11-10-2009 05:21 AM
802.1X with Alcatel IP Phone
I'm trying to get an Alcatel IP Phone working with my 2610-24 PWR switch.
The problem is that the phone only supports 802.1X MD5, and this causes a fault error on my NPS server (Windows 2008).
I would like to disable authentication on the voice VLAN. Is it possible?
I found the "aaa port-access [port] mixed" command but I can't deal with it.
11-10-2009 09:33 AM
Re: 802.1X with Alcatel IP Phone
1) you could add MD5 as a supported EAP type in your NPS policy...1 policy test for MD5 and voice windows group, and another policy test for any other EAP and computer windows group...
2) you cannot select 802.1X auth per vlan, it is per port...
3) i couldn't find a reference to that last command...hmm???
hth...jeff
ps, i have a mitel 5212 auth with MD5 and a computer connected to the phone that auth with PEAP...all on W2K8/NPS and separate policies...
11-10-2009 09:48 AM
Re: 802.1X with Alcatel IP Phone
> I already made an "IP Phone" group and policy for phones and another for computers. But I get an internal error from NPS on my Windows 2008 server, so authentication times out because the RADIUS server does not respond.
2) you cannot select 802.1X auth per vlan, it is per port...
> Ok. It doesn't help me.
3) i couldn't find a reference to that last command...hmm???
> In the command line, it shows that this command allows authenticated and unauthenticated clients on the same port.
ps, i have a mitel 5212 auth with MD5 and a computer connected to the phone that auth with PEAP...all on W2K8/NPS and separate policies...
> I think the problem is in the ALCATEL phone. Could I see your config file?
Ludovic,
11-10-2009 05:28 PM
Re: 802.1X with Alcatel IP Phone
see: http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/e801bdac-9347-4efb-9d7c-bcf4d64aa927
Mac-auth is also a possibility, not very secure (spoofable) but from an automation point of view very handy.
Switches support concurrent 802.1x and MAC auth.
11-10-2009 09:02 PM
Re: 802.1X with Alcatel IP Phone
i followed the instructions on that same link provided and it worked for me :-)
MAC auth is how my aastra phones auth as they don't have an 802.1X supplicant...
but in active dir, both the UID and PW _must_ be the mac addr of the phone...however that will not pass the password complexity policy in AD...so you must change that...
see: http://forums.techarena.in/microsoft-security/1000801.htm
and i've sometimes had issues with 802.1X and mac auth working correctly on the same switch port...seems even tho the phone would mac auth ok, when the pc came online, the switch wouldn't auth the pc with its 802.1X credentials, it still wanted the pc to auth with mac addr...this was supposed to have been resolved last year, but i haven't tested it lately...
btw, every port configured for 802.1X auth (802.1X, mac, web) has a default client-limit of '1', so if you connect a pc to a phone, that switch port needs to have 'client-limit 3' set.....1 for phone in untag state, 1 for phone in tag state, 1 for pc in untag state...
cheers...jeff
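The client-limit rule from the post above as a small audit script (an added example, not part of the thread or of any HP tooling): it flags 802.1X ports that carry a tagged voice VLAN but allow fewer than three clients. The sample config is constructed, numeric port IDs are assumed, and only the commands quoted in this thread are parsed.

```python
import re

REQUIRED_LIMIT = 3  # per the post: phone untagged, phone tagged, PC untagged
DEFAULT_LIMIT = 1   # default client-limit as stated in the post
AUTH_RE = re.compile(r"aaa port-access authenticator ([\d,-]+)(?: client-limit (\d+))?")

SAMPLE = """\
vlan 89
untagged 1-8
vlan 447
voice
tagged 1-8
exit
aaa port-access authenticator 1-8
aaa port-access authenticator 1-4 client-limit 3
aaa port-access authenticator 7 client-limit 2
aaa port-access authenticator active
"""  # constructed sample, not a config from the thread

def expand_ports(spec):
    """Expand a port list such as '1-4,7' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config_text):
    """Return (authenticator_active, {port: client_limit}) for 802.1X ports
    tagged in a voice VLAN whose client-limit is below REQUIRED_LIMIT."""
    vlans, current = {}, None
    limits, active = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            current = vlans.setdefault(int(m[1]), {"voice": False, "tagged": set()})
        elif line == "voice" and current is not None:
            current["voice"] = True
        elif current is not None and (m := re.fullmatch(r"tagged ([\d,-]+)", line)):
            current["tagged"] |= expand_ports(m[1])
        elif line == "aaa port-access authenticator active":
            active = True
        elif m := AUTH_RE.fullmatch(line):
            for p in expand_ports(m[1]):  # a later client-limit line overrides the default
                limits[p] = int(m[2]) if m[2] else limits.get(p, DEFAULT_LIMIT)
    voice_ports = set().union(*(v["tagged"] for v in vlans.values() if v["voice"]))
    short = {p: n for p, n in sorted(limits.items()) if p in voice_ports and n < REQUIRED_LIMIT}
    return active, short
```

On the constructed sample, ports 5, 6 and 8 are reported at the default limit and port 7 at its explicit limit of 2.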
11-11-2009 02:48 AM
Re: 802.1X with Alcatel IP Phone
I have managed to get MD5 enabled and working on NPS. It works with Windows XP but not with my IP Phone.
I'm not interested in MD5 with the MAC address because I have to disable password security in my GPO.
I made some captures with Wireshark if you want.
I followed the ProCurve Networking Application Note "How to configure 802.1X authentication on ProCurve switches" and have activated it on my switch:
(config)# vlan 89
(vlan-1)# untagged 1-24
(vlan-1)# vlan 447
(vlan-2)# voice
(vlan-2)# tagged 1-24
(vlan-2)# exit
(config)# aaa port-access authenticator 1-24
(config)# aaa port-access authenticator 1-24 client-limit 3
(config)# aaa port-access authenticator active
(config)# write mem
But I want dynamic VLAN assignment, and it works fine with HP IDM.
11-11-2009 07:29 AM
Re: 802.1X with Alcatel IP Phone
Hopefully HP will enhance this functionality also in the 2610 series.
The aaa port-access mixed command states that authenticated and unauthenticated users are allowed on the same port. I never checked how this works in reality, but I think this is useful to have unauthenticated users in an unsecure VLAN while authenticated users get a dynamic secure VLAN.
Maybe there are some other things to consider, like the dual boot or fixed VLAN config of the Alcatel phone. Unfortunately Alcatel does not support LLDP-MED (yet), which would make setup and config easier.
11-11-2009 12:17 PM
Re: 802.1X with Alcatel IP Phone
what is radius saying is the problem...
i'm thinking the issue is in radius[nps]/remote access policy area -or- between switch and radius...
that's why seeing what radius says as the problem helps...
(side note, i would not use MAC addr for MD5, i only mentioned MAC auth info as it was brought up later in this thread)...
also, i see that the "mixed" support is brand new in that 2610 code, and not (yet?) in the provision asic switches, that must be why i didn't see in the latest manual set...cool feature :-)
cheers...jeff
11-12-2009 12:24 AM
Re: 802.1X with Alcatel IP Phone
11-12-2009 12:40 AM