Dot1x authentication - Switch 3650 / Polycom phone 430

Similar Messages

• 802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan

  Hello,
  i have tried to configure a dot1x based Authentication.
  With an single host including guest-vlan, everything works fine.
  But i want to use an IP-Phone (wich is every times authenticated) and behind the Phone an Client.
  Is there a possible solution? And unfortunately IP-Phones are Avaya-Phones.
  i have  just tried so...
  interface GigabitEthernet0/4
  switchport access vlan 121
  switchport mode access
  switchport voice vlan 200
  authentication event fail action authorize vlan 99
  authentication event server dead action authorize vlan 121
  authentication event server alive action reinitialize
  authentication host-mode multi-host
  authentication order dot1x
  authentication port-control auto
  authentication periodic
  authentication violation restrict
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 1
  spanning-tree portfast
  Thanks, for any possible solution!

  unfortunately because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the amount of phones.
  I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
  Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The raduis server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
  What are using for a radius server?

• Delay the first dot1x authentication message after a port comes up

  Cisco ISE: 1.2
  Switch IOS: 15.0.2.EX4
  Hello,
  I have configured the APs to authenticate with 802.1X via the switch.
  When I shut the port on which the AP is connected and then no shut it, the port comes up a few seconds later and the switch sends a dot1x authentication.
  I feel that the AP has not finished to boot and that's why it fails because the AP doesn't answer that authentication request.
  I was wondering if it's possible to delay the first authentication message the switch sends just after a port comes up ?
  When I use debug commands I see
  %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
  %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
  %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
  %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
  %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
  NB: you'll see exhausted all authentication methods because I only configured dot1x on the port (no mab or anything else)
  Thank you for all answers

  Hello,
  Thank you for your reply. That document is very interesting.
  I've just read the chapter regarding the profiling with APs so far and got them working properly the way they showed it.
  However I'm not a big fan of MAB and profiling. Because ISE retieves CDP informations collected through SNMP.
  - You need CDP (or LLDP) enabled and you might not want that for different reasons (Security, Interoperability...)
  - A machine could lie about its identity and pretend through CDP that it's a controller, an AP, a printer and so on.
  That's why the best option, in my opinion would be that the AP sends its credentials and ISE accept it or reject is.
  It's possible to do this with the Cisco APs
  http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99791-eapfast-wlc-rad-config.html
  I'm wondering why Cisco chooses a different EAP method for each of their devices (EAP-MD5 -> Cisco Phones, EAP-FAST -> AP)
  So in my humble opinion, the mab/profiling solution is good but not optimal.

• Dot1x, .1X and Cisco IP Phones

  Hi,
  We are busy performing dot1x tests on IP Phones. We chose the LSC approach and have generated CAPF CSRs which we have signed by our PKI infrastructure.
  Once all certificates and trust have been uploaded and when we update the CUCM CTL with the Cisco CTL client tool, we received the following error message
  “Could not get CAPF certificate(s).CAPF seems to be running on the CUCM Publisher but the certificate file(s) do not exist in the Certifiicate trust path on Server”
  We searched Neptro with an explanation on this and found that article:
  https://supportforums.cisco.com/thread/2067102
  In our setup we one issuing CA in the certification path has n key of 4096 bits. This is imposed by our Security Policy and can’t be workaround from a security policy point of view.
  We then had the CAPF CSR regenerated and had a test CA with an encryption key of only 2048 bit sign our certificate and Dot1x authentication. This worked just fine and test Ip Phones can now authenticate..
  My question is, is that a known limitation of Cisco Callmanager which is unable to handle certificates signed by a PKI in which one of the CA has a key of more that 2048 bits. Or is this a bug related to our 8.6.2.23900-10 CUCM version.
  Is there a way to bypass that limitation or a precise version of callmanager correcting it?
  THanks,
  Antoine

