Solved

802.1x for pc and MAB( MAC authentication bypass)  for phone: Full implementation plan

Posted on 2016-10-24
10
56 Views
Last Modified: 2016-10-31
Hi

NPS SERVER ----switch---phone( avaya) --pc
we need to implement 802.1x but phones does not authenticate we need them to bypass the authentication using MAB

we need phones should by pass the authentication but pc should be able to authentication using AD.
i am looking the config on the switch side and the config we have to do on the windows 2012 side to make it work

there are many article on this but nobody gives a clear and full implementation steps on windows side , configuring NPS server
i can do the Cisco side but windows is killing me...
0
Comment
Question by:mohannitin
  • 5
  • 5
10 Comments
 
LVL 42

Expert Comment

by:kevinhsieh
Comment Utility
I use 802.1x for several different model Avaya phones. Works fine.

The phones know to use 802.1x via DHCP options. We first boot phones on a port that is force-authenticated so they can boot. After they get initial settings, move to a different switch port with dot1x timeout 300 so there is enough time to boot phone and enter the username and password. Finally move phone to a regular port where I set dot1x timeout to 5 seconds.

Avaya only allows numbers for their password as I recall, so we needed to setup fine grained password policy in AD 2008 or greater to allow password thatvwas not complex.

For authentication of domain joined PCs, I needed to setup an internal certificate authority,  and then distribute the root CA to all computers via GPO. Turning on 802.1x on PCs via another GPO.

I am on my phone now, so I can't post sample config.
0
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 500 total points
Comment Utility
Switch configuration for 802.1x
aaa new-model

aaa group server radius rad_eap
 server name DC1
 server name DC2

!
aaa authentication dot1x default group rad_eap

interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 26
 authentication control-direction in
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 mab eap
 dot1x pae authenticator
 dot1x timeout tx-period 5
 flowcontrol receive desired
 spanning-tree portfast


radius-server attribute 32 include-in-access-req format %h
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 1
radius-server key *
radius-server vsa send authentication
!
radius server DC1
 address ipv4 10.100.4.100 auth-port 1645 acct-port 1646
!
radius server DC2
 address ipv4 10.101.4.100 auth-port 1645 acct-port 1646

Open in new window


DHCP Options. Use the one that is required for your phone. These settings set the phone to use 802.1x, and to pass through authentication requests of any device connected through the phone. The phone will also notify the switch when the device disconnects from the phone.

Option 176
MCIPADD=10.10.10.10,MCPORT=1719,HTTPSRVR=10.10.10.20,DOT1X=1,DOT1XSTAT=1,L2Q=1,L2QVLAN=20


Option 242
MCIPADD=10.10.10.10,MCPORT=1719,HTTPSRVR=10.10.10.20,DOT1X=1,DOT1XSTAT=1
0
 

Author Comment

by:mohannitin
Comment Utility
Does the below information looks good ?  , Domain is showing as "DATA" ?

show authentication sessions interface gigabitEthernet 1/0/46

Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi1/0/46 001b.4f6f.0509 dot1x DATA Auth AC1E201400001131A48F54EA


Key to Session Events Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session (non-transient state)
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle Priority Name
    10 5 dot1x
    12 10 mab
    6 15 webauth
0
 

Author Comment

by:mohannitin
Comment Utility
we are using NPS server:
in NPS server we have a Network policy --which i am using to authenticate the phone
i have created a AD users with username and password as 1234 and 1234 respectively
i can see the NPS autheticating the switch and mac address of of the Avaya Phone

then it goes to DHCP to get the ip address of the CALL Manager using option 176 and option 242.

Question : does DHCP request comes from Data Vlan and then it checks the options (176 and 242), then goes to voice VLAN ?
where i need to setup the Scope Options ? for DATA or for Voice SCOPE?
0
 
LVL 42

Expert Comment

by:kevinhsieh
Comment Utility
Personally, I set the DHCP options at the DHCP server level, and then all scopes inherit the settings. Any system that isn't a phone will ignore them. You definitely need the DHCP options on the voice VLAN, and considering that some phones use a DHCP option to know which vlan is the voice VLAN, they would need the DHCP options on the data vlan as well.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 42

Expert Comment

by:kevinhsieh
Comment Utility
If the phone authenticated on the DATA vlan, then it didn't switch to the voice vlan. When I do a "show auth" on my switches, phones show as having authenticated on VOICE, not DATA.
0
 

Author Closing Comment

by:mohannitin
Comment Utility
thanks for all your help ...i have made it work
there are fre other setting which i had to do , i have prepared a doc with screen shots of nps server and config
which i will share , please look for the doc and let me know if i can improve it further
0
 

Author Comment

by:mohannitin
Comment Utility
after a long struggle of 3 days i have made it work
Please find the document enclosed with screenshot to make the Avaya phone mab work with NPS server
0
 
LVL 42

Expert Comment

by:kevinhsieh
Comment Utility
I don't see your document.
0
 

Author Comment

by:mohannitin
Comment Utility
Please find the doc enclosed
mab-avayaphone-and-cisco-3650.docx
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

What is IRC? IRC (Internet Relay Chat) is a form of communication between multiple users. It is available freely to anyone with inernet access. IRC is a great way to communicate with others e.g. There is an IRC channel for Ubuntu Linux, which is fo…
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now