802.1x for pc and MAB( MAC authentication bypass)  for phone: Full implementation plan

Posted on 2016-10-24
Medium Priority
Last Modified: 2016-10-31

NPS SERVER ----switch---phone( avaya) --pc
we need to implement 802.1x but phones does not authenticate we need them to bypass the authentication using MAB

we need phones should by pass the authentication but pc should be able to authentication using AD.
i am looking the config on the switch side and the config we have to do on the windows 2012 side to make it work

there are many article on this but nobody gives a clear and full implementation steps on windows side , configuring NPS server
i can do the Cisco side but windows is killing me...
Question by:mohannitin
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
LVL 42

Expert Comment

ID: 41858076
I use 802.1x for several different model Avaya phones. Works fine.

The phones know to use 802.1x via DHCP options. We first boot phones on a port that is force-authenticated so they can boot. After they get initial settings, move to a different switch port with dot1x timeout 300 so there is enough time to boot phone and enter the username and password. Finally move phone to a regular port where I set dot1x timeout to 5 seconds.

Avaya only allows numbers for their password as I recall, so we needed to setup fine grained password policy in AD 2008 or greater to allow password thatvwas not complex.

For authentication of domain joined PCs, I needed to setup an internal certificate authority,  and then distribute the root CA to all computers via GPO. Turning on 802.1x on PCs via another GPO.

I am on my phone now, so I can't post sample config.
LVL 42

Accepted Solution

kevinhsieh earned 2000 total points
ID: 41859625
Switch configuration for 802.1x
aaa new-model

aaa group server radius rad_eap
 server name DC1
 server name DC2

aaa authentication dot1x default group rad_eap

interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 26
 authentication control-direction in
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 mab eap
 dot1x pae authenticator
 dot1x timeout tx-period 5
 flowcontrol receive desired
 spanning-tree portfast

radius-server attribute 32 include-in-access-req format %h
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 1
radius-server key *
radius-server vsa send authentication
radius server DC1
 address ipv4 auth-port 1645 acct-port 1646
radius server DC2
 address ipv4 auth-port 1645 acct-port 1646

Open in new window

DHCP Options. Use the one that is required for your phone. These settings set the phone to use 802.1x, and to pass through authentication requests of any device connected through the phone. The phone will also notify the switch when the device disconnects from the phone.

Option 176

Option 242

Author Comment

ID: 41860786
Does the below information looks good ?  , Domain is showing as "DATA" ?

show authentication sessions interface gigabitEthernet 1/0/46

Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/46 001b.4f6f.0509 dot1x DATA Auth AC1E201400001131A48F54EA

Key to Session Events Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session (non-transient state)
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle Priority Name
    10 5 dot1x
    12 10 mab
    6 15 webauth
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.


Author Comment

ID: 41860801
we are using NPS server:
in NPS server we have a Network policy --which i am using to authenticate the phone
i have created a AD users with username and password as 1234 and 1234 respectively
i can see the NPS autheticating the switch and mac address of of the Avaya Phone

then it goes to DHCP to get the ip address of the CALL Manager using option 176 and option 242.

Question : does DHCP request comes from Data Vlan and then it checks the options (176 and 242), then goes to voice VLAN ?
where i need to setup the Scope Options ? for DATA or for Voice SCOPE?
LVL 42

Expert Comment

ID: 41860841
Personally, I set the DHCP options at the DHCP server level, and then all scopes inherit the settings. Any system that isn't a phone will ignore them. You definitely need the DHCP options on the voice VLAN, and considering that some phones use a DHCP option to know which vlan is the voice VLAN, they would need the DHCP options on the data vlan as well.
LVL 42

Expert Comment

ID: 41860843
If the phone authenticated on the DATA vlan, then it didn't switch to the voice vlan. When I do a "show auth" on my switches, phones show as having authenticated on VOICE, not DATA.

Author Closing Comment

ID: 41864186
thanks for all your help ...i have made it work
there are fre other setting which i had to do , i have prepared a doc with screen shots of nps server and config
which i will share , please look for the doc and let me know if i can improve it further

Author Comment

ID: 41864201
after a long struggle of 3 days i have made it work
Please find the document enclosed with screenshot to make the Avaya phone mab work with NPS server
LVL 42

Expert Comment

ID: 41864208
I don't see your document.

Author Comment

ID: 41866916
Please find the doc enclosed

Featured Post

Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question