  You can configure the MSFT supplicant to send an EAPOL-Logoff:
  Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode -- REG_DWORD
  0: Machine authentication mode in Windows XP Client RTM. When a user logs in, if the connection has already been authenticated with Machine credentials, the user’s credentials are not used for authentication.
  1: Machine authentication with re-authentication functionality. Whenever a user logs in, 802.1X authentication is performed using the user’s-credentials.
  2: Machine authentication only – Whenever a user logs in, it has no effect on the connection. 802.1X authentication is performed using machine credentials only.
  In the wired-Ethernet case you should set (SupplicantMode = 3) AND (AuthMode = 0) AND (disable Machine-Authentication OR ensure that there are no machine credentials on the client). This will ensure that when a user logs off, an EAPOL-Logoff will be sent out. So, AFAIK, this is the bad news .. you lose machine-auth.
  Actually, stay tuned for the ability for our IP Phones to be able to do this on behalf of a PC very soon. What will happen is when an IP Phone senses EAPOL through it, it will know who the supplicant is, and what port they're on (the phone's PC port). Assuming 2 conditions above, if link to phone's PC port goes down, IP Phone will transmit EAPOL-Logoff to PC immediately (on PCs behalf).
  Hope this helps.

• ISE; machine based dot1x authentication not working

  Hi there,
  I'm currently trying out dot1x authentication with MDA. The phone is currently authenticated via MAB. I succeeded to do the same with a Win7 workstation, but now I have a problem with true dot1x auth. Whenever the client tries to authenticate to the ISE it is using the notorious "host/" prefix. I read in the ACS 5.2 user guide that there is an option to crop it. I tried to find the same feature in the ISE, but it seems there is none.
  I have the authentication policy configured to use a certificate authentication profile as identity source when the method is dot1x without any additional conditions.
  In this profile I tried several options, including the common name, subject, subject alternative name. Nothing helped.
  Does anybody have a tip on how to solve this?
  Thanks in advance

  If I understood correctly I don't need to create an external identity source when using the Certificate Authentication Profile feature.
  This is what I got from the documentation:
  "Certificate authentication profiles are used in  authentication policies for certificate-based authentications in place  of identity sources to verify the authenticity of the user."
  I intend to use machine based authentication without contacting an external identity source.
  I also ensured the root CA certificate is selected to be used for EAP-TLS authentication.
  This brings me to another question.
  If the CA issuing machine or user certificates is itself an intermediate CA do I have to install a chained certificate (intermediade CA+root CA) in the ISE or both CA certificates separately?
  Thanks in advance
  Regards,
  Patrick

• Dot1x authentication some problom

  HI
     helleo
     wo have a dot1x authentication  problom,
     When I enter the configuration of the dot1x configuration in the interface, User authentication interface into err-disable state
     Below is the interface configuration
  interface FastEthernet0/45
  switchport access vlan 21
  switchport mode access
  authentication host-mode multi-auth
  authentication port-control auto
  mab eap
  dot1x pae both
  dot1x timeout quiet-period 3
  dot1x timeout tx-period 5
  spanning-tree portfast
  Switch authentication failed log
  n  4 16:52:16.381: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:52:16.381: %AUTHMGR-5-START: Starting 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:52:16.423: %MAB-5-FAIL: Authentication failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:52:16.423: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:52:16.423: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:52:16.423: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:52:16.423: %AUTHMGR-5-FAIL: Authorization failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:53:17.165: %AUTHMGR-5-START: Starting 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:53:21.376: %DOT1X-5-SUCCESS: Authentication successful for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID
  Jun  4 16:53:21.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:53:21.376: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 2c41.380f.f187 on Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:53:21.376: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID  0A51F11D000000266273D33D
  Jun  4 16:53:21.376: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state
  Jun  4 16:53:22.400: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/45, changed state to downn  4 16:52:16.381: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:52:16.381: %AUTHMGR-5-START: Starting 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:52:16.423: %MAB-5-FAIL: Authentication failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:52:16.423: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:52:16.423: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:52:16.423: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:52:16.423: %AUTHMGR-5-FAIL: Authorization failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:53:17.165: %AUTHMGR-5-START: Starting 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:53:21.376: %DOT1X-5-SUCCESS: Authentication successful for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID
  Jun  4 16:53:21.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:53:21.376: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 2c41.380f.f187 on Fa0/45 AuditSessionID 0A51F11D000000266273D33D
  Jun  4 16:53:21.376: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID  0A51F11D000000266273D33D
  Jun  4 16:53:21.376: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state
  Jun  4 16:53:22.400: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/45, changed state to down

  AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID 0A51F11D000000266273D33D
  Interface host mode limits the number of hosts that can be attached to an interface. The limit was exceeded and caused a security violation. The interface is error disabled.
  Therefore what NAJAF has said, could be one reason, or the your CAM table is full, so try clear mac address-table command and clear port-security command if address is secured on a port.

