fat cat

asked on

VoIP device authenticating via MAB and PC authenticating via dot1x

Hi,
I would like to understand this process a bit more and the authentication flow.  Using ClearPass (similar to ISE) as a RADIUS server.

PC authenticates successfully via dot1x (EAP-TLS) when plugged into the jack. However, when plugged in via the VoIP phone, it fails. Discovered that the PC is not able to auth via MAB because the MAC is not in the MAC address table. Once I added the MAC to the MAC address table, the PC successfully authenticates via dot1x and MAB.

What is the relation to VoIP here? If the PC can auth successfully via dot1x (EAP-TLS) on its own, what triggers the PC to roll over to MAB and fail?
noci

If a VOIP phone is inserted into the switch then there is dot1x between Phone & Switch.
When the PC is inserted into the Phone there is dot1x between the phone and the PC...
(IF the phone does do dot1x and is configured for it at all....).

One cannot use dot1x enabled on a device upstream of the edge switch to do the dot1x.
(When dot1x is communicated between the edge device and the connected endpoint, the endpoint is actually NOT connected to the network at all.)
It is the edge switch that handles all network communication between itself and the RADIUS server, and it receives the intended configuration for the network setup from the RADIUS server after authentication is successful.
During the authentication phase the connected endpoint device and the edge switch are talking in private.
(i.e. there is NO communication between RADIUS and the connected (here PC) device directly).
The switch needs to be configured to allow multiple 802.1x authentications on the physical port. That is not the default Cisco configuration. Some Cisco switches only allow a single 802.1x on the data access VLAN, and one more on the voice VLAN. Other switches allow multiple 802.1x devices on the data VLAN, which would come into play if there was an unmanaged switch or VM host, for example.

In addition to correct switch configuration, the IP phone also needs proper configuration to allow 802.1x passthrough to the upstream switch, and behavior on how to tell the switch that the connected device is no longer connected and should be deauthenticated.
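The flow described above (802.1X tried first, fallback to MAB, and the phone either relaying or not relaying the PC's EAPOL frames upstream), as an added Python model that is not part of this thread and not any vendor's code; the MAC addresses, the RadiusServer stand-in for ClearPass and the fallback policy are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    mac: str
    supports_dot1x: bool             # runs a supplicant (the PC does EAP-TLS)
    eapol_passthrough: bool = False  # for a phone: relays the PC's EAPOL frames upstream

@dataclass
class RadiusServer:
    """Stand-in for ClearPass/ISE: a MAC-auth database plus EAP-TLS validation."""
    mab_db: set = field(default_factory=set)
    valid_cert_macs: set = field(default_factory=set)  # endpoints holding a valid cert

    def eap_tls(self, mac): return mac in self.valid_cert_macs
    def mab(self, mac): return mac in self.mab_db

def authenticate_session(radius, ep, eapol_reaches_switch):
    """One session on the port, order dot1x then mab with fallback on
    no-response or failure. Returns (methods tried, final result)."""
    tried = []
    if eapol_reaches_switch and ep.supports_dot1x:
        tried.append("dot1x")
        if radius.eap_tls(ep.mac):
            return tried, "authorized"
    # Switch never saw EAPOL (dot1x timed out) or EAP-TLS was rejected: try MAB.
    tried.append("mab")
    return tried, "authorized" if radius.mab(ep.mac) else "rejected"

def port_flow(radius, pc, phone=None):
    """Authenticate each device on the port independently (multi-domain /
    multi-auth). The PC's EAPOL reaches the switch only when the PC is
    connected directly or when the phone relays it."""
    sessions = {}
    if phone is not None:
        sessions[phone.mac] = authenticate_session(radius, phone, eapol_reaches_switch=True)
    reaches = phone is None or phone.eapol_passthrough
    sessions[pc.mac] = authenticate_session(radius, pc, eapol_reaches_switch=reaches)
    return sessions

# Constructed sample values: a PC with a valid EAP-TLS cert, a phone known only to the MAB database.
PC_MAC, PHONE_MAC = "00:11:22:aa:bb:01", "00:11:22:aa:bb:02"
PC = Endpoint(PC_MAC, supports_dot1x=True)
PHONE_NO_PASSTHROUGH = Endpoint(PHONE_MAC, supports_dot1x=True)  # tries dot1x, fails over to MAB
PHONE_PASSTHROUGH = Endpoint(PHONE_MAC, supports_dot1x=True, eapol_passthrough=True)

if __name__ == "__main__":
    radius = RadiusServer(mab_db={PHONE_MAC}, valid_cert_macs={PC_MAC})
    print(port_flow(radius, PC))                        # PC on the jack: dot1x, authorized
    print(port_flow(radius, PC, PHONE_NO_PASSTHROUGH))  # PC behind phone: mab, rejected
    radius.mab_db.add(PC_MAC)                           # the asker's workaround
    print(port_flow(radius, PC, PHONE_NO_PASSTHROUGH))  # PC behind phone: mab, authorized
```

Running it reproduces the three observations in the question; the last call with PHONE_PASSTHROUGH shows the PC keeping EAP-TLS behind the phone once the phone relays EAPOL.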
fat cat

ASKER

Thank you for the comments @noci and @kevinhsieh.  Really appreciate it....

@kevinhsieh @noci

So I guess I was looking for more of what happens with the authentication flow.

-Switch is configured for multi-auth
-PC is configured to do dot1x EAP-TLS (machine/user certs)
-Phone is configured to do MAB (phone attempts dot1x but will fail over to MAB; that is the setup we want)

So, I noticed that the PC MAC was not in the MAC auth DB, so it would fail MAB.
--So basically, when the PC was connected to the port/jack, it was successfully authenticating via EAP-TLS (what we want it to do),
--but when we plugged it into the phone, it would try MAB and fail. So when I added the PC MAC to the MAC auth DB, it would successfully auth via the phone.

So my question was to understand what happens with the flow here.
-e.g., if the PC is able to do EAP-TLS directly connected to the port, why does it fail when it is behind the phone?
--does the phone re-trigger an auth?
--the phone is meant to fail dot1x and fail over to MAB; does this also make the PC do the same?
--if it is a multi-auth domain, shouldn't each device act independently when trying to authenticate?
--How does VoIP affect the PC's authentication?


Thanks guys, really appreciate the response.
ASKER CERTIFIED SOLUTION
noci
SOLUTION
fat cat

ASKER

Thank you both for your help. Still a bit unclear, but it definitely helped me understand it better.