Dot1x authentication - Switch 3650 / Polycom phone 430
Hi,
I have a 3650 switch with the IP Base image IOS 12.2(25)SEE3, a Polycom SoundPoint IP 430 SIP phone, a RADIUS server (IAS 2003) and a Windows XP PC.
I enabled the Windows XP PC for wired authentication (started the Wired AutoConfig service, added the registry entries AuthMode and SupplicantMode, chose Enable IEEE 802.1X authentication with PEAP, then Secured password EAP-MSCHAP-v2).
I configured the RADIUS server for Ethernet authentication and domain users. In the profile I chose EAP, MSCHAP v2.
The port configuration of the switch is as follows:
Switch#sh run int fa0/1
Building configuration...
Current configuration : 590 bytes
interface FastEthernet0/1
switchport access vlan 121
switchport mode access
switchport voice vlan 155
switchport priority extend trust
service-policy input QoS-Policy-LAN
speed 100
duplex full
spanning-tree portfast
end
I configured the switch as follows:
switch(config)#dot1x system-auth-control
Under the interface configuration mode:
switch(config-if)#dot1x port-control auto
switch(config-if)#dot1x pae authenticator
switch(config-if)#dot1x host-mode multi-host
I plugged the PC directly into the switch port and got a prompt that additional credentials are required for the PC to connect to the network, so I entered my Windows username and password and was successfully authenticated.
Then I plugged the PC into the phone (Polycom 430) and the phone into the switch port. The network card appears to be attempting to authenticate but it doesn't prompt, and I am not able to access the network, nor am I able to use the phone. (The problem is that the authentication packets sent from the PC do not reach the switch; as I see in the debug dot1x output on the switch, comparing when I connected the PC alone and when I connected the PC and phone, the client ID trying to authenticate is different in each case. I will put the debug for both below, when it connects and when it was unable to connect.)
I tried dot1x host-mode single-host.
I made many changes, one time with single-host and then with multi-host (each time I tried to disable/enable the network card of the PC and make a phone call in order to generate traffic):
First, I added dot1x mac-auth-bypass, disconnected and reconnected; it didn't work (neither phone nor PC).
Second, in addition to the first, I added dot1x control-direction in; it didn't work (neither phone nor PC).
Then I removed both these settings and I set:
dot1x guest-vlan 155 (where 155 is the voice VLAN)
dot1x auth-fail vlan 155
Nothing was working.
Then I added these 2 records in addition to the dot1x mac-auth-bypass; nothing was working.
In the attachment, I marked in blue font where I saw the ClientID. After the state-machine record that shows the client ID, I saw that the debug output changed.
CDP is enabled on both the phone and the switch, and when I use show cdp, I see the phone connected to the port.
Thanks
Sayed
One test I ran was setting the duplex to half on all switches/phone/PC.
I brought a small switch, connected it to the Cisco 3650 with the port configuration,
and I did two more tests:
test1,
dot1x port-control auto
dot1x pae authenticator
dot1x host-mode multi-host
The PC authenticated successfully and I was able to access the network as well as to make phone calls.
Test2.
dot1x port-control auto
dot1x pae authenticator
dot1x host-mode single-host
The PC was able to authenticate and access the network, but the phone was not able to.
The problem, I am thinking, is that the phone wants to try to authenticate and doesn't let the authentication of the PC pass.
I hope somebody can help me regarding this problem.
Thanks
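The tests above differ only in the host mode, and the outcome differs because each host mode answers a different question once one endpoint has authenticated. The following Python model is an added example, not code from the original post or from Cisco IOS; it encodes the documented host-mode rules in simplified form (single-host, multi-host, multi-domain, multi-auth), assumes the PC can complete 802.1X and the phone cannot, and deliberately does not model the CDP voice-VLAN bypass of older IOS releases. All MAC addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    mac: str
    domain: str           # "data" or "voice"
    authenticates: bool   # can this endpoint complete 802.1X (or MAB) on its own?


@dataclass
class PortDecision:
    authorized: list = field(default_factory=list)
    denied: list = field(default_factory=list)
    violation: bool = False   # would the switch raise a security violation?


def authorize_port(host_mode: str, hosts: list) -> PortDecision:
    """Simplified model of Cisco 802.1X host-mode rules (not the IOS implementation).

    Hosts are processed in the order their MACs are learned on the port (an assumption).
      single-host  : one MAC only; it must authenticate, any further MAC is a violation
      multi-host   : once one host authenticates, every other MAC is admitted unauthenticated
      multi-domain : one data + one voice host, each must authenticate itself
      multi-auth   : one voice + any number of data hosts, each must authenticate itself
    """
    d = PortDecision()
    if host_mode == "single-host":
        for i, h in enumerate(hosts):
            if i == 0 and h.authenticates:
                d.authorized.append(h.mac)
            else:
                d.denied.append(h.mac)
                d.violation = d.violation or i > 0
        return d
    if host_mode == "multi-host":
        if any(h.authenticates for h in hosts):
            d.authorized = [h.mac for h in hosts]   # piggybacking: nobody else is checked
        else:
            d.denied = [h.mac for h in hosts]
        return d
    if host_mode in ("multi-domain", "multi-auth"):
        data_limit = 1 if host_mode == "multi-domain" else None   # None = unlimited
        seen = {"data": 0, "voice": 0}
        for h in hosts:
            seen[h.domain] += 1
            limit = 1 if h.domain == "voice" else data_limit
            if limit is not None and seen[h.domain] > limit:
                d.denied.append(h.mac)
                d.violation = True
            elif h.authenticates:
                d.authorized.append(h.mac)
            else:
                d.denied.append(h.mac)
        return d
    raise ValueError(f"unknown host mode: {host_mode}")


# Constructed scenario: a PC that does 802.1X, a phone that does not, and a third,
# unknown device that does not authenticate either. MACs are made up.
PC = Host("0011.2233.4455", "data", True)
PHONE = Host("0004.f2aa.bbcc", "voice", False)
UNKNOWN = Host("00aa.bbcc.ddee", "data", False)
SCENARIO = [PC, PHONE, UNKNOWN]


def compare_modes(hosts=SCENARIO):
    """Return {host_mode: (authorized MACs, violation flag)} for one set of hosts."""
    out = {}
    for mode in ("single-host", "multi-host", "multi-domain", "multi-auth"):
        dec = authorize_port(mode, hosts)
        out[mode] = (tuple(dec.authorized), dec.violation)
    return out


if __name__ == "__main__":
    for mode, (ok, viol) in compare_modes().items():
        print(f"{mode:13s} authorized={list(ok)} violation={viol}")
```

Running the model on the scenario reproduces the shape of test1 and test2: multi-host admits the phone (and anything else behind it) as soon as the PC authenticates, while single-host treats the second MAC as a violation. The multi-domain and multi-auth rows show why a phone that cannot authenticate itself still needs MAB or a certificate before it is admitted, and why multi-host is the mode to avoid on ports where unknown devices can be attached.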
Similar Messages
-
802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan
Hello,
I have tried to configure a dot1x based authentication.
With a single host including guest-vlan, everything works fine.
But I want to use an IP phone (which is authenticated every time) and behind the phone a client.
Is there a possible solution? And unfortunately the IP phones are Avaya phones.
I have just tried this...
interface GigabitEthernet0/4
switchport access vlan 121
switchport mode access
switchport voice vlan 200
authentication event fail action authorize vlan 99
authentication event server dead action authorize vlan 121
authentication event server alive action reinitialize
authentication host-mode multi-host
authentication order dot1x
authentication port-control auto
authentication periodic
authentication violation restrict
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 1
spanning-tree portfast
Thanks, for any possible solution!
Unfortunately, because they are Avaya phones, the easy answer, CDP bypass, fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice VLANs on each phone, but that could get tedious depending on the number of phones.
I believe there is a DHCP option you can pass back that indicates the phone should be running on VLAN 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The RADIUS server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate VLAN if configured correctly.
What are you using for a RADIUS server?
-
Delay the first dot1x authentication message after a port comes up
Cisco ISE: 1.2
Switch IOS: 15.0.2.EX4
Hello,
I have configured the APs to authenticate with 802.1X via the switch.
When I shut the port on which the AP is connected and then no shut it, the port comes up a few seconds later and the switch sends a dot1x authentication.
I feel that the AP has not finished booting and that's why it fails, because the AP doesn't answer that authentication request.
I was wondering if it's possible to delay the first authentication message the switch sends just after a port comes up?
When I use debug commands I see
%DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
NB: you'll see "exhausted all authentication methods" because I only configured dot1x on the port (no MAB or anything else).
Thank you for all answers
Hello,
Thank you for your reply. That document is very interesting.
I've just read the chapter regarding the profiling with APs so far and got them working properly the way they showed it.
However, I'm not a big fan of MAB and profiling, because ISE retrieves CDP information collected through SNMP.
- You need CDP (or LLDP) enabled and you might not want that for different reasons (security, interoperability...)
- A machine could lie about its identity and pretend through CDP that it's a controller, an AP, a printer and so on.
That's why the best option, in my opinion, would be that the AP sends its credentials and ISE accepts or rejects it.
It's possible to do this with the Cisco APs:
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99791-eapfast-wlc-rad-config.html
I'm wondering why Cisco chooses a different EAP method for each of their devices (EAP-MD5 -> Cisco Phones, EAP-FAST -> AP)
So in my humble opinion, the mab/profiling solution is good but not optimal. -
Dot1x, .1X and Cisco IP Phones
Hi,
We are busy performing dot1x tests on IP phones. We chose the LSC approach and have generated CAPF CSRs which we have had signed by our PKI infrastructure.
Once all certificates and trust have been uploaded and when we update the CUCM CTL with the Cisco CTL client tool, we receive the following error message:
"Could not get CAPF certificate(s). CAPF seems to be running on the CUCM Publisher but the certificate file(s) do not exist in the Certificate trust path on Server"
We searched NetPro for an explanation of this and found this article:
https://supportforums.cisco.com/thread/2067102
In our setup, one issuing CA in the certification path has a key of 4096 bits. This is imposed by our security policy and can't be worked around from a security policy point of view.
We then had the CAPF CSR regenerated and had a test CA with an encryption key of only 2048 bits sign our certificate, and tested dot1x authentication. This worked just fine and test IP phones can now authenticate.
My question is: is that a known limitation of Cisco CallManager, which is unable to handle certificates signed by a PKI in which one of the CAs has a key of more than 2048 bits? Or is this a bug related to our 8.6.2.23900-10 CUCM version?
Is there a way to bypass that limitation, or a precise version of CallManager correcting it?
Thanks,
Antoine
You can configure the MSFT supplicant to send an EAPOL-Logoff:
Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode -- REG_DWORD
0: Machine authentication mode as in Windows XP Client RTM. When a user logs in, if the connection has already been authenticated with machine credentials, the user's credentials are not used for authentication.
1: Machine authentication with re-authentication functionality. Whenever a user logs in, 802.1X authentication is performed using the user's credentials.
2: Machine authentication only. Whenever a user logs in, it has no effect on the connection. 802.1X authentication is performed using machine credentials only.
In the wired Ethernet case you should set (SupplicantMode = 3) AND (AuthMode = 0) AND (disable machine authentication OR ensure that there are no machine credentials on the client). This will ensure that when a user logs off, an EAPOL-Logoff will be sent out. So, AFAIK, this is the bad news: you lose machine auth.
Actually, stay tuned for the ability for our IP phones to be able to do this on behalf of a PC very soon. What will happen is, when an IP phone senses EAPOL through it, it will know who the supplicant is and what port they're on (the phone's PC port). Assuming the 2 conditions above, if the link to the phone's PC port goes down, the IP phone will transmit an EAPOL-Logoff to the PC immediately (on the PC's behalf).
Hope this helps. -
ISE; machine based dot1x authentication not working
Hi there,
I'm currently trying out dot1x authentication with MDA. The phone is currently authenticated via MAB. I succeeded in doing the same with a Win7 workstation, but now I have a problem with true dot1x auth. Whenever the client tries to authenticate to the ISE it is using the notorious "host/" prefix. I read in the ACS 5.2 user guide that there is an option to crop it. I tried to find the same feature in the ISE, but it seems there is none.
I have the authentication policy configured to use a certificate authentication profile as identity source when the method is dot1x without any additional conditions.
In this profile I tried several options, including the common name, subject, subject alternative name. Nothing helped.
Does anybody have a tip on how to solve this?
Thanks in advance
If I understood correctly, I don't need to create an external identity source when using the Certificate Authentication Profile feature.
This is what I got from the documentation:
"Certificate authentication profiles are used in authentication policies for certificate-based authentications in place of identity sources to verify the authenticity of the user."
I intend to use machine based authentication without contacting an external identity source.
I also ensured the root CA certificate is selected to be used for EAP-TLS authentication.
This brings me to another question.
If the CA issuing machine or user certificates is itself an intermediate CA, do I have to install a chained certificate (intermediate CA + root CA) in the ISE, or both CA certificates separately?
Thanks in advance
Regards,
Patrick -
Dot1x authentication problem
Hi,
Hello,
we have a dot1x authentication problem.
When I enter the dot1x configuration on the interface, the user authentication interface goes into err-disable state.
Below is the interface configuration:
interface FastEthernet0/45
switchport access vlan 21
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
mab eap
dot1x pae both
dot1x timeout quiet-period 3
dot1x timeout tx-period 5
spanning-tree portfast
Switch authentication failure log:
Jun 4 16:52:16.381: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:52:16.381: %AUTHMGR-5-START: Starting 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:52:16.423: %MAB-5-FAIL: Authentication failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:52:16.423: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:52:16.423: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:52:16.423: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:52:16.423: %AUTHMGR-5-FAIL: Authorization failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:53:17.165: %AUTHMGR-5-START: Starting 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:53:21.376: %DOT1X-5-SUCCESS: Authentication successful for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID
Jun 4 16:53:21.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:53:21.376: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 2c41.380f.f187 on Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:53:21.376: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:53:21.376: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state
Jun 4 16:53:22.400: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/45, changed state to down
AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID 0A51F11D000000266273D33D
Interface host mode limits the number of hosts that can be attached to an interface. The limit was exceeded and caused a security violation. The interface is error disabled.
Therefore what NAJAF has said could be one reason, or your CAM table is full, so try the clear mac address-table command and the clear port-security command if the address is secured on a port. -
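The two logs in these threads (the AP port that exhausts its only method with 'no-response', and the Fa0/45 port that authenticates and is then err-disabled by a security violation) are the two %AUTHMGR patterns a triage script should tell apart. The following Python is an added example, not code from any of the posts above or from Cisco: it parses the syslog lines quoted in the threads (embedded here as the sample input), groups them per interface, and returns a verdict per port. The interface and MAC regexes, the verdict codes and the explanation strings are this example's own assumptions.

```python
import re
from collections import defaultdict

# Sample lines copied from the two threads above (the AP port Gi3/0/18 with dot1x only,
# and port Fa0/45 that went err-disabled), used here as offline input.
SAMPLE_LOG = """\
%DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
Jun 4 16:52:16.381: %AUTHMGR-5-START: Starting 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:52:16.423: %MAB-5-FAIL: Authentication failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:52:16.423: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:53:17.165: %AUTHMGR-5-START: Starting 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:53:21.376: %DOT1X-5-SUCCESS: Authentication successful for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID
Jun 4 16:53:21.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:53:21.376: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 2c41.380f.f187 on Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:53:21.376: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID 0A51F11D000000266273D33D
Jun 4 16:53:21.376: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state
"""

MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+-\d-[A-Z_]+):")
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")
# Interfaces appear as "Interface Fa0/45", "interface FastEthernet0/45," or "on Fa0/45"
IFACE_RE = re.compile(r"\b(?:[Ii]nterface|on) ((?:FastEthernet|GigabitEthernet|Fa|Gi)\d[\d/]*)")
METHOD_RE = re.compile(r"(?:from|Starting) '(\w+)'")
RESULT_RE = re.compile(r"result '([\w-]+)'")


def short_ifname(name):
    """Normalise long and short IOS interface names so one port is one key."""
    return name.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")


def parse_line(line):
    """Extract mnemonic, client MAC, interface, method and result from one syslog line."""
    m = MNEMONIC_RE.search(line)
    if not m:
        return None
    mac, intf = MAC_RE.search(line), IFACE_RE.search(line)
    method, result = METHOD_RE.search(line), RESULT_RE.search(line)
    return {
        "mnemonic": m.group(1),
        "mac": mac.group(1) if mac else "unknown",      # "(Unknown MAC)" lines
        "interface": short_ifname(intf.group(1)) if intf else None,
        "method": method.group(1) if method else None,
        "result": result.group(1) if result else None,
    }


def summarize(log_text):
    """Group events per interface and record the facts a triage needs."""
    def new_port():
        return {"macs": set(), "methods": [], "results": [],
                "exhausted": False, "violation": False, "err_disabled": False}
    ports = defaultdict(new_port)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["interface"]:
            continue
        p = ports[ev["interface"]]
        if ev["mac"] != "unknown":
            p["macs"].add(ev["mac"])
        mn = ev["mnemonic"]
        if mn == "AUTHMGR-5-START":
            p["methods"].append(ev["method"])
        elif mn == "AUTHMGR-7-RESULT":
            p["results"].append((ev["method"], ev["result"]))
        elif mn == "AUTHMGR-7-NOMOREMETHODS":
            p["exhausted"] = True
        elif mn == "AUTHMGR-5-SECURITY_VIOLATION":
            p["violation"] = True
        elif mn == "PM-4-ERR_DISABLE":
            p["err_disabled"] = True
    return dict(ports)


def diagnose(port):
    """Map a per-port summary to a verdict (code, explanation); codes are this example's own."""
    results = port["results"]
    if port["violation"]:
        return ("violation", "authentication ran, but adding the MAC exceeded the host-mode "
                "or port-security limit; check host-mode and any secured addresses"
                + (" (port is err-disabled)" if port["err_disabled"] else ""))
    if port["exhausted"] and results and all(r == "no-response" for _, r in results):
        return ("no-supplicant", "the endpoint never answered; it has no supplicant, was still "
                "booting, or no fallback method such as MAB is configured")
    if any(r == "success" for _, r in results):
        return ("ok", "authenticated")
    return ("other", "inspect manually")


if __name__ == "__main__":
    for intf, port in summarize(SAMPLE_LOG).items():
        code, why = diagnose(port)
        print(f"{intf}: methods={port['methods']} macs={sorted(port['macs'])} -> {code}: {why}")
```

Feeding the script `show logging` output from a production switch works the same way; the two verdicts it distinguishes map onto the two remedies discussed above (a fallback or a delayed first EAP request for the silent AP, and a host-mode or port-security review for the err-disabled port).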