Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

802.1x question combined tagged/untagged port

Alen Ahja
Frequent Advisor

802.1x question combined tagged/untagged port

Hi!

We have several VoIP-Phones connected to our switches. They alle are in a VoIP Vlan which is tagged to the switch.
The Workstations are conected to the VOIP Phone and their VLAN is untagged on the Switch Port.

What will happen if I activate 802.1x on this switchport? Must the IP-Phone authenitcate or does only the Workstation do it?

I will only realize that the Workstation will be authenticated while 802.1x.

Thanx for helping.

Kind Regards.

Alen Ahja
4 REPLIES
cenk sasmaztin
Honored Contributor

Re: 802.1x question combined tagged/untagged port

hi Alen

two advice for you

1- go to unauthentication user dynamically assing voip vlan whit 802.1x config

for example config

vlan 1
name "DEFAULT_VLAN"
untagged 1-26
ip address 10.0.0.1 255.255.255.0
exit
vlan 3
name "voip"
ip address 192.168.1.1 255.255.255.0
exit
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
radius-server host 10.0.0.2 key procurve
aaa port-access authenticator 1-10
aaa port-access authenticator 1 unauth-vid 3
aaa port-access authenticator 2 unauth-vid 3
aaa port-access authenticator 3 unauth-vid 3
aaa port-access authenticator 4 unauth-vid 3
aaa port-access authenticator 5 unauth-vid 3
aaa port-access authenticator 6 unauth-vid 3
aaa port-access authenticator 7 unauth-vid 3
aaa port-access authenticator 8 unauth-vid 3
aaa port-access authenticator 9 unauth-vid 3
aaa port-access authenticator 10 unauth-vid 3
aaa port-access authenticator active
aaa port-access 1-10


this config all authentication user go to vlan 1 and all unauthentication users go to vlan 3 not need tag port all port waiting vlan 1 untag member

but this process very dancer because all malicious user go to dynamically voip vlan




2- connect ip phone voip vlan untag port
namely connect different switch port ip phone
cenk

Jeff Carrell
Honored Contributor

Re: 802.1x question combined tagged/untagged port

good questions...here's some info:

1) if you config a port for 802.1X, bascially each device/user (mac addr) should auth via 802.1X........however, lots of VoIP phones don't support 802.1X...

2) you can config the switch like you describe - tag the port in the voip vlan and untag wherever, but until the computer authenticates, the phone won't work - unless you do like cenk suggested with the unauth-vid......but like he said, you then open the port for attack on a vlan that doesn't require authentication, so i never recommend this option...

3) the next best option would be to chose phones that can do 802.1X...tag the port in the voip vlan, untag the port into a non-use vlan...when the phone auth's, 802.1X will open the port and the phone will work in tagged mode, and then when the computer/user auth's have the user vlan dynamically assigned via radius to the switch...

4) the best option of all, use a ProVision ASIC switch (3500/6200/5400/8212) and WindowsServer2008-NAP or freeRADIUS v2.x+ and then you can dynamically assign the vlan for voip -and- set it to tagged as well from radius (this is an enhancement to 802.1X called RFC-4675, that's why you need a newer asic switch and newer radius server)...and then when the computer/user auth's have the user vlan dynamically assigned via radius to the switch...

5) or like cenk said, put phone in 1 port and pc in another...

--------

btw, when you configure the switch to support 802.1X and you connect mulitple devices to a port (pc and phone), you need to add a parm to the config:

aaa port-access authenticator 19 client-limit 3

...client-limit = 1 for the pc, and 2 for the phone (if it starts in untag state then moves to tag after it gets its config)...this is not very well documented...but i now from experience...the default is set to client-limit 1...

hth...jeff
Alen Ahja
Frequent Advisor

Re: 802.1x question combined tagged/untagged port

Hi @ all,

thanx for the lot of informations.
I found now the infomrations that the IP Phones work as multisuplicant. But they can only authenticate with EAP-MD5.
All IP-Phones are connected to 2610-48-PWR Switches so we cannot take the Option with the newset ASIC and W2k8.
The way which Cenk has described is not accectable because it's not secure. Unauth access will go in the guest VLAN with additional authentication. So we need to try out the behavior of all components I think.


Alen
Jeff Carrell
Honored Contributor

Re: 802.1x question combined tagged/untagged port

in my travels, most VoIP phones that can do 802.1X cab only auth via EAP-MD5, altho some are starting to do EAP-PEAP...

even tho the phone can only do EAP-MD5, that is way better than putting their ports in an unauth vlan first...

my recommendation:
1) auth the phones with what they can do
2) tag the phone ports in the voip vlan
2) auth the computers with stronger encryption
3) create a "dead/non-use" vlan for the unauth state, and also untag all computer/phone ports into that vlan...that way no matter what connects, it must auth via 802.1X
4) control the access of the voip vlan (in & out) with acl's to restrict access only to what's needed

this is the way i do 802.1X with voip/data combo connections...

ps, don't forget the 'client-limit 3' config...

hth...jeff