Cisco Voice VLAN with 802.1X Authentication
I've got a Cisco Catalyst 2960 that I'm trying to configure for a remote office with 802.1X wired authentication.
The setup I'm going for is Switch -> VoIP Phone via Internal Switch -> PC/Laptop (Domain Joined Win 7/8).
Our authentication server is NPS on Windows Server 2008 R2.
We are using Snom 300 handsets which do support 802.1X but it's not really feasible for us to configure it on all the handsets, so I've configured the switch to use MAB (MAC Authentication Bypass) for the phones.
This for the most part is working brilliantly, the handsets get authenticated and put into the VOICE domain and the VLAN policy is displaying 501, which is our voice VLAN.
But, the phones can still fully access the data VLAN - what am I doing wrong?
Here is the 802.1x session into for that connected port:
int-remote-sw-1#show auth sessions int Fa0/9
Interface: FastEthernet0/9
MAC Address: 0004.133d.69cc
IP Address: Unknown
User-Name: 0004133d69cc
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 501
Session timeout: 600s (local), Remaining: 409s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0A9402F50000005F094C7DC3
Acct Session ID: 0x0000007D
Handle: 0xD6000060
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
Switch config related to 802.1x :
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
aaa session-id common
!
!
dot1x system-auth-control
!
!
errdisable detect cause security-violation shutdown vlan
!
!
vlan 501
name VOICE-LAN
!
!
interface FastEthernet0/9
switchport access vlan 502
switchport mode access
switchport voice vlan 501
authentication event fail action authorize vlan 503
authentication event server dead action reinitialize vlan 503
authentication event no-response action authorize vlan 503
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate 600
mab
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
!
!
radius-server dead-criteria time 30 tries 10
radius-server host 10.***.***.***
radius-server host 10.***.***.***
radius-server retry method reorder
radius-server key ******************
Switch version:
int-remote-sw-1#show ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE7, RELEASE SOFTWARE (fc1)
NPS Server Config:
1 Answer
I'm not sure it's the best answer to the question of how to make this work, but in the absence of a better answer, I figured out a way to make it work myself.
Basically, I went with the idea that if you are using what is essentially dynamic VLAN assignment (even though it's termed a voice feature), you have to use it for both the VOICE and DATA domains to get the result I was looking for.
I changed the access VLAN to a VLAN that doesn't route outside the switch, so in my case switchport access vlan 504
I then modified the policy on our NPS server to pass a VLAN assignment to computers when they authenticate.
This has the effect of putting phones or any device MAC spoofing as one without a VLAN configured being put into what is essentially a blackhole network so they can't access anything - but if configured with the correct VLAN ID, they can access the more locked down voice network.
But if a computer is attached and authenticated either directly or via the switch on the phone in the DATA domain, the switch changes the access or native VLAN to our internal network as instructed by the NPS server.
This is the result I was looking for - it just meant having to change the config on other switches that make use of the policy server in a more basic form which I was trying to avoid.
iamacarpetUser contributions licensed under CC BY-SA 3.0