
Re: 802.1X with Alcatel IP Phone

 
BOUE Ludovic
Occasional Advisor

Re: 802.1X with Alcatel IP Phone

Can someone explain the "aaa port-access authenticator control" command? I want to allow both 802.1X-compliant clients and non-802.1X-compliant clients to access the network.

I set it to auto mode, and when I connect a non-802.1X-compliant client it doesn't have access to the network.

I want 802.1X-compliant clients to use dynamic VLAN assignment, and non-802.1X-compliant clients to use the static VLAN defined on the port.

----------------------------------------
aaa port-access authenticator < port-list >
[control < authorized | auto | unauthorized >]

Controls authentication mode on the specified port:

authorized: Also termed "Force Authorized". Gives access to a device connected to the port. In this case, the device does not have to provide 802.1X credentials or support 802.1X authentication. (You can still configure console, Telnet, or SSH security on the port.)

auto (the default): The device connected to the port must support 802.1X authentication and provide valid credentials to get network access. (Optional: You can use the Open VLAN mode to provide a path for clients without 802.1X supplicant software to download this software and begin the authentication process. Refer to "802.1X Open VLAN Mode" on page 11-27.)

unauthorized: Also termed "Force Unauthorized". Do not grant access to the network, regardless of whether the device provides the correct credentials and has 802.1X support. In this state, the port blocks access to any connected device.
Jeff Carrell
Honored Contributor

Re: 802.1X with Alcatel IP Phone

BOUE said:
Can someone explain the "aaa port-access authenticator control" command? I want to allow both 802.1X-compliant clients and non-802.1X-compliant clients to access the network.

jeff reply:
this command dictates how the switch will control 802.1X-enabled ports...

default is auto, meaning if the device authenticates via radius, do what radius says...if device doesn't authenticate, then switch blocks that port...

on - means don't try to authenticate at all, just let all traffic pass...

off - don't allow traffic at all, even if the device tries to authenticate...


BOUE said:
I set it to auto mode, and when I connect a non-802.1X-compliant client it doesn't have access to the network.

jeff reply:
that is correct function


BOUE said:
I want 802.1X-compliant clients to use dynamic VLAN assignment, and non-802.1X-compliant clients to use the static VLAN defined on the port.

jeff reply: then the way to configure that 802.1X function is to define what is called the "unauthenticated vlan"... this is generally not the vlan the ports are statically assigned to, and i've never tried it that way; i always define a separate vlan...

so, to configure this:
1) create a vlan
2) control its access to the network via ACL(s)
3) provide the vlan with DHCP services and ip-helper on the vlan
4) then this command:

'aaa port-access authenticator unauth-vid'

hth...jeff


ps, i looked at the event info you provided earlier (running the French through Google's translator), but the messages shown didn't really tell me anything... it didn't look like they were the RADIUS messages...

so i assume that is why you are looking at this other option...

cheers..jeff
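Putting the four steps above (and the "Open VLAN mode" path the manual excerpt mentions) into one ProCurve-style configuration, as an added example that is not part of Jeff's post or of the ProCurve documentation. Everything below is assumed for illustration: VLAN 100 is the production VLAN the ports are statically untagged in, VLAN 200 is the separate unauthenticated VLAN, 10.1.1.20 is the RADIUS server, 10.1.1.10 is the DHCP/DNS server, 10.1.1.30 is a web server hosting supplicant software, and ports 1-24 are the user ports. ACL keywords and the way an ACL is bound to a VLAN differ between ProCurve models and firmware releases, so treat the ACL section as a sketch to check against your switch's own command reference.

```text
; Added example, not from the thread. Assumed VLAN IDs, addresses and ports.
; ProCurve configuration files use ";" for comments.

; RADIUS server and EAP passthrough for 802.1X (assumed address and secret)
radius-server host 10.1.1.20 key "radius-shared-secret"
aaa authentication port-access eap-radius

; step 1: a dedicated unauthenticated VLAN with its own IP interface
vlan 200
   name "UNAUTH"
   ip address 10.200.0.1 255.255.255.0
   ; step 3: relay DHCP from the unauth VLAN to the DHCP server
   ip helper-address 10.1.1.10
   exit

; step 2: limit what an unauthenticated device can reach:
; DHCP, DNS to the assumed server, HTTP to the supplicant download server, nothing else
ip access-list extended "UNAUTH-IN"
   permit udp any any eq 67
   permit udp any host 10.1.1.10 eq 53
   permit tcp any host 10.1.1.30 eq 80
   deny ip any any
   exit
; binding syntax is model-dependent; this form is assumed
vlan 200 ip access-group "UNAUTH-IN" in

; step 4: run the authenticator in auto mode on the user ports and send
; clients that never authenticate to VLAN 200 instead of blocking them
aaa port-access authenticator 1-24
aaa port-access authenticator 1-24 control auto
aaa port-access authenticator 1-24 unauth-vid 200
aaa port-access authenticator active
```

With this in place a port behaves in the two ways the original question asked for: a supplicant that authenticates lands in whatever VLAN RADIUS returns (or in the port's static VLAN 100 if RADIUS returns none), while a device that never answers the switch's EAP requests is placed untagged in VLAN 200 and is confined by the ACL. A port has only one unauth-vid, so every non-authenticating device on that port, PC or phone, ends up in the same unauthenticated VLAN; that is the constraint that the rest of the thread runs into.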
BOUE Ludovic
Occasional Advisor

Re: 802.1X with Alcatel IP Phone

In fact I already use the unauth VLAN for computers, so I can't use it for my phone.

There must be a function to not authenticate phones.

What could LLDP-MED compliance do for that, if my phone were compliant?
Jeff Carrell
Honored Contributor

Re: 802.1X with Alcatel IP Phone

BOUE said:
In fact I already use the unauth VLAN for computers, so I can't use it for my phone.

There must be a function to not authenticate phones.

jeff said: none that i've seen...


BOUE said: What could LLDP-MED compliance do for that, if my phone were compliant?

jeff said: if you have LLDP-MED compliant phones, you can remove the phone ports for 802.1X control and instead put those ports into a "no use" vlan [ie, no ip addr on the vlan ,etc]...then when the phone connects, the switch will see that it is a phone (via LLDP-MED) and can assign that port to the "voice" vlan...however, the port in this case is no longer under 802.1X authentication control, and you have less security...

hth...jeff
BOUE Ludovic
Occasional Advisor

Re: 802.1X with Alcatel IP Phone

Are you sure? What happens if I plug a computer into the phone's Ethernet switch port?

I read in "How to use LLDP-MED with IP phones and ProCurve switches" :

More security: LLDP-MED runs after 802.1X, to prevent unauthenticated devices from gaining access to the network.

So we need to pass the authentication before LLDP-MED runs.