Using 802.1X and non-Cisco IP Phones

Hi there,
Having some questions about an 802.1x/non-Cisco ip phone setup and was hoping to find some answers/user-experience with this setup.
Main questions i'm facing:
1) When using non-Cisco ip phones (eg Nortel or Siemens) and a previous authorized client connected behind this ip phone gets disconnected. What will this action do with the authorized state of 802.1X on the switch port? WIll it stay authorized until the reauth timer expires or does it reject communication from any other device?
2) What about EAPOL-Logoff messages from the ip phone to the switch. Are these only used by Cisco phones when they experience a link-status change on data ports?
Thanks for sharing your thoughts

Overall, you need to try and deal with the fact that a machine can disappear from the network and the network may not know about it directly (i.e. Link doesn't go down).
I have no idea what other phones do, but Cisco phones send an EAPOL-Logoff when something is unplugged. This lets the switch know directly, and 1X session start is torn down immediately, closing what would be a security hole.
Fundamentally, re-auth is a workaround only, and this is not the reason to enable re-auth to begin with.
If your phone doesn't send an EAPOL-Logoff in this case, the switch might be left thinking an attack is underway when someone else tries to plug in (with presumably a different MAC). You do NOT want this to occur.
Hope this helps,

Similar Messages

  • Data source for application using both pooled and non pooled connections

    Hi guys.
    I am integrating Oracle's connection pooling into an existing application that had formerly used dbConnectionBroker. It looks like this task should be quite straightforward. However, for consistency, I would also like to replace other Connection logic within the application to use Oracle classes. This will involve using OracleDataSource to obtain a Connection object. ( without pooling ).
    So in this case, the application will use both pooled and non pooled Oracle connections. They will be connecting to the same database. The question I have is in regard to the use of data-sources.xml.
    Are there any special considerations for the required attribute values within data-sources.xml under this scenario ?
    Help will be greatly appreciated.
    Regards.
    Steve.

    Hi Steve -
    It should be feasible for you to define a single datasource using multiple location entries to indicate what sort of pooling behaviour you wish to use.
    If you lookup and use the "location" attribute, you will receive a javax.sql.DataSource object which will not provide connection pooling.
    If you lookup and use the "ejb-location" attribute you will receive a DataSource object that will support connection pooling operations.
    Note that this is using the emulated datasource approach, and transaction support is limited to a single resource (one database) for these datasources - you won't get 2PC support for transactions.
    If you need a transaction to span two separate resources (ie two databases in same tx) then you will need to use the non-emulated datasource approach.
    There is a chapter in the J2EE Services Guide which describes the datasource model we have with OC4J. This might provide you with some more useful information. See Chapter 11 - http://otn.oracle.com/docs/products/ias/doc_library/903doc_otn/generic.903/a97690/ds3.htm#1004903
    cheers
    -steve-

  • I am using dreamweaver cs6 and none of the menu's are showing up like the common, form, layout, spry etc...not sure why?

    i am using dreamweaver cs6 and none of the menu's are showing up like the common, form, layout, spry etc...not sure why?

    Which version of CC -- 13, 2014, or 2014.1?  You'll find it under the Help menu > About DW.
    Spry Menus are gone.
    Color is something you add with CSS.
    Nancy O.

  • 802.1x problem with non-Cisco IP Phone, VVID enabled.

    I am testing with a 3750 PoE switch running 12.2(25)SEE1 and trying to configure 802.1x to work with Mitel IP phones.
    I have voice and data vlans configured on each port. Turning on 802.1x causes the phone to hang and timeout in DHCP Discovery. The port status from the switch is "Unauthorized".
    interface FastEthernet1/0/2
    switchport access vlan 1
    switchport mode access
    switchport voice vlan 2
    dot1x pae authenticator
    dot1x port-control auto
    no mdix auto
    spanning-tree portfast
    end
    Should anything be configured besides the Voice VLAN to let phones onto the network? There is no computer behind the phone right now. The only information I can find says I need a VVID, and any clients behind it will cross the PVID.
    Thanks.

