Solved

802.1x for pc and MAB( MAC authentication bypass)  for phone: Full implementation plan

Posted on 2016-10-24
Last Modified: 2016-10-31
Hi

NPS server ---- switch --- phone (Avaya) --- PC
We need to implement 802.1x, but the phones do not authenticate; we need them to bypass the authentication using MAB.

We need the phones to bypass the authentication, but the PCs should be able to authenticate using AD.
I am looking for the config on the switch side and the config we have to do on the Windows 2012 side to make it work.

There are many articles on this, but nobody gives clear and full implementation steps on the Windows side, configuring the NPS server.
I can do the Cisco side, but Windows is killing me...
0
Question by: mohannitin
10 Comments
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41858076
I use 802.1x for several different model Avaya phones. Works fine.

The phones know to use 802.1x via DHCP options. We first boot phones on a port that is force-authenticated so they can boot. After they get initial settings, move to a different switch port with dot1x timeout 300 so there is enough time to boot phone and enter the username and password. Finally move phone to a regular port where I set dot1x timeout to 5 seconds.

Avaya only allows numbers for their password as I recall, so we needed to set up a fine-grained password policy in AD 2008 or greater to allow a password that was not complex.

For authentication of domain-joined PCs, I needed to set up an internal certificate authority, and then distribute the root CA to all computers via GPO. Turning on 802.1x on PCs via another GPO.

I am on my phone now, so I can't post sample config.
0
 
LVL 42

Accepted Solution

by: kevinhsieh (earned 500 total points)
ID: 41859625
Switch configuration for 802.1x
aaa new-model
! added here, not in the original paste: global 802.1X must be enabled or the
! per-interface dot1x commands have no effect
dot1x system-auth-control

aaa group server radius rad_eap
 server name DC1
 server name DC2

!
aaa authentication dot1x default group rad_eap
! added here, not in the original paste: without network authorization the switch
! ignores RADIUS-returned attributes such as the VLAN or device-traffic-class=voice
aaa authorization network default group rad_eap

interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 26
 authentication control-direction in
 ! devices that fail or never answer land on VLAN 99; keep that VLAN isolated
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 ! multi-domain: one data device (PC) plus one voice device (phone) per port
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 ! 'mab eap' does MAB over EAP-MD5; plain 'mab' sends PAP (MAC as user name and password)
 mab eap
 dot1x pae authenticator
 ! short EAP retry so a phone that ignores EAPOL falls through to MAB quickly
 dot1x timeout tx-period 5
 flowcontrol receive desired
 spanning-tree portfast


radius-server attribute 32 include-in-access-req format %h
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 1
radius-server key *
radius-server vsa send authentication
!
radius server DC1
 address ipv4 10.100.4.100 auth-port 1645 acct-port 1646
!
radius server DC2
 address ipv4 10.101.4.100 auth-port 1645 acct-port 1646


DHCP Options. Use the one that is required for your phone. These settings set the phone to use 802.1x, and to pass through authentication requests of any device connected through the phone. The phone will also notify the switch when the device disconnects from the phone.

Option 176
MCIPADD=10.10.10.10,MCPORT=1719,HTTPSRVR=10.10.10.20,DOT1X=1,DOT1XSTAT=1,L2Q=1,L2QVLAN=20


Option 242
MCIPADD=10.10.10.10,MCPORT=1719,HTTPSRVR=10.10.10.20,DOT1X=1,DOT1XSTAT=1
0
 

Author Comment

by:mohannitin
ID: 41860786
Does the below information look good? The Domain is showing as "DATA".

show authentication sessions interface gigabitEthernet 1/0/46

Interface  MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi1/0/46   001b.4f6f.0509  dot1x   DATA    Auth        AC1E201400001131A48F54EA


Key to Session Events Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session (non-transient state)
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle Priority Name
    10 5 dot1x
    12 10 mab
    6 15 webauth
0
 

Author Comment

by:mohannitin
ID: 41860801
We are using an NPS server:
In the NPS server we have a network policy, which I am using to authenticate the phone.
I have created an AD user with username and password 1234 and 1234 respectively.
I can see NPS authenticating the switch and the MAC address of the Avaya phone.

Then it goes to DHCP to get the IP address of the Call Manager using option 176 and option 242.

Question: does the DHCP request come from the data VLAN, and then it checks the options (176 and 242), then goes to the voice VLAN?
Where do I need to set up the scope options? For the data or for the voice scope?
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41860841
Personally, I set the DHCP options at the DHCP server level, and then all scopes inherit the settings. Any system that isn't a phone will ignore them. You definitely need the DHCP options on the voice VLAN, and considering that some phones use a DHCP option to know which vlan is the voice VLAN, they would need the DHCP options on the data vlan as well.
0
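The Windows side that the question asks for and that the thread never spells out, as an added example: this is not code from the thread or from the asker's document. It follows the approach the comments above describe (a fine-grained password policy so non-complex passwords are allowed, one AD account per phone, RADIUS clients for the switches, and the Avaya DHCP options set at server level so every scope inherits them). Everything it names is assumed: the domain corp.example, the OU and group, the policy name, the switch names and addresses, the shared secret, and that the switches send the MAC in Cisco's default MAB format (12 lowercase hex digits, no separators, adjustable with `mab request format attribute 1`). It assumes plain `mab` (PAP) on the switch; the only MAC in it is the one from the thread's own output.

```powershell
# Added example, not from the thread: Windows Server 2012 R2 side of 802.1X + MAB
# with NPS, run on the server that holds NPS and DHCP with RSAT-AD-PowerShell.
# All names, addresses and secrets below are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module NPS
Import-Module DhcpServer

$Domain       = 'corp.example'                          # assumed
$MabOu        = 'OU=MAB Devices,DC=corp,DC=example'     # assumed; must already exist
$MabGroup     = 'MAB-Phones'                            # assumed global security group
$PsoName      = 'MAB-Devices'                           # assumed policy name
$SharedSecret = 'replace-with-a-long-random-secret'     # assumed; use one per switch
$Switches     = @{ 'sw-floor1' = '10.100.1.1'; 'sw-floor2' = '10.100.1.2' }  # assumed
$PhoneMacs    = @('001b.4f6f.0509')                     # MAC from the thread's output

# 1. Fine-grained password policy. MAB accounts use the MAC as their password, which
#    fails the default complexity rule. No lockout: every MAB request carries the same
#    password, so a lockout could only be triggered deliberately to knock a phone off.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -ComplexityEnabled $false -MinPasswordLength 12 -PasswordHistoryCount 0 `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge '0.00:00:00' -MaxPasswordAge '365.00:00:00' `
        -LockoutThreshold 0 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00'
}

# 2. A global security group carries the policy (FGPPs apply to users and global
#    groups, never to OUs) and is the condition the NPS network policy matches on.
if (-not (Get-ADGroup -Filter "Name -eq '$MabGroup'")) {
    New-ADGroup -Name $MabGroup -GroupScope Global -GroupCategory Security -Path $MabOu
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $MabGroup

# 3. One account per phone. Cisco's default MAB user name is the MAC as 12 lowercase
#    hex digits, sent as both User-Name and User-Password. Order matters: the user
#    must be in the group before the password is set, or the default domain policy
#    (complexity on, password may not contain the account name) rejects it.
function ConvertTo-MabUserName([string]$Mac) {
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "not a MAC address: $Mac" }
    $hex
}
foreach ($mac in $PhoneMacs) {
    $u = ConvertTo-MabUserName $mac
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$u'")) {
        New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@$Domain" `
            -Path $MabOu -Description "MAB: Avaya phone $mac" -Enabled $false
    }
    Add-ADGroupMember -Identity $MabGroup -Members $u
    Set-ADAccountPassword -Identity $u -Reset `
        -NewPassword (ConvertTo-SecureString $u -AsPlainText -Force)
    # PasswordNeverExpires overrides the policy's MaxPasswordAge for these accounts
    Set-ADUser -Identity $u -PasswordNeverExpires $true -CannotChangePassword $true
    Enable-ADAccount -Identity $u
}

# 4. RADIUS clients: one entry per switch so the shared secret is never reused.
foreach ($name in $Switches.Keys) {
    if (-not (Get-NpsRadiusClient -Name $name -ErrorAction SilentlyContinue)) {
        New-NpsRadiusClient -Name $name -Address $Switches[$name] -SharedSecret $SharedSecret
    }
}

# 5. Avaya DHCP options (values from the accepted answer), defined once and set at
#    server level so the data and voice scopes both inherit them; non-phones ignore them.
$opts = @{
    176 = 'MCIPADD=10.10.10.10,MCPORT=1719,HTTPSRVR=10.10.10.20,DOT1X=1,DOT1XSTAT=1,L2Q=1,L2QVLAN=20'
    242 = 'MCIPADD=10.10.10.10,MCPORT=1719,HTTPSRVR=10.10.10.20,DOT1X=1,DOT1XSTAT=1'
}
foreach ($id in $opts.Keys) {
    if (-not (Get-DhcpServerv4OptionDefinition -OptionId $id -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4OptionDefinition -OptionId $id -Name "Avaya-$id" -Type String
    }
    Set-DhcpServerv4OptionValue -OptionId $id -Value $opts[$id]
}
```

The NPS network policy itself has no cmdlet, so build it in the NPS console (or import one captured with `Export-NpsConfiguration` from a reference server): conditions Windows Groups = CORP\MAB-Phones and NAS Port Type = Ethernet; constraints limited to "Unencrypted authentication (PAP, SPAP)" for plain `mab`; and in Settings a Vendor Specific attribute, Cisco-AV-Pair, with the value device-traffic-class=voice, which is what makes the switch put the phone in the VOICE domain rather than DATA (the switch only honours it with `aaa authorization network` configured). Two caveats a practitioner should keep in mind: `mab eap` on the switch means EAP-MD5, which NPS on Server 2008 and later does not offer by default, and MAB is a bypass, not authentication, so anyone who clones a phone's MAC gets the voice VLAN; keep those accounts in their own OU and group with no rights beyond this policy.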
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41860843
If the phone authenticated on the DATA vlan, then it didn't switch to the voice vlan. When I do a "show auth" on my switches, phones show as having authenticated on VOICE, not DATA.
0
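A check for exactly the situation in this comment, as an added example that is not part of the thread: it parses `show authentication sessions` output from a Cisco IOS switch and flags phones that landed in the DATA domain instead of VOICE, plus any MAB-authorized MAC that is not a phone at all. The only OUI it knows is the one in the thread's own output (00:1b:4f, assumed to be the Avaya phone range); the sample text is constructed from the thread's line plus two invented rows.

```powershell
# Added example, not from the thread: audit 'show authentication sessions' output.
# Assumption: $PhoneOuis lists the OUIs of your phones; only the one from the
# thread's own output is included here.
$PhoneOuis = @('001b4f')

function ConvertFrom-AuthSessions {
    param([Parameter(Mandatory)][string]$Text)
    # One row per session; the Fg column is optional, the session ID is upper-case hex.
    $pattern = '^(?<if>\S+)\s+(?<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+' +
               '(?<method>\S+)\s+(?<domain>\S+)\s+(?<status>\S+)\s+' +
               '(?:(?<fg>[A-Z]+)\s+)?(?<sid>[0-9A-F]+)\s*$'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Interface = $Matches['if']
                Mac       = ($Matches['mac'] -replace '\.', '')   # 001b4f6f0509 form
                Method    = $Matches['method'].ToLower()
                Domain    = $Matches['domain'].ToUpper()
                Status    = $Matches['status']
                Flags     = [string]$Matches['fg']
                SessionId = $Matches['sid']
            }
        }
    }
}

function Test-PhoneSessions {
    param([Parameter(Mandatory)][object[]]$Sessions)
    foreach ($s in $Sessions) {
        $isPhone = $PhoneOuis -contains $s.Mac.Substring(0, 6)
        if ($isPhone -and $s.Domain -ne 'VOICE') {
            # The thread's case: phone authenticated, but into DATA, so no voice VLAN.
            [pscustomobject]@{ Interface = $s.Interface; Mac = $s.Mac; Method = $s.Method
                Finding = 'phone in ' + $s.Domain + ' domain, not VOICE: RADIUS policy is not returning device-traffic-class=voice' }
        } elseif (-not $isPhone -and $s.Method -eq 'mab' -and $s.Status -eq 'Auth') {
            # MAB trusts the MAC only; a non-phone MAC admitted via MAB needs a look.
            [pscustomobject]@{ Interface = $s.Interface; Mac = $s.Mac; Method = $s.Method
                Finding = 'MAB-authorized MAC outside the phone OUI list' }
        }
    }
}

# Constructed sample: first row is the thread's output, the other two are invented.
$sample = @"
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi1/0/46   001b.4f6f.0509  dot1x   DATA    Auth        AC1E201400001131A48F54EA
Gi1/0/47   001b.4f00.1122  mab     VOICE   Auth        AC1E201400001132A48F55F0
Gi1/0/48   0011.2233.4455  mab     DATA    Auth    A   AC1E201400001133A48F5601
"@

$sessions = ConvertFrom-AuthSessions -Text $sample
Test-PhoneSessions -Sessions $sessions | Format-Table -AutoSize
```

Against the sample this reports Gi1/0/46 (the thread's phone, in DATA) and Gi1/0/48 (an unknown MAC let in by MAB), and stays silent on Gi1/0/47, where a phone sits in VOICE as it should. Feed it the output of the same command run against a whole switch or stack rather than one interface to sweep every port at once.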
 

Author Closing Comment

by:mohannitin
ID: 41864186
Thanks for all your help... I have made it work.
There are a few other settings which I had to do; I have prepared a doc with screenshots of the NPS server and config,
which I will share. Please look for the doc and let me know if I can improve it further.
0
 

Author Comment

by:mohannitin
ID: 41864201
After a long struggle of 3 days I have made it work.
Please find the document enclosed with screenshots to make the Avaya phone MAB work with the NPS server.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41864208
I don't see your document.
0
 

Author Comment

by:mohannitin
ID: 41866916
Please find the doc enclosed
mab-avayaphone-and-cisco-3650.docx
0