• Why do I have to switch from Windows Phone to Andr...

  Why do I have to switch from Windows Phone to Android?
  [September 30, 2014]
  This year all my friends with Windows Phone (WP) had switched to Android. Why? The Apps. I continued with WP until now because the OS is very cool (particularly the 8.1 desktop) and because I love Nokia Phones. And the new 830 and 930 models look great.
  But I will buy a new Fuji X30 Camera, I need the Wifi remote app for some shoots,  I have no choice
  Now, I will give a list of reasons my friends left WP because lack or applications, maybe somebody at Microsoft is listening and can revert this tendency.
  1. Bank Applications (Bancolombia APP)
  2. Giro D’Italia app from La gazzetta dello sport.
  3. Stereopinic Concert app.
  4. General Motors - Chevrolet navigation/location app.
  Another annoying thing with Nokia phones in emerging markets is they don’t distribute all the accessories (headphones, wireless chargers, cases), so you have to buy them from another country make them expensive. I even met three months ago the commercial leader for Nokia here in Colombia, a group of people mentioned this, but nothing has changed since then. The updates came very late and right now I’m not able to use Cortana
  I hope Microsoft starts investing hard on apps and identify that little temporal applications for just one week or month (sport events/concerts) and start to create mechanisms to get things done. They just can’t waste the 6’000.000 consumers in US and the 10% share market in some countries in Europe and in emerging markets.

  I don't endorse any mobile phone brand nor receive any free stuff from them. Neither did I advertise anything. It was rather a recommendation if the starter of this thread would like ot purchase an Android phone. Censorship won't help to sell any more Lumia phones.
  I cannot blame anybody who's about to purchase an Android phone. Being a Windows Mobile & Phone user since 2006 I've seen those strategic mistakes Microsoft has made when the 1st and the 2nd generation of Windows Phones were released (the price of developer account etc. etc.). It's very hard to mend those things afterwards but I sincerely hope it won't be impossible.
  I'm blessed that I live in FInland because Nokia has always been considered as a Finnish mobile brand and therefore there are all those (well, almost all) necessary apps available for Windows Phone. IMO the best Nokia app has been Here Transit. I really don't need Here Drive+ because they don't bother to include speed cams and line assistance to their app. Just take a look at Navigation Europe and there you have the best possible navigation app for Windows Phone. Waze is also great and it's free. Hmm, I guess that sentence will be censored because I recommended something
  I've been quite pleased with the latest Windows Phones. They haven't crashed like my Dell Venue Pro did (first Windows Phone ever) or like my Android phone, tablet and TV box. But in order to increase the market share  of Windows Phones there are two ways:
  1) good (amount of) apps, great hardware and/or
  2) double booting phone where it's possible to choose whether to boot to Android or to Windows Phone. I'd love to have that kinda phone with the goods described in 1)
  Moderator's Note: Discussing or complaining about moderator actions on the forum is not allowed. If you feel that your posts have been moderated unfairly, please contact our Community Manager via private message.