    Yes it does.
    Apparently the Mitel phones (testing a 5215 dual-mode) we have support EAP-MD5, but we have a primarily PEAP/EAP-TTLS environment. Apparently the phones need to use a username/password entered on each phone before they will send that to a Radius server doing EAP-MD5. Our PEAP clients authenticate to a Microsoft Radius server, and our EAP-TTLS to a Funk box. Hopefully the Microsoft can support both EAP-MD5 phones and PEAP on the laptops, I'll have to find out.
    I was hoping this was a quick and easy Cisco configuration error... oh well.

  • Catalyst Express 500 802.1q with non-Cisco Phones

    This weekend we spent hours trying to get 802.1q tagging to work on a VLAN with ShoreTel phones. The user interface on this switch seems to only allow "Cisco-Voice" VLAN, without any specifics. This didn't work. The specs on this switch say that the .1q is supported, but we couldn't figure it out. The more expensive switches were easier to configure for Voip QoS.
    Can anyone advise me on the tricks to getting this to work with the lower end Catalyst Express 500? Or does this switch only support 802.1q with Cisco phones?

    Cisco IP Phone uses CDP to let the ip phone know what vlan it's suppose to be (via voice-vlan). shore tel would definitely not use CDP since CDP is cisco proprietory, so it's voice vlan must be defined on it, I rememer Avaya being the same way. So, having said that, just make sure that the Shore tel Ip phone are in the right vlan. what does not work anyway? shore Tel IP Phone will not come up? Will not get it's configuration from it's software PBX? Use the smartport configuration on CE500.
    Please rate all posts.

  • Having 1 router and multiple WCCP cache devices: cisco and non-cisco

    I have a 6500 running WCCPv1. I have two devices single connected to the 6500: a CE565 and a non-cisco device that does WCCPv1. The 6500 is configured for WCCP redirection. What happens to the requests ? Are they serviced by both devices in parallel ? Is only one device servicing the request ? Load balanced ? I know a cluster won't be formed because the device is non-cisco. BTW, the non-cisco device only support WCCP v1.

    Will this detection between devices work if the non-cisco device is not really a cache engine, but a web filter that uses WCCP? In reality, my ideal goal would be that traffic would be redirected to the web filter (non-Cisco), get filtered, and then redirected to the catalyst, and then again redirected to the cache engine to be cached. But I am not sure this will happen due to routing. So I guess is either one or the other, correct ? I don't have the option to connect the web filter in other box, neither the Cache Engine. I thoutht that they would not detect each other at all and the router would be doing a decision there. How do they detect each other ? via which protocol ? WCCP ?

  • Using 802.1x and 2 hosts (one physical and one virtual) on the same port

    Hello,
    We trying to utilize the following scenario:
    BYOD with users' windows based laptops and Apple Mac Books
    Virtual machines within each of the physical machines:  For Windows, the VMs will be Windows 7 VMs running within VM Workstation.  For Macs, users will be running Windows 7 VMs within Fusion.
    802.1x set for multi-host
    Using 802.1x, we have a guest network that places the user's physical machine in once it fails authentication.  The virtual machine runs the corporate image, and we'd like to have this VM connected to our corporate VLAN.
    We have been running into this scenario though:
    1.     User plugs his BYOD laptop from into the network.  His laptop gets attached to the guest network because it fails the 802.1x check.
    2.      The VM is powered on.  It successfully is connected to the corporate network.
    3.      Now,  the user unplugs his network cable from his host machine and waits 10 seconds.
    4.      He then re-plugs the network cable to his host machine.
    5.      The VM is the first to authenticate to the 802.1x network and it gains access to the corporate network.
           6.      Due to the VM being the first to authenticate on 802.1x, the host network connection piggybacks off of the VM, and therefore the host gains access to the corporate network
    Obviously this represents a no-go if the user's BYOD computer is able to access the corporate network.  Is there is any specific way that 802.1x can be configured to prevent this from happening?
    Thanks,
    Mooge

    Multi-Host is not the right option for you. In this Multi-Host only one device has to successfully authenticate to authenticate all device on that port.
    You need to set host-mode to  "multi-auth"

