802.1x for pc and MAB( MAC authentication bypass)  for phone: Full implementation plan

Posted on 2016-10-24
Medium Priority
Last Modified: 2016-10-31

NPS SERVER ----switch---phone( avaya) --pc
we need to implement 802.1x but phones does not authenticate we need them to bypass the authentication using MAB

we need phones should by pass the authentication but pc should be able to authentication using AD.
i am looking the config on the switch side and the config we have to do on the windows 2012 side to make it work

there are many article on this but nobody gives a clear and full implementation steps on windows side , configuring NPS server
i can do the Cisco side but windows is killing me...
Question by:mohannitin
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
LVL 42

Expert Comment

ID: 41858076
I use 802.1x for several different model Avaya phones. Works fine.

The phones know to use 802.1x via DHCP options. We first boot phones on a port that is force-authenticated so they can boot. After they get initial settings, move to a different switch port with dot1x timeout 300 so there is enough time to boot phone and enter the username and password. Finally move phone to a regular port where I set dot1x timeout to 5 seconds.

Avaya only allows numbers for their password as I recall, so we needed to setup fine grained password policy in AD 2008 or greater to allow password thatvwas not complex.

For authentication of domain joined PCs, I needed to setup an internal certificate authority,  and then distribute the root CA to all computers via GPO. Turning on 802.1x on PCs via another GPO.

I am on my phone now, so I can't post sample config.
LVL 42

Accepted Solution

kevinhsieh earned 2000 total points
ID: 41859625
Switch configuration for 802.1x
aaa new-model

aaa group server radius rad_eap
 server name DC1
 server name DC2

aaa authentication dot1x default group rad_eap

interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 26
 authentication control-direction in
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 mab eap
 dot1x pae authenticator
 dot1x timeout tx-period 5
 flowcontrol receive desired
 spanning-tree portfast

radius-server attribute 32 include-in-access-req format %h
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 1
radius-server key *
radius-server vsa send authentication
radius server DC1
 address ipv4 auth-port 1645 acct-port 1646
radius server DC2
 address ipv4 auth-port 1645 acct-port 1646

Open in new window

DHCP Options. Use the one that is required for your phone. These settings set the phone to use 802.1x, and to pass through authentication requests of any device connected through the phone. The phone will also notify the switch when the device disconnects from the phone.

Option 176

Option 242

Author Comment

ID: 41860786
Does the below information looks good ?  , Domain is showing as "DATA" ?

show authentication sessions interface gigabitEthernet 1/0/46

Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/46 001b.4f6f.0509 dot1x DATA Auth AC1E201400001131A48F54EA

Key to Session Events Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session (non-transient state)
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle Priority Name
    10 5 dot1x
    12 10 mab
    6 15 webauth
Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more


Author Comment

ID: 41860801
we are using NPS server:
in NPS server we have a Network policy --which i am using to authenticate the phone
i have created a AD users with username and password as 1234 and 1234 respectively
i can see the NPS autheticating the switch and mac address of of the Avaya Phone

then it goes to DHCP to get the ip address of the CALL Manager using option 176 and option 242.

Question : does DHCP request comes from Data Vlan and then it checks the options (176 and 242), then goes to voice VLAN ?
where i need to setup the Scope Options ? for DATA or for Voice SCOPE?
LVL 42

Expert Comment

ID: 41860841
Personally, I set the DHCP options at the DHCP server level, and then all scopes inherit the settings. Any system that isn't a phone will ignore them. You definitely need the DHCP options on the voice VLAN, and considering that some phones use a DHCP option to know which vlan is the voice VLAN, they would need the DHCP options on the data vlan as well.
LVL 42

Expert Comment

ID: 41860843
If the phone authenticated on the DATA vlan, then it didn't switch to the voice vlan. When I do a "show auth" on my switches, phones show as having authenticated on VOICE, not DATA.

Author Closing Comment

ID: 41864186
thanks for all your help ...i have made it work
there are fre other setting which i had to do , i have prepared a doc with screen shots of nps server and config
which i will share , please look for the doc and let me know if i can improve it further

Author Comment

ID: 41864201
after a long struggle of 3 days i have made it work
Please find the document enclosed with screenshot to make the Avaya phone mab work with NPS server
LVL 42

Expert Comment

ID: 41864208
I don't see your document.

Author Comment

ID: 41866916
Please find the doc enclosed

Featured Post

Want to be a Web Developer? Get Certified Today!

Enroll in the Certified Web Development Professional course package to learn HTML, Javascript, and PHP. Build a solid foundation to work toward your dream job!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question