Solved

802.1x for pc and MAB( MAC authentication bypass)  for phone: Full implementation plan

Posted on 2016-10-24
10
287 Views
Last Modified: 2016-10-31
Hi

NPS SERVER ----switch---phone( avaya) --pc
we need to implement 802.1x but phones does not authenticate we need them to bypass the authentication using MAB

we need phones should by pass the authentication but pc should be able to authentication using AD.
i am looking the config on the switch side and the config we have to do on the windows 2012 side to make it work

there are many article on this but nobody gives a clear and full implementation steps on windows side , configuring NPS server
i can do the Cisco side but windows is killing me...
0
Comment
Question by:mohannitin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41858076
I use 802.1x for several different model Avaya phones. Works fine.

The phones know to use 802.1x via DHCP options. We first boot phones on a port that is force-authenticated so they can boot. After they get initial settings, move to a different switch port with dot1x timeout 300 so there is enough time to boot phone and enter the username and password. Finally move phone to a regular port where I set dot1x timeout to 5 seconds.

Avaya only allows numbers for their password as I recall, so we needed to setup fine grained password policy in AD 2008 or greater to allow password thatvwas not complex.

For authentication of domain joined PCs, I needed to setup an internal certificate authority,  and then distribute the root CA to all computers via GPO. Turning on 802.1x on PCs via another GPO.

I am on my phone now, so I can't post sample config.
0
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 500 total points
ID: 41859625
Switch configuration for 802.1x
aaa new-model

aaa group server radius rad_eap
 server name DC1
 server name DC2

!
aaa authentication dot1x default group rad_eap

interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 26
 authentication control-direction in
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 mab eap
 dot1x pae authenticator
 dot1x timeout tx-period 5
 flowcontrol receive desired
 spanning-tree portfast


radius-server attribute 32 include-in-access-req format %h
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 1
radius-server key *
radius-server vsa send authentication
!
radius server DC1
 address ipv4 10.100.4.100 auth-port 1645 acct-port 1646
!
radius server DC2
 address ipv4 10.101.4.100 auth-port 1645 acct-port 1646

Open in new window


DHCP Options. Use the one that is required for your phone. These settings set the phone to use 802.1x, and to pass through authentication requests of any device connected through the phone. The phone will also notify the switch when the device disconnects from the phone.

Option 176
MCIPADD=10.10.10.10,MCPORT=1719,HTTPSRVR=10.10.10.20,DOT1X=1,DOT1XSTAT=1,L2Q=1,L2QVLAN=20


Option 242
MCIPADD=10.10.10.10,MCPORT=1719,HTTPSRVR=10.10.10.20,DOT1X=1,DOT1XSTAT=1
0
 

Author Comment

by:mohannitin
ID: 41860786
Does the below information looks good ?  , Domain is showing as "DATA" ?

show authentication sessions interface gigabitEthernet 1/0/46

Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi1/0/46 001b.4f6f.0509 dot1x DATA Auth AC1E201400001131A48F54EA


Key to Session Events Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session (non-transient state)
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle Priority Name
    10 5 dot1x
    12 10 mab
    6 15 webauth
0
Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

 

Author Comment

by:mohannitin
ID: 41860801
we are using NPS server:
in NPS server we have a Network policy --which i am using to authenticate the phone
i have created a AD users with username and password as 1234 and 1234 respectively
i can see the NPS autheticating the switch and mac address of of the Avaya Phone

then it goes to DHCP to get the ip address of the CALL Manager using option 176 and option 242.

Question : does DHCP request comes from Data Vlan and then it checks the options (176 and 242), then goes to voice VLAN ?
where i need to setup the Scope Options ? for DATA or for Voice SCOPE?
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41860841
Personally, I set the DHCP options at the DHCP server level, and then all scopes inherit the settings. Any system that isn't a phone will ignore them. You definitely need the DHCP options on the voice VLAN, and considering that some phones use a DHCP option to know which vlan is the voice VLAN, they would need the DHCP options on the data vlan as well.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41860843
If the phone authenticated on the DATA vlan, then it didn't switch to the voice vlan. When I do a "show auth" on my switches, phones show as having authenticated on VOICE, not DATA.
0
 

Author Closing Comment

by:mohannitin
ID: 41864186
thanks for all your help ...i have made it work
there are fre other setting which i had to do , i have prepared a doc with screen shots of nps server and config
which i will share , please look for the doc and let me know if i can improve it further
0
 

Author Comment

by:mohannitin
ID: 41864201
after a long struggle of 3 days i have made it work
Please find the document enclosed with screenshot to make the Avaya phone mab work with NPS server
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41864208
I don't see your document.
0
 

Author Comment

by:mohannitin
ID: 41866916
Please find the doc enclosed
mab-avayaphone-and-cisco-3650.docx
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question