  • Premiere Pro CC only using 30% CPU and none of the GPU

    Hi,
    I’m very new to video editing (actually I have no Idea what H264, or avi or mp4 or mov is, I just need the video to work) and I have never used Premiere Pro before. Now I'm trying the CC 7.0 trial.
    My goal is to achieve the fastest rendering times possible.
    Today I have upgraded my PC for maximal performance in video editing:
    Intel i7 4930K (12threads)
    Radeon 6950 (2GB)
    16GB RAM
    SSD
    I have a recorded video of me playing a PC game in .avi 2552*1348 resolution (2560*1440 monitor without some borders).
    I have set export to H.264 and settings to match source (resolution 2552*1348, 30 FPS, Progressive, Square pixels, NTSC, main, 5.0).
    But when rendering (no effects, just cutting) the program only uses 22-45% of the entire CPU and none of the GPU.
    The best result with this stress was cca 1:1 rendering:movie length. I'm using 16GB RAM, I tried 32GB and 64GB and the stress on CPU and GPU was the same and the rendering times changed only slightly.
    I have an SSD and the read write speeds during rendering are 1-9 MB/s so there is plenty of performance left.
    Frankly, this 1:1 performance offers Power Director 11 which I have been using so far. (When editing 1080p the ratio in PP is cca 1:2,5, the same as in Power Director.)
    So when the disks are idle, the GPU is idle, more RAM changes nothing and the CPU only works on 1/3 its capacity, what is the bottleneck?
    I want to use 100% of the CPU and 100% of the GPU and have the rendering:movie say 0,3:1 or so.
    What can I change to fully use the processing power of my computer?
    Thanks

    Start reading here: Tweakers Page

  • Technical Monitoring one template used for production and non-production system.

    Dear All,
    Is there a way to have one template in Solman Technical Monitoring for production system and non-production system with different alerts ? For example if it exceeds a threshold for production system it will trigger red alert or set automatically an incident and if it's non prod system it will go to yellow warning alert ?
    Regards
    Lukasz Goral 

    Hi Likasz,
    You first create and customize the template, and then assign to a system.
    If it was selecting a system and then customizing a template, then may be such functionality makes sense.
    So, I don't think that is possible.
    Better would be copy the template used for production to non-production and make the adjustment to it.
    Regards,
    Divyanshu

  • AP1240 and non Cisco

    We have some non Cisco AP's that I am trying to configure a Cisco AP 1240 to associate with.
    The radio will not come out of "disabled"
    Antenna is connected and I have done the basic config, there is no security set up at all on the existing untit.
    What are the basic setup parameters for the raido to assiciate with teh other side?
    are there any debugs I could look at?

    Hello,
    The issue is that Cisco IOS Autonomous APs will only bridge with other Cisco model APs and Bridges. If these APs can act like client then the Cisco AP will associate as a client but this is not common for an AP. Hope this helps.
    Regards,
    Aaron

  • Using 802.1x and vpn on t-mobile hotspot

    hi all,
    how do i configure 802.1x and vpn to enhance security on t-mobile hotspot?
    thanx for your help.

    Multi-Host is not the right option for you. In this Multi-Host only one device has to successfully authenticate to authenticate all device on that port.
    You need to set host-mode to  "multi-auth"

  • 802.1X single-host; workstation attached to non-cisco IP Phone

    Hello everyone,
    I am doing some design piece of work and I need to understand (because I couldn't find it clearly written anywhere) the following thing:
    If I am using LLDP-MED in order to assign the VVID (Voice Vlan), instead of Cisco's CDP,  will that be just fine with the Single-Host mode? I want to bypass phone authentication, if it is recognized by the LLDP-MED, but to keep authenticating the workstation that is attached physically to the phone.
    If that has any mater - the phones will be Avaya.
    Cheers & thanks in advance!
    Dani

    Hi Danail,
    In addition to the private message I replied to you, I think MAB is more feasible way to depoly VOIP in dot1x network environment than LLDP-MED for the following reason:
    1. MAB complies with dot1x framework, it works in very simliar way as dot1x.
    2. MAB has been widely deployed on Cisco switches and works fine.
    3. MAB can be deployed for any kind of endpoints which doesn't support dot1x supplicant function in dot1x network environment.
    While LLDP-MED IMO is a revision of LLDP, you may have the capablity to bypass the phone on switches of some vendors with LLDP-MED, but it will be higher risk on deployment than MAB on Cisco switches.
    BTW, generate 2000 MAC for VOIP phone is not biggy as normally you can ask the vendor send you the list of MAC. The OUI check with wildcard is definitely doable but it is Radius software related. IMO these two questions actually are not design questions, they are more likely deployment questions which should be considered after your high level design.
    Which can win the race: increasing bandwidth with new technologies VS QoS?