• The iphone has been acting weird. my iphone doesnt charge whenever it is switched On. When I switch OFF the phone, it charges for 2 mins then comes back On and stops charging. I dont know what the problem is. trust me, the problem isnt from d charger

  the iphone has been acting weird. my iphone doesnt charge whenever it is switched On. When I switch OFF the phone, it charges for 2 mins then comes back On and stops charging. I dont know what the problem is. trust me, the problem isnt from d charger. PLS anyone with any solution

  @wetdro
  If your device has been jailbroken during the warranty, Apple will not service it.
  Maybe you missed that in this article:
  Inability to apply future software updates: Some unauthorized modifications have caused damage to iOS that is not repairable. This can result in the hacked iPhone, iPad, or iPod touch becoming permanently inoperable when a future Apple-supplied iOS update is installed.
  Apple strongly cautions against installing any software that hacks iOS. It is also important to note that unauthorized modification of iOS is a violation of the iOS end-user software license agreement and because of this, Apple may deny service for an iPhone, iPad, or iPod touch that has installed any unauthorized software.
  copied from Unauthorized modification of iOS can cause security vulnerabilities, instability, shortened battery life, and other issu…

• How do I switch on my phone back when my lock button is spoilt?

  My lock button isn't working for a few months already. I'm afraid my phone battery would died & I won't be able to switch it on back. Is there a solution for me to switch on my phone back when my lock button is spoilt? Other than changing to a new phone or send it for service.

  When your battery dies just connec it to your PC through data cable. It will turn on.
  You can also use Accessibility Shortcut once your device is on to lessen the use oh HOME as well as POWER button.
  Settings>General>Accessibility>Assistive Touch> Turn it on.
  You will have a small app like icon on the screen which can move freely throught the screen.
  It helps a lot trust me.

• How do i switch information and phone number when they both say no service

  how do i switch information and phone number when they both say no service

  Please re-phrase the question. This doesn't make a lot of sense.

• I do this after this instruction .. . when i switched on the phone first ask the language when i select english after ask region when i select silanka after it last menu is in the choose network ,connect to itunes menu|? iPhone 4S

  i do this after this instruction .. . when i switched on the phone first ask the language when i select english after ask region when i select silanka after it last menu is in the choose network ,connect to itunes menu|?
  iPhone 4S

  when i connect to the phone to pc the msg says    . .."
  There is no SIM card installed in the iPhone you are attempting to activate.
  Please disconnect and insert a SIM card in the iPhone.

• I bought  new iphone 5s locked  after i unlocked my iphone5s . when I switch on my phone it says enter your apple id but i forgot my icloud username. I cant access anything in my iphone. please help me? what shall i do .

  I bought  new iphone 5s locked  after i unlocked my iphone5s . when I switch on my phone it says enter your apple id but i forgot my icloud username. I cant access anything in my iphone. please help me? what shall i do .

  kitan47 wrote:
  I bought  new iphone 5s locked  after i unlocked my iphone5s
  Was it Officially Unlocked by the Carrier it was locked to...?
  If so... who is the carrier..?

• Question about lock switch for smart phones

  i would like to ask about the lock switch for smart phones like Nokia 5800 Xpressmusic or Nokia 5230.
  Will the lock switch loosen if we always slide to unlock it?

  i used my 5800 for 11 months and it didn't happen at all
  -you can show appreciation to my posts if it helped or useful by pressing the green Kudo star beside my post that hepled
  -if my answer was the solution , so click accept as solution button
  Started From Nokia 3310 , Now with Nokia N97 v.22.0.110 + N900 PR1.2

• I am not able to install apps from the Appstore in Iphone 5c. I tried to switch off my phone and switch it on again. But it still doesnt work

  I am not able to install apps from the Appstore in Iphone 5c. I tried to switch off my phone and switch it on again. But it still doesnt work

  Hello stuti1200
  Check out the troubleshooting article below for issues with access to the iTunes Store. Also there was a small amount of outage accessing the iTunes Store this past Wednesday.
  Can't connect to the iTunes Store
  http://support.apple.com/kb/TS1368
  Apple Services, Stores, and iCloud
  http://www.apple.com/support/systemstatus/
  Thanks for using Apple Support Communities.
  Regards,
  -Norm G.

• Can I switch my go phone iPhone 4 to an iPhone 6 witch already has a SIM card that isn't in use?

  Can I switch my go phone iPhone 4 to an iPhone 6 witch already has a SIM card that isn't in use? Or do I have to buy a whole new go phone SIM card to fit the iPhone 6

  Only if the SIM is a gophone SIM. If it is not a gophone sim, it will not work on gophone system. Go to a corporate store and they will give you the proper SIM to use on gophone service.