Dot1x, .1X and Cisco IP Phones

Hi,
We are busy performing dot1x tests on IP Phones. We chose the LSC approach and have generated CAPF CSRs, which we have had signed by our PKI infrastructure.
Once all certificates and trust have been uploaded and we update the CUCM CTL with the Cisco CTL client tool, we receive the following error message:
“Could not get CAPF certificate(s).CAPF seems to be running on the CUCM Publisher but the certificate file(s) do not exist in the Certifiicate trust path on Server”
We searched NetPro for an explanation of this and found this article:
https://supportforums.cisco.com/thread/2067102
In our setup, one issuing CA in the certification path has a key of 4096 bits. This is imposed by our Security Policy and can’t be worked around from a security policy point of view.
We then had the CAPF CSR regenerated and had a test CA with an encryption key of only 2048 bits sign our certificate, and tested Dot1x authentication. This worked just fine and the test IP Phones can now authenticate.
My question is: is that a known limitation of Cisco CallManager, which is unable to handle certificates signed by a PKI in which one of the CAs has a key of more than 2048 bits? Or is this a bug related to our 8.6.2.23900-10 CUCM version?
Is there a way to bypass that limitation, or a precise version of CallManager correcting it?
Thanks,
Antoine

Similar Messages

  • RTP streaming and Cisco IP phones problem

    Hello,
    I'm trying to write an application that should dial some numbers and play a voice message from a file into the phone line, using Cisco JTAPI and the Java Media Framework.
    I've found some samples that seemed useful to me, but unfortunately they do not work. There are no errors and no exceptions, and I have no idea what to do.
    Brief summary: I make a call from one Cisco IP phone (7960) to another using Cisco JTAPI, then I catch the CiscoRTPInputStartedEv event, get the IP and port of the IP Phone and call the RtpStreamer class constructor with them. It gives no errors or exceptions (just the messages shown below), but there is only silence on the phone line. Messages:
    Should b streamin'...
    Encoding ok?: true
    streams is [Lcom.sun.media.multiplexer.RawBufferMux$RawBufferSourceStream;@53d : 1
    sink: setOutputLocator rtp://192.168.1.22:20794/audio
    Please see the RtpStreamer class code below.
    I set the packet size to 160 as recommended for Cisco IP phones, and I use greeting.wav from the Cisco example, whose properties are 8 kHz, 8-bit, mono, but it still doesn't work.
    Could you help me? Thank you for any advice!
    import java.io.*;
    import java.util.*;
    import java.net.*;
    import javax.media.*;
    import javax.media.control.*;
    import javax.media.format.*;
    import javax.media.protocol.*;
    import stream.*;   // StateHelper comes from the JMF sample code

    public class RtpStreamer {
        public static int PlayCounter = 0;

        private RtpStreamer() {
            // not supported
        }

        public RtpStreamer(String IP, String Port) {
            PlayCounter++;
            new RtpStreamer("rtp://" + IP + ":" + Port + "/");
        }

        public RtpStreamer(String CurrentMediaUrl) {
            PlayCounter++;
            System.out.println("Should b streamin'...");
            // Create a Processor for the selected file. Exit if the
            // Processor cannot be created.
            Processor processor = null;
            StateHelper sh = null;
            try {
                String mediaUrl = "file:\\C:\\greetings.wav";
                processor = Manager.createProcessor(new MediaLocator(mediaUrl));
                sh = new StateHelper(processor);
            } catch (IOException e) {
                System.out.println("Exception occured (1a): " + e);
                return;
            } catch (NoProcessorException e) {
                System.out.println("Exception occured (1b): " + e);
                return;
            }
            // for logging purposes
            //sh.setContext( getServletContext() );
            // configure the processor; this blocks until it has been configured
            if (!sh.configure(10000)) {
                System.out.println("Configuration failed!!");
                return;
            }
            TrackControl track[] = processor.getTrackControls();
            boolean encodingOk = false;
            // Go through the tracks and try to program one of them to
            // output ulaw data.
            for (int i = 0; i < track.length; i++) {
                if (!encodingOk && track[i] instanceof FormatControl) {
                    // Note: the original cast the whole array ("(FormatControl)track")
                    // instead of the current track; fixed to track[i].
                    if (((FormatControl) track[i]).setFormat(
                            new AudioFormat(AudioFormat.ULAW_RTP, 8000, 8, 1)) == null) {
                        track[i].setEnabled(false);
                    } else {
                        encodingOk = true;
                        // set packet size to 160
                        try {
                            Codec codec[] = new Codec[3];
                            codec[0] = new com.ibm.media.codec.audio.rc.RCModule();
                            codec[1] = new com.ibm.media.codec.audio.ulaw.JavaEncoder();
                            codec[2] = new com.sun.media.codec.audio.ulaw.Packetizer();
                            ((com.sun.media.codec.audio.ulaw.Packetizer) codec[2]).setPacketSize(160);
                            ((TrackControl) track[i]).setCodecChain(codec);
                        } catch (Exception e) {
                            System.out.println("Error setting packet size in 160: " + e + " in " + e.getMessage());
                        }
                    }
                } else {
                    // we could not set this track to ulaw, so disable it
                    track[i].setEnabled(false);
                }
            }
            System.out.println("Encoding ok?: " + encodingOk);
            // At this point, we have determined whether we can send out
            // ulaw data or not.
            if (!encodingOk) {
                return;
            }
            // realize the processor; this blocks until realized.
            if (!sh.realize(10000)) {
                System.out.println("Realization failed!!");
                return;
            }
            // get the output datasource of the processor and exit
            // if we fail
            DataSource ds = null;
            try {
                ds = processor.getDataOutput();
            } catch (NotRealizedError e) {
                System.out.println("Exception occured(2): " + e);
                return;
            }
            // hand this datasource to manager for creating an RTP
            // datasink.
            // our RTP datasink will multicast the audio
            try {
                //String mediaUrl= "rtp://192.168.1.12:20002/audio/1"; // it works without errors
                String mediaUrl = CurrentMediaUrl + "audio";
                MediaLocator m = new MediaLocator(mediaUrl);
                DataSink d = Manager.createDataSink(ds, m);
                d.open();
                d.start();
            } catch (Exception e) {
                System.out.println("Exception occured(3): " + e);
                return;
            }
            // The DataSink only sets up the RTP session; the Processor itself
            // must be started or no audio is ever produced (the original code
            // never started it).
            processor.start();
        }
    }

    BTW is there any solution to figure out if the RTP application makes any network activity or not?

  • Call manager and Cisco IP phones

    I would like to know if it's possible to use Cisco IP phones in small environments, without having Call manager, or it's mandatory to have always CallManager if one wants to use the IP phones.
    Thank you

    You can use Call Manager Express, which runs on Cisco 1751/60, 2600 and above routers. It can support up to 120 users. Cisco Unity Express will provide voice mail; this is a network module in 2600 and above routers. For more info, see www.cisco.com/go/ccme

  • 802.1x and Cisco IP phones

    I have 802.1x configured on a Cisco 2950 switch. On ports where I have PCs plugged into the data port on the IP phones users sometimes get placed in the guest vlan. If they shut down their attached PC and then unplug the network cable (the one between the switch and the phone), then re-plug in the cable and boot their PC it seems to authenticate them again.... sometimes. The config for the ports with phones configured is as below:
    interface FastEthernet0/4
     switchport access vlan 4
     switchport mode access
     switchport voice vlan 200
     switchport port-security
     switchport port-security maximum 2
     no ip address
     dot1x port-control auto
     dot1x host-mode multi-host
     dot1x guest-vlan 3
     spanning-tree portfast
    Does anyone have a possible fix or work around?
    Thanks in advance,
    Peter

    You can configure the MSFT supplicant to send an EAPOL-Logoff:
    Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode -- REG_DWORD
    0: Machine authentication mode in Windows XP Client RTM. When a user logs in, if the connection has already been authenticated with Machine credentials, the user’s credentials are not used for authentication.
    1: Machine authentication with re-authentication functionality. Whenever a user logs in, 802.1X authentication is performed using the user’s credentials.
    2: Machine authentication only – Whenever a user logs in, it has no effect on the connection. 802.1X authentication is performed using machine credentials only.
    In the wired-Ethernet case you should set (SupplicantMode = 3) AND (AuthMode = 0) AND (disable Machine-Authentication OR ensure that there are no machine credentials on the client). This will ensure that when a user logs off, an EAPOL-Logoff will be sent out. So, AFAIK, this is the bad news .. you lose machine-auth.
    Actually, stay tuned for the ability for our IP Phones to be able to do this on behalf of a PC very soon. What will happen is when an IP Phone senses EAPOL through it, it will know who the supplicant is, and what port they're on (the phone's PC port). Assuming 2 conditions above, if link to phone's PC port goes down, IP Phone will transmit EAPOL-Logoff to PC immediately (on PCs behalf).
    Hope this helps.

  • 3560G and 802.1X with Cisco IP Phone

    Hi,
    We have been doing some tests on our 3560G switch with 802.1X. The switch port has a Cisco IP Phone 7940 connected, and at the back of the IP Phone is the PC (802.1X client).
    The PC authenticates with the computer name or the username properly without any problems. However, the problem is that the port stays open/authorized even after disconnecting the laptop from the phone. Only disconnecting the phone from the switch disables the port and enforces authentication.
    This totally defeats the purpose for us.
    IOS: 12.2(20)SE3
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    dot1x system-auth-control
    interface GigabitEthernet0/40
     switchport access vlan 4
     switchport mode access
     switchport voice vlan 15
     dot1x port-control auto
     dot1x timeout quiet-period 15
     dot1x timeout reauth-period 30
     dot1x max-req 1
     dot1x reauthentication
     spanning-tree portfast
     spanning-tree link-type point-to-point
    Any ideas will be appreciated.
    Thanks,
    Cheers
    Kartik

    I believe the problem should be solved with the new phone firmware:
    Ref Cisco Document:
    http://www.cisco.com/en/US/products/hw/phones/ps379/prod_release_note09186a0080461f84.html
    "Firmware release 7.2(2) provides support for the Cisco IP Phone models 7960G and 7940G to monitor IEEE 802.1X messages between an authenticating switch and a connected PC (supplicant).
    When a PC is disconnected from the Cisco IP Phone, the phone issues an EAPOL-Logoff message on behalf of the PC to the authenticating switch.
    Hope This Helps
    Jarle Steffensen

  • Cisco ip phone and wired user authenticate form ISE

    Hi dears,
    I configured wired users on Cisco ISE. The authentication protocol is EAP-FAST, and the external identity source is the DC. The wired users authenticate from ISE normally. I used the labminutes web site's configuration videos.
    Now the customer also wants the Cisco phone to authenticate from ISE. The physical connection is: one cable connects the switch to the phone, and one cable connects the phone to the PC (standard physical connection).
    I created a new authentication policy using MAB, and a new authorization policy.
    The problem is: the phone authenticates normally, but the wired user, who also wants to authenticate, cannot.
    Can someone provide me a best-practice configuration on ISE and the switch for phone and wired user authentication, or tell me the source of the problem?
    Thanks.

    interface GigabitEthernet1/0/48
     switchport access vlan 10
     switchport mode access
     switchport voice vlan 14
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 20
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    do you need ISE configuration??
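
To compare the switch-port settings quoted in the 2950, 3560G and ISE threads side by side, here is an added Python checker (not Cisco tooling and not code from any of these threads) that parses an interface block and reports its 802.1X posture: host mode (IOS defaults to single-host when no host-mode line is present), port-control, MAB, open mode and its pre-auth ACL, guest VLAN and periodic re-authentication. The three interface blocks are constructed copies of what the posters pasted; the review rules encode standard IOS behaviour and the advice given in the threads.

```python
# Added checker for the 802.1X posture of an IOS switch port (not Cisco tooling).
# The interface blocks below are constructed copies of the configs quoted in the
# 2950, 3560G and ISE threads.
import re

CONFIG_2950 = """\
interface FastEthernet0/4
 switchport access vlan 4
 switchport voice vlan 200
 switchport port-security maximum 2
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x guest-vlan 3
"""

CONFIG_3560 = """\
interface GigabitEthernet0/40
 switchport access vlan 4
 switchport voice vlan 15
 dot1x port-control auto
 dot1x timeout reauth-period 30
 dot1x reauthentication
"""

CONFIG_ISE = """\
interface GigabitEthernet1/0/48
 switchport access vlan 10
 switchport voice vlan 14
 ip access-group ACL-ALLOW in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
"""

# Lines that carry a value (the captured group) ...
VALUE_PATTERNS = {
    "interface": r"interface (\S+)",
    "voice_vlan": r"switchport voice vlan (\d+)",
    "host_mode": r"(?:dot1x|authentication) host-mode (\S+)",
    "port_control": r"(?:dot1x|authentication) port-control (\S+)",
    "guest_vlan": r"dot1x guest-vlan (\d+)",
    "order": r"authentication order (.+)",
    "pre_auth_acl": r"ip access-group (\S+) in",
    "reauth_period": r"dot1x timeout reauth-period (\d+)",
}
# ... and lines whose mere presence is the setting.
FLAG_PATTERNS = {
    "mab": r"mab",
    "open": r"authentication open",
    "reauth": r"dot1x reauthentication|authentication periodic",
}


def parse_port(text: str) -> dict:
    """Collect the 802.1X-relevant settings of one 'interface' block."""
    port = {key: None for key in VALUE_PATTERNS}
    port.update({key: False for key in FLAG_PATTERNS})
    for raw in text.splitlines():
        line = raw.strip()
        for key, pattern in VALUE_PATTERNS.items():
            match = re.fullmatch(pattern, line)
            if match:
                port[key] = match.group(1)
        for key, pattern in FLAG_PATTERNS.items():
            if re.fullmatch(pattern, line):
                port[key] = True
    if port["host_mode"] is None:
        port["host_mode"] = "single-host"   # IOS default when no host-mode line is set
    return port


def review_port(port: dict) -> list:
    """Findings a reviewer would raise for a phone + PC port."""
    findings = []
    if port["port_control"] != "auto":
        findings.append("802.1X is not enforced: no 'port-control auto'")
    if port["host_mode"] == "multi-host":
        findings.append("multi-host: once one host authenticates, every MAC behind the "
                        "phone is allowed; multi-domain authenticates phone and PC separately")
    elif port["host_mode"] == "single-host" and port["voice_vlan"]:
        findings.append("single-host with a voice VLAN: one authenticated MAC only; a phone "
                        "the switch cannot identify via CDP competes with the PC for that slot")
    if port["open"]:
        findings.append("authentication open: traffic passes before authentication, limited "
                        f"only by the pre-auth ACL {port['pre_auth_acl'] or '(none configured)'}")
    if port["guest_vlan"]:
        findings.append(f"guest-vlan {port['guest_vlan']}: hosts that never send EAPOL land "
                        "there without authenticating")
    if not port["reauth"]:
        findings.append("no periodic re-authentication: a stale session ends only on "
                        "link-down or EAPOL-Logoff")
    return findings


if __name__ == "__main__":
    for text in (CONFIG_2950, CONFIG_3560, CONFIG_ISE):
        port = parse_port(text)
        print(port["interface"], "host-mode:", port["host_mode"])
        for finding in review_port(port):
            print("  -", finding)
```

Run as-is it prints one block per interface; to audit a real switch, paste each `show run interface` block into `parse_port`. The findings are deliberately descriptive rather than pass/fail: `authentication open` with a pre-auth ACL is a legitimate low-impact design, and `multi-host` may be acceptable on a port that never carries a PC, so the reviewer decides.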

  • 802.1x (DOT1x) and Cisco Clean Access 3140

    Hi,
    We have about 300 remote sites and would like to implement an authentication mechanism to authenticate end-devices (Windows PCs) before allowing access to the network. We thought we could implement DOT1x on our Cisco 2960, 3750 and 4500 series switches and send the "PC-switch" access requests to our centrally located Cisco Clean Access 3140 NAC servers back at the HQ sites. We understand the NAC servers will be used to authenticate (among other things) the end-users' workstations to ensure each workstation is a company-owned PC and all the security parameters are installed and up to date. -RIGHT?
    Can the Cisco Clean Access 3140 server perform the Authentication security checks from the 802.1x (DOT1x) enabled switches?
    Does the Cisco Clean Access 3140 server have to be inline (on the users subnet) and/or be centrally located?
    Is the Cisco Clean Access 3140 still usable?
    Thanks
    Frank

    Unfortunately, because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice VLANs on each phone, but that could get tedious depending on the number of phones.
    I believe there is a DHCP option you can pass back that indicates the phone should be running on VLAN 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
    Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The RADIUS server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate VLAN if configured correctly.
    What are you using for a RADIUS server?

  • VPN Site-to-Site or VPN Client Server with Cisco IP Phone 8941 and 8945

    Hi everyone,
    I have decided to deploy a CUCM (BE6K platform), SX20, and IP Phone 8941/8945 at the Head Office, and Cisco SX10 and IP Phone 8941/8945 at the branch offices (actually 9 branch offices).
    The connection will use an internet connection for the HO and each branch office.
    And the IT guy wants to use some kind of VPN client-server or VPN site-to-site for the connection through the internet,
    what kind of VPN client-server or VPN site-to-site is recommended for this deployment?
    and what type of Cisco router supports that kind of VPN (the cheapest one would be great)?
    So the SX10 and IP Phone 8941/8945 in the branch offices can work properly through the internet connection?
    Please advise.
    Regards,
    Ovindo

    Hi Leo,
    technically, the ipsec users will not use up any premium license seats, so if you have 10 ipsec users connecting first, the premium seats are still free and so you can then still have 10 phones/anyconnect users connect.
    However, the 250 you mention is the global platform limit, so it refers to the sum of premium and non-premium connections. Or in other words, you can have 240 ipsec users and 10 phones,  but not 250 ipsec users and 10 phones.
    If 250 ipsec users and 10 phones would try to connect, it would be first-in, first-served, e.g. you could have 248 ipsec users and 2 phones connected.
    Note: since you have Essentials disabled I'm assuming you are referring to the legacy "Cisco vpnclient" (IKEv1 client) which does not require any license on the ASA. But for the benefit of others reading this thread: if  you do have Anyconnect clients (using SSL or IPsec/IKEv2) for which you currently have an Essentials license, then note that the Essentials and Premium license cannot co-exist. So for e.g. 240 Anyconnect users and no phones, you can use Essentials. For 240 Anyconnect users and 10 phones, you need a 250-seat Premium license (and a vpn phone license).
    hth
    Herbert

  • Transfer VOIP Calls Between Cisco Desk Phone and Cisco Jabber For IPhone 9.5

    Does anyone know how to transfer an active VoIP call from a Cisco IP Desk Phone to Cisco Jabber for iPhone?  I can transfer a call from Cisco Jabber for iPhone to my Cisco IP Desk Phone no problem.  I put the call on hold and then click "Resume" on my Cisco IP Desk Phone.  However I cannot do the same the other way around.  If I put the call on hold on my Cisco IP Desk Phone, I see "no active call" on my Jabber client.  The only information I could find slightly relevant was using the Mobility Key/Remote Destination Profile feature; however this defeats the object, as this will forward to an external number, e.g. mobile, and I just want to transfer the call within the VoIP environment between the two devices that are using the same directory number.
    I am using Cisco Call Manager 9.1(2), Cisco Presence 9.1 and Cisco Jabber for IPhone 9.5.
    Any help would be greatly appreciated.
    Kind Regards,
    Paul Parker.

    Did you ever find an answer to this ?
    I am seeing the same behavior and trying so see if I can put calls on hold and pick them up both ways also.
    The only answer I seem to have found is to use park instead
    That would/should work but I would just prefer to hold/unhold
    Just not sure why we would not be able to hold/unhold on what is essentially a "shared" line
    Does anyone have this working for them ?

  • Using 802.1X and non-Cisco IP Phones

    Hi there,
    Having some questions about an 802.1x/non-Cisco ip phone setup and was hoping to find some answers/user-experience with this setup.
    Main questions i'm facing:
    1) When using non-Cisco IP phones (e.g. Nortel or Siemens) and a previously authorized client connected behind this IP phone gets disconnected, what will this action do to the authorized state of 802.1X on the switch port? Will it stay authorized until the reauth timer expires, or does it reject communication from any other device?
    2) What about EAPOL-Logoff messages from the ip phone to the switch. Are these only used by Cisco phones when they experience a link-status change on data ports?
    Thanks for sharing your thoughts

    Overall, you need to try and deal with the fact that a machine can disappear from the network and the network may not know about it directly (i.e. the link doesn't go down).
    I have no idea what other phones do, but Cisco phones send an EAPOL-Logoff when something is unplugged. This lets the switch know directly, and the 1X session is torn down immediately, closing what would be a security hole.
    Fundamentally, re-auth is a workaround only, and this is not the reason to enable re-auth to begin with.
    If your phone doesn't send an EAPOL-Logoff in this case, the switch might be left thinking an attack is underway when someone else tries to plug in (with presumably a different MAC). You do NOT want this to occur.
    Hope this helps,
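
As an added illustration of the behaviour this reply describes (not code from the thread or from Cisco), the following Python model shows why the proxy EAPOL-Logoff matters. A toy authenticator port keeps a PC's session authorized until the re-auth timer expires unless a Logoff arrives, and the next device that appears on the phone's PC port either rides that stale session (multi-host) or trips a security violation (single-host), which is exactly the "attack is underway" confusion the reply warns about. The EAPOL frame layout and type codes follow IEEE 802.1X; the session bookkeeping, the MAC addresses and the assumption that the phone's proxy Logoff carries the PC's MAC as source address are simplifications made here.

```python
# Toy IEEE 802.1X authenticator port, written for this thread as an added
# illustration (not Cisco code). Frame layout and EAPOL type codes follow
# 802.1X; session bookkeeping, MAC addresses and the assumption that the
# phone's proxy EAPOL-Logoff carries the PC's MAC as source are simplifications.
import struct
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # 802.1X PAE group destination
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2


def build_eapol(src_mac: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet frame carrying one EAPOL PDU (protocol version 1)."""
    return (PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 1, eapol_type, len(body)) + body)


def build_data(src_mac: bytes) -> bytes:
    """Ordinary (non-EAPOL) broadcast frame with an empty IPv4 payload."""
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4)


def parse_eapol(frame: bytes):
    """Return (src_mac, eapol_type, body) for an EAPOL frame, None otherwise."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    if version not in (1, 2, 3) or len(frame) < 18 + length:
        return None
    return frame[6:12], eapol_type, frame[18:18 + length]


@dataclass
class AuthenticatorPort:
    host_mode: str                  # "single-host" or "multi-host"
    reauth_period: int = 3600       # seconds, like 'dot1x timeout reauth-period'
    sessions: dict = field(default_factory=dict)   # authorized MAC -> expiry time

    def handle(self, frame: bytes, now: int) -> str:
        src = frame[6:12]
        parsed = parse_eapol(frame)
        if parsed is None:
            return self._data_frame(src, now)
        _, eapol_type, _ = parsed
        if eapol_type == EAPOL_START:
            # The EAP/RADIUS exchange is out of scope here: assume it succeeds.
            self.sessions[src] = now + self.reauth_period
            return "authorized"
        if eapol_type == EAPOL_LOGOFF:
            if self.sessions.pop(src, None) is None:
                return "logoff: no session"
            return "logoff: session torn down"
        return "eap-packet"

    def _data_frame(self, src: bytes, now: int) -> str:
        # Sessions past their re-auth time are dropped; the host must authenticate again.
        for mac in [m for m, expiry in self.sessions.items() if expiry <= now]:
            del self.sessions[mac]
        if src in self.sessions:
            return "forwarded"
        if not self.sessions:
            return "dropped: unauthenticated"
        if self.host_mode == "multi-host":
            return "forwarded: piggybacked on another host's session"
        return "violation: second MAC on single-host port"


def pc_unplugged_scenario(host_mode: str, phone_sends_logoff: bool) -> list:
    """A PC authenticates behind the phone, is unplugged, another device takes its place."""
    port = AuthenticatorPort(host_mode=host_mode, reauth_period=30)
    pc = bytes.fromhex("001122334455")            # constructed MAC addresses
    newcomer = bytes.fromhex("0066778899aa")
    log = [port.handle(build_eapol(pc, EAPOL_START), now=0),
           port.handle(build_data(pc), now=5)]
    if phone_sends_logoff:
        # Phone sees link-down on its PC port and sends EAPOL-Logoff on the PC's behalf.
        log.append(port.handle(build_eapol(pc, EAPOL_LOGOFF), now=10))
    log.append(port.handle(build_data(newcomer), now=11))
    return log


def reauth_only_closes_window_later(host_mode: str = "multi-host") -> tuple:
    """Without a Logoff, only the re-auth timer ends the stale session."""
    port = AuthenticatorPort(host_mode=host_mode, reauth_period=30)
    pc, newcomer = bytes.fromhex("001122334455"), bytes.fromhex("0066778899aa")
    port.handle(build_eapol(pc, EAPOL_START), now=0)
    return (port.handle(build_data(newcomer), now=29),   # inside the window
            port.handle(build_data(newcomer), now=31))   # after expiry


if __name__ == "__main__":
    for mode in ("single-host", "multi-host"):
        for logoff in (True, False):
            print(f"{mode:12} logoff={logoff!s:5} -> {pc_unplugged_scenario(mode, logoff)}")
    print("multi-host, no logoff, before/after re-auth:", reauth_only_closes_window_later())
```

The two helper scenarios make the trade-off concrete: with the Logoff, the newcomer is simply unauthenticated and must do its own EAP; without it, a 30-second re-auth period still leaves a 30-second window, and a production value measured in hours leaves a correspondingly larger one.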

  • Cisco spa502G and spa525G ip phones hang

    Hi,
    Our company has Cisco SPA502G and SPA525G IP phones. The problem is that sometimes they hang and freeze.
    After that it takes 2 or 3 restarts to work. Sometimes when dialing it shows service unavailable.
    Current firmware for the SPA502G is 7.4.9c.
    Note: I need a stable firmware series for both these phones. It's urgent because the SPA525G is used in reception.
    When calling outside it can't connect.

    We have no problem with the latest firmware (deployed on several hundred phones).
    Issues can be caused either by particular configuration or by network attacks.
    Regarding network attacks:
    The phone should be accessible by the PBX only. It should not be accessible from the public Internet. It is better not to be accessible even from the company's internal computers. So configure your network infrastructure (including the firewall) accordingly.
    There is no firmware that can survive a network attack from either the public Internet or from internal sources (including infected internal computers, curious local users or technicians, ...).
    Regarding particular configuration:
    Turn on debug and syslog messages and capture them. It may help you to analyze the issue.

  • SD208P PoE and Pre-Standard Cisco IP Phones (eg. 7960)

    Well, I've been learning the eccentricities of Cisco's product lines the hard way!  Here's my situation:
    I've taken over for an office that has a hosted Cisco IP phone system using a variety of what seem to be older Cisco phones (the one at my desk is a 7960) these are normally powered by the PoE that gets delivered by some Cisco Catalyst 3750X switches.  Our office has grown to the point where we've had to place a few people into some semi-jury rigged seats in areas with limited network drops.  As a result I need to do something creative to get phones over there.
    I first went out and purchased a small 8 port switch with 4 PoE ports on it from a competitor and this was where I discovered that the models of Cisco phones I had needed something generally referred to as Cisco Pre-Standard PoE (or some variation on that theme).  I returned the switch and after doing some research decided to buy a Cisco SD208P switch, which a few messages out on the Interwebs led me to believe should be able to power the switch (possibly a firmware upgrade would be needed).
    So I got the switch today, and plugged my phone into it and... nothing.  No signs of life on the phone.  (And nothing as simple as plugging it into one of the non-PoE ports on the switch).  I went online to try and find a firmware update, and couldn't find anything.  It's also an unmanaged switch, so I'm not even sure how I'd update firmware on it if I wanted to (and there's nothing in the manual).
    I went back and double-checked some of  the sources that may have led me to believe that this would work and I found what turned out to mostly be people recommending this as a possible option, but not strictly saying it worked for them.  I found one person saying it worked for some Cisco phones, but he didn't specifically say they were prestandard ones.  Lastly, there is mention of 200 and 300 series switches being firmware upgradable to support prestandard PoE, but from looking around Cisco's site I'm not 100% sure that this switch is actually part of the 200 series despite the number in the name.  It seems to show up in a Small Business Unmanaged Switch category online rather than in any proper series.
    So, the question is - have I just missed something somewhere?  Is there any hope for me?  Or do I have to send this back and go for something else?  If so, what's recommended?  Preferably something in that price range, or we might just give in and... gasp... buy power supplies.
    Thanks,
    Chris.

    Hi Chris,
         The SD208P is an unmanaged switch that does not have any web interface, and you will not be able to upgrade the firmware on this switch. The unmanaged switch that you have gotten will only support the 802.3af PoE standard and does not support the Cisco pre-standard. Also, you did mention the 200 and 300 series switches, which are managed switches, and with the latest firmware of 1.1.2.0 you will be able to power up your 7960 phones. The models are called SF200, SF300, SG200, and SG300. Please make sure to get the models with the letter "P" for PoE. For example, you can get the SF300-24P. I hope this information is helpful.
    Thanks,
    Brian Ng

  • Recording for Cisco IP Phones and Cisco C90 Codec

    Hello
    We are looking for a solution that is capable to record both Cisco IP Phones and Cisco Codec C90.
    We are using CUCM 9.X for IP Phones and VCS 7.X for Cisco Codecs.
    Is there any third-party solution available for both requirements, or do I have to go with TCS and another third-party recording solution?
    Thanks & Regards
    Aniket Patil

    My reply may be too late to be of any help to you, but for the benefit of others:
    Be sure you understand the different types of PoE out there. The Linksys PoE switch only supports the newer IEEE 802.3af PoE standard.
    The 7940, 7960, 7905 and other older Cisco phones only support Cisco pre-standard PoE and thus will not work with the 802.3af Linksys Switch.
    To use this switch, you will need to make sure you are using the newer 7070, 7961, 7941 phones, which support both pre-standard and 802.3af PoE.
    All the best,
    John

  • Cisco 6807 and 6800ia Switch QOS for Cisco ip phones

    Does anyone have an example of configuring a 6800ia switch port connected to a 6807VSS parent for cisco ip phones qos.  Normally we'd use auto qos voip  but auto qos is not supported on 6800IA switches.
    Can't find any Cisco documentation of what the IA switch port config should look like for a Cisco IP phone.
    Any help would be appreciated.
    Thanks,
    Dave

    I'd leave QoS alone.

  • Dot1x authentication - Switch 3650 / Polycom phone 430

    Hi,
    I have a switch 3650 with the IP base image IOS 12.2(25) SEE3, a polycom phone SoundPoint IP 430 SIP, A radius server IAS 2003 and a Windows XP PC.
    I enabled the Windows XP PC for wired authentication (started the Wired AutoConfig service, added the registry entries AuthMode and SupplicantMode, chose Enable IEEE 802.1x authentication with PEAP, then secured password EAP-MSCHAP-v2).
    I configured the RADIUS server for ethernet authentication and domain users. In the profile I choose Eap, mschap v2
    The port configuration of the switch is as following:
    Switch#sh run int fa0/1
    Building configuration...
    Current configuration : 590 bytes
    interface FastEthernet0/1
     switchport access vlan 121
     switchport mode access
     switchport voice vlan 155
     switchport priority extend trust
     service-policy input QoS-Policy-LAN
     speed 100
     duplex full
     spanning-tree portfast
    end
    I configured the switch as the following:
    switch(config)#dot1x system-auth-control
    Under the interface configuration mode:
    switch(config-if)#dot1x port-control auto
    switch(config-if)#dot1x pae authenticator
    switch(config-if)#dot1x host-mode multi-host
    I plugged the PC directly into the switch port, I got that additional credentials are required for the PC to connect to the network, So I put my username and password for windows and was successfully authenticated.
    Then I plugged the PC into the phone (Polycom 430) and the phone into the switch port. The network card appears to be attempting to authenticate but it doesn't prompt, and I am not able to access the network, nor am I able to use the phone. (The problem is that the authentication packets sent from the PC do not reach the switch: in the debug dot1x on the switch, comparing when I connected the PC alone and when I connected the PC and phone, the client ID trying to authenticate is different in each case. I will put the debug for both below, when it connects and when it was unable to connect.)
    I tried dot1x host-mode single-host
    I did many changes, one time with single-host and then with multi-host (each time I tried to disable/enable the network card of the PC, and make a phone call in order to generate traffic):
    First added dot1x mac-auth-bypass  - disconnected and reconnected -- didn't work(neither phone , nor PC)
    Second in addition to First , i added dot1x control-direction in   --- didn't work (neither phone , nor PC).
    Then I removed both these settings and I set:
    dot1x guest-vlan 155 where 155 is the voice vlan
    dot1x auth-fail vlan 155
    Nothing was working
    Then I added these 2 records, in addition to the dot1x mac-auth-bypass, nothing was working.
    In the attachment, I marked with blue font, where I saw the ClientID, After that state-machine record that shows the client ID, I saw that the debug output of the debug changed
    CDP is enabled on both the phone and the switch, and when I use show cdp , i see the phone connected to the port.
    Thanks
    Sayed

    One test I ran was setting the duplex to half on all switches/phone/PC.
    I brought in a small switch, connected it to the Cisco 3650 with the port configuration,
    and did two more tests:
    test1,     
         dot1x port-control auto
         dot1x authenticator pae
         dot1x host-mode multi-host
    The PC authenticated successfully and I was able to access the network as well as to make phone calls.
    Test2.
         dot1x port-control auto
         dot1x authenticator pae
         dot1x host-mode single-host
    The PC was able to authenticate and access the network, but the phone was not able to.
    The problem, I am thinking, is that the phone wants to try to authenticate, and doesn't let the authentication of the PC pass.
    I hope somebody can help me, regarding this problem
    Thanks
