I've got a Cisco Catalyst 2960 that I'm trying to configure for a remote office with 802.1X wired authentication.
The setup I'm going for is
Switch -> VoIP Phone via Internal Switch -> PC/Laptop (Domain Joined Win 7/8).
Our authentication server is NPS on Windows Server 2008 R2.
We are using Snom 300 handsets which do support 802.1X but it's not really feasible for us to configure it on all the handsets, so I've configured the switch to use MAB (MAC Authentication Bypass) for the phones.
This for the most part is working brilliantly, the handsets get authenticated and put into the VOICE domain and the VLAN policy is displaying 501, which is our voice VLAN.
But, the phones can still fully access the data VLAN - what am I doing wrong?
Here is the 802.1x session into for that connected port:
int-remote-sw-1#show auth sessions int Fa0/9 Interface: FastEthernet0/9 MAC Address: 0004.133d.69cc IP Address: Unknown User-Name: 0004133d69cc Status: Authz Success Domain: VOICE Oper host mode: multi-domain Oper control dir: both Authorized By: Authentication Server Vlan Policy: 501 Session timeout: 600s (local), Remaining: 409s Timeout action: Reauthenticate Idle timeout: N/A Common Session ID: 0A9402F50000005F094C7DC3 Acct Session ID: 0x0000007D Handle: 0xD6000060 Runnable methods list: Method State mab Authc Success dot1x Not run
Switch config related to 802.1x :
aaa new-model ! ! aaa authentication dot1x default group radius aaa authorization network default group radius ! ! aaa session-id common ! ! dot1x system-auth-control ! ! errdisable detect cause security-violation shutdown vlan ! ! vlan 501 name VOICE-LAN ! ! interface FastEthernet0/9 switchport access vlan 502 switchport mode access switchport voice vlan 501 authentication event fail action authorize vlan 503 authentication event server dead action reinitialize vlan 503 authentication event no-response action authorize vlan 503 authentication event server alive action reinitialize authentication host-mode multi-domain authentication order mab dot1x authentication port-control auto authentication periodic authentication timer reauthenticate 600 mab mls qos trust cos dot1x pae authenticator spanning-tree portfast ! ! radius-server dead-criteria time 30 tries 10 radius-server host 10.***.***.*** radius-server host 10.***.***.*** radius-server retry method reorder radius-server key ******************
int-remote-sw-1#show ver Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE7, RELEASE SOFTWARE (fc1)
NPS Server Config:
I'm not sure it's the best answer to the question of how to make this work, but in the absence of a better answer, I figured out a way to make it work myself.
Basically, I went with the idea that if you are using what is essentially dynamic VLAN assignment (even though it's termed a voice feature), you have to use it for both the VOICE and DATA domains to get the result I was looking for.
I changed the access VLAN to a VLAN that doesn't route outside the switch, so in my case
switchport access vlan 504
I then modified the policy on our NPS server to pass a VLAN assignment to computers when they authenticate.
This has the effect of putting phones or any device MAC spoofing as one without a VLAN configured being put into what is essentially a blackhole network so they can't access anything - but if configured with the correct VLAN ID, they can access the more locked down voice network.
But if a computer is attached and authenticated either directly or via the switch on the phone in the DATA domain, the switch changes the access or native VLAN to our internal network as instructed by the NPS server.
This is the result I was looking for - it just meant having to change the config on other switches that make use of the policy server in a more basic form which I was trying to avoid.
User contributions licensed under CC BY-SA 3.0