Re: 802.1X with Alcatel IP Phone

BOUE
New Member

802.1X with Alcatel IP Phone

Hello,

I'm trying to get an Alcatel IP Phone working with my 2610-24 PWR switch.

The problem is that the phone only supports 802.1X MD5, and this causes a fault error on my NPS server (Windows 2008).

I would like to disable authentication on the voice VLAN. Is it possible?

I found the "aaa port-access [port] mixed" command but I can't deal with it.
Jeff Carrell
Honored Contributor

Re: 802.1X with Alcatel IP Phone

couple of comments:

1) you could add MD5 as a supported EAP type in your NPS policy...1 policy test for MD5 and voice windows group, and another policy test for any other EAP and computer windows group...

2) you cannot select 802.1X auth per vlan, it is per port...

3) i couldn't find a reference to that last command...hmm???

hth...jeff

ps, i have a mitel 5212 auth with MD5 and a computer connected to the phone that auth with PEAP...all on W2K8/NPS and separate policies...
BOUE Ludovic
Occasional Advisor

Re: 802.1X with Alcatel IP Phone

1) you could add MD5 as a supported EAP type in your NPS policy...1 policy test for MD5 and voice windows group, and another policy test for any other EAP and computer windows group...

> I already made an "IP Phone" group and policy for phones and another for computers. But I get an internal error from NPS on my Windows 2008 server, so authentication times out because the RADIUS server does not respond.

2) you cannot select 802.1X auth per vlan, it is per port...

> Ok. It doesn't help me.

3) i couldn't find a reference to that last command...hmm???

> In the command line, it shows that this command allows authenticated and unauthenticated clients on the same port.

ps, i have a mitel 5212 auth with MD5 and a computer connected to the phone that auth with PEAP...all on W2K8/NPS and separate policies...

> I think the problem is in the ALCATEL phone. Could I see your config file?

Ludovic,
Sietze Reitsma
Respected Contributor

Re: 802.1X with Alcatel IP Phone

seems that MD5 is not enabled by default in NPS. Maybe this is causing the problem.

see: http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/e801bdac-9347-4efb-9d7c-bcf4d64aa927

Mac-auth is also a possibility, not very secure (spoofable) but from an automation point of view very handy.

Switches support concurrent 802.1x and MAC auth.
Jeff Carrell
Honored Contributor

Re: 802.1X with Alcatel IP Phone

good catch Sietze !!! i had forgotten about that...drove me crazy for many hours...

i followed the instructions on that same link provided and it worked for me :-)


MAC auth is how my aastra phones auth as they don't have an 802.1X supplicant...

but in active dir, both the UID and PW _must_ be the mac addr of the phone...however that will not pass the password complexity policy in AD...so you must change that...

see: http://forums.techarena.in/microsoft-security/1000801.htm


and i've sometimes had issues with 802.1X and mac auth working correctly on the same switch port...seems even tho the phone would mac auth ok, when the pc came online, the switch wouldn't auth the pc with its 802.1X credentials, it still wanted the pc to auth with mac addr...this was supposed to have been resolved last year, but i haven't tested it lately...


btw, every port configured for 802.1X auth (802.1X, mac, web) has a default client-limit of '1', so if you connect a pc to a phone, that switch port needs to have 'client-limit 3' set.....1 for phone in untag state, 1 for phone in tag state, 1 for pc in untag state...

cheers...jeff
BOUE Ludovic
Occasional Advisor

Re: 802.1X with Alcatel IP Phone

I know all of that.

I have managed to get MD5 enabled and working on NPS. It works with Windows XP but not with my IP Phone.

I'm not interested in MD5 with the MAC address because I have to disable password security in my GPO.

I made some captures with Wireshark if you want.

I followed the ProCurve Networking Application Note "How to configure 802.1X authentication on ProCurve switches" and have activated it on my switch:

(config )# vlan 89
(vlan?1)#untagged 1-24
(vlan?1)# vlan 447
(vlan?2)# voice
(vlan?2)# tagged 1-24
(vlan?2)# exit
(config )# aaa port-access authenticator 1-24
(config )# aaa port-access authenticator 1-24 client-limit 3
(config )# aaa port-access authenticator active
(config )# write mem

But I want dynamic VLAN assignment, and it works fine with HP IDM.
Sietze Reitsma
Respected Contributor

Re: 802.1X with Alcatel IP Phone

with 3500yl or 5400zl/8200zl you can configure a password which is compliant to the GPO. so the username=MAC address and the password is configured in the switch. another possibility is to use another radius server group for MAC-auth. In this case you can set up another infrastructure (radius and directory/flatfile) for Mac auth.

Hopefully HP will enhance this functionality also in the 2610 series.

the aaa port-access mixed command states that authenticated and unauthenticated users are allowed on the same port. I never checked how this works in reality, but I think this is useful to have unauthenticated users in an unsecure vlan and authenticated users get a dynamic secure vlan.

Maybe there are some other things to consider like the dual boot or fixed vlan config of the Alcatel phone. Unfortunately Alcatel does not support LLDP-MED (yet) which would make setup and config easier.
Jeff Carrell
Honored Contributor

Re: 802.1X with Alcatel IP Phone

for me, the next info to see would be what the "radius log" info indicates...

what is radius saying is the problem...

i'm thinking the issue is in radius[nps]/remote access policy area -or- between switch and radius...

that's why seeing what radius says as the problem helps...

(side note, i would not use MAC addr for MD5, i only mentioned MAC auth info as it was brought up later in this thread)...

also, i see that the "mixed" support is brand new in that 2610 code, and not (yet?) in the provision asic switches, that must be why i didn't see it in the latest manual set...cool feature :-)

cheers...jeff
BOUE Ludovic
Occasional Advisor

Re: 802.1X with Alcatel IP Phone

You can find the radius log in attachment. Sorry, it's in French, except for the XML part.
BOUE Ludovic
Occasional Advisor

Re: 802.1X with Alcatel IP Phone

This is a Wireshark capture between the switch and the NPS server (Radius).
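Jeff's suggestion above is to look at what the RADIUS exchange between the switch and NPS actually says, and the thread's last posts offer a Wireshark capture of exactly that. The following Python script is an added example, not code from this thread or from HP, Alcatel or Microsoft. It decodes a single RADIUS packet (such as the UDP payload of one captured frame), pulls out the EAP-Message attribute, and reports the EAP code and type, including the EAP type the supplicant asks for in a Nak, which is how a phone that only speaks EAP-MD5 answers a PEAP offer from NPS. It also recomputes the Message-Authenticator with the shared secret, which separates an EAP-type mismatch from a switch/RADIUS shared-secret mismatch. The sample packet, the username `phone-0189` and the shared secret are all constructed here for illustration; nothing in them comes from the poster's capture.

```python
import hashlib
import hmac
import struct

# RFC 2865 / RFC 3748 code points used by the decoder (well-known values, not from the thread)
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def parse_attributes(body):
    """Split the RADIUS attribute area into (type, value) pairs, rejecting malformed lengths."""
    attrs, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[off], body[off + 1]
        if alen < 2 or off + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[off + 2:off + alen]))
        off += alen
    return attrs


def parse_radius(packet):
    """Decode the 20-byte RADIUS header and the attributes that follow it."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    return {"code": code, "id": ident, "authenticator": packet[4:20],
            "attrs": parse_attributes(packet[20:length])}


def parse_eap(radius):
    """Reassemble EAP-Message fragments (RFC 3579) and summarise the EAP packet inside."""
    eap = b"".join(v for t, v in radius["attrs"] if t == ATTR_EAP_MESSAGE)
    if len(eap) < 4:
        return None
    code, ident, length = struct.unpack("!BBH", eap[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2) and length >= 5:  # Request/Response carry a Type byte
        etype = eap[4]
        info["type"] = EAP_TYPES.get(etype, etype)
        if etype == 3:  # Nak: the supplicant lists the EAP types it will accept instead
            info["wants"] = [EAP_TYPES.get(t, t) for t in eap[5:length]]
        elif etype == 1:
            info["identity"] = eap[5:length].decode("utf-8", "replace")
    return info


def check_message_authenticator(packet, secret):
    """Recompute Message-Authenticator = HMAC-MD5(secret, packet with the attribute zeroed)."""
    off = 20
    while off + 2 <= len(packet):
        atype, alen = packet[off], packet[off + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[off + 2:off + 18])
        off += alen
    return False  # absent: RFC 3579 requires it whenever EAP-Message is present


def diagnose(packet, secret):
    """One-line view of a captured packet: RADIUS code, user, EAP summary, secret check."""
    r = parse_radius(packet)
    users = [v.decode("utf-8", "replace") for t, v in r["attrs"] if t == ATTR_USER_NAME]
    return {"radius": RADIUS_CODES.get(r["code"], r["code"]),
            "user": users[0] if users else None,
            "eap": parse_eap(r),
            "message_authenticator_ok": check_message_authenticator(packet, secret)}


def build_access_request(secret, username, eap_payload, ident=0x2A, authenticator=b"\x11" * 16):
    """Constructed Access-Request used only as sample input (User-Name, EAP-Message, Message-Authenticator)."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(eap_payload)]) + eap_payload
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute, fill in its value


# Constructed sample: supplicant answers NPS's EAP offer with a Nak asking for MD5-Challenge (type 4)
SHARED_SECRET = b"constructed-secret"
EAP_NAK_WANT_MD5 = struct.pack("!BBHB", 2, 7, 6, 3) + bytes([4])
SAMPLE_PACKET = build_access_request(SHARED_SECRET, b"phone-0189", EAP_NAK_WANT_MD5)

if __name__ == "__main__":
    print(diagnose(SAMPLE_PACKET, SHARED_SECRET))
```

To use it on a real capture, export the RADIUS UDP payload from Wireshark as raw bytes and pass it to `diagnose()` together with the switch's RADIUS shared secret. A `wants` list naming only `MD5-Challenge` while NPS keeps offering PEAP points at the policy's enabled EAP types; a failed Message-Authenticator check with the correct secret points at the switch-to-RADIUS configuration instead.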