  So the SX10 and IP Phone 8941/8945 in branch offices can work properly through internet connection?
  please advise
  Regards,
  Ovindo

  Hi Leo,
  technically, the ipsec users will not use up any premium license seats, so if you have 10 ipsec users connecting first, the premium seats are still free and so you can then still have 10 phones/anyconnect users connect.
  However, the 250 you mention is the global platform limit, so it refers to the sum of premium and non-premium connections. Or in other words, you can have 240 ipsec users and 10 phones,  but not 250 ipsec users and 10 phones.
  If 250 ipsec users and 10 phones would try to connect, it would be first-in, first-served, e.g. you could have 248 ipsec users and 2 phones connected.
  Note: since you have Essentials disabled I'm assuming you are referring to the legacy "Cisco vpnclient" (IKEv1 client) which does not require any license on the ASA. But for the benefit of others reading this thread: if  you do have Anyconnect clients (using SSL or IPsec/IKEv2) for which you currently have an Essentials license, then note that the Essentials and Premium license cannot co-exist. So for e.g. 240 Anyconnect users and no phones, you can use Essentials. For 240 Anyconnect users and 10 phones, you need a 250-seat Premium license (and a vpn phone license).
  hth
  Herbert