  • Use ear buds and blue tooth ear phones at same time

    My wife and I want to listen to a walking tour at the same time using my iPhone 5S.  Can I plug in a set of wired ear buds into my iPhone for me, and at the same time have my wife listen to the same recording using a blue tooth head phones?

    No. But you  pick up a "Y" splitter for the headphone jack for just a few bucks and use two sets of earbuds.

  • Using FCoE connection to non Cisco switches

    Hello,
    does anyone know what port configuration needs to be configured on a Nexus switch that is connected to say Brocade switch or any other vendor that supports FCoE. I have created VLAN to VSAN mapping, i assume next step is to create a vfc device ? Since this is not connection to an initiator or a target but another FCoE capable switch, how do i need to configure this vfc ?  Any tips ?
    Thanks

    Hi,
    Looks like from the document that you referenced that this switch runs in NPV mode for FCoE:
    FCoE features
    Fibre Channel over Ethernet (FCoE*)
    FIP & FCoE packets are all forwarded when DCB is configured
    * FCoE frames as defined by T11 Committee
    So, I would configure the Cisco Nexus switch for FCoE and NPIV
    Configure the Nexus 5000 for FCoE and NPIV
    There are several procedures that are required in order to configure the Nexus 5000 for FCoE and NPIV:
        Enable Feature FCoE
        Enable N Port Identifier Virtualization (NPIV) on the Nexus 5000
        Enable Nexus 5000 Quality of Service (QoS) for FCoE
        Enable Link Layer Discovery Protocol (LLDP)
        Configure VLAN
        Configure VSAN
        Map the VLAN to VSAN
    Example:
    feature lldp
    feature fcoe
    feature npiv
    interface vfc130
      bind interface Ethernet1/30
      switchport mode F
      no shutdown
    interface Ethernet1/30
      switchport mode trunk
      switchport trunk allowed vlan 1,100
      spanning-tree port type edge trunk
    vsan database
      vsan 100 interface vfc130
    vlan 100
      fcoe vsan 100
    Example of QOS:
     system qos
      service-policy type qos input fcoe-default-in-policy
      service-policy type queuing input fcoe-default-in-policy
      service-policy type queuing output fcoe-default-out-policy
      service-policy type network-qos fcoe-default-nq-policy
    Best regards,
    Jim

  • Is there any way to remotely wipe an iPhone 4 without the use of iCloud and the find my phone app?

    Hey, my phones been taken off me and i need to wipe it asap. i havnt downloaded and set up the find my phone app though. Can it be done?

    check out www.icloud.com an log in there. Then, go to 'Find my iphone' and see if your device is listed

Maybe you are looking for

  • Check box as output of ALV grid display

    Hello Experts, I have an internal table consiting of 3 fields which i need to display this  using the grid display. The requirement is to place a check box before the 1 and the 3rd line item. Thanks in advance.

  • Partner Profit Center in MIGO

    Dear Friends I met a problem of partner profit center in MIGO. We have cross company STO transactions.  I checked some STO purchase order and MIGO transactions. For one purchase order, there are two MIGO transactions for one purchase item. However, w

  • Iphoto: problem with background color on Calendar.  Help!

    I have made 4 calendars using iphoto now.  The first time I did it, I was able to custom background color the pages, including the bottom half with month and days.  Since then, the only page that works for making background color changes is the top p

  • How can find the schema name

    Hi, I just want to know, based on the sql statements in v$sql, want to know the schema from which the queries are being executed. and one more thing, one sql procedure/function got failed from the application , I want to know from which schema it got

  • Can't find frmcmp_batch.sh in my new Classic 11g Installation

    Hi All. I've installed Classic(Portal, Forms, Reports and Discoverer) 11G Application Server 11.1.3 on a linux box. The idea is to transfer source files (.FMB, .RDF) an have them compiled on the Linux box. These files were built on 10g. I just want t