Cisco Voice VLAN with 802.1X Authentication
I'm not sure it's the best answer to the question of how to make this work, but in the absence of a better answer, I figured out a way to make it work myself.
Basically, I went with the idea that if you are using what is essentially dynamic VLAN assignment (even though it's termed a voice feature), you have to use it for both the VOICE and DATA domains to get the result I was looking for.
I changed the access VLAN to a VLAN that doesn't route outside the switch, so in my case switchport access vlan 504
I then modified the policy on our NPS server to pass a VLAN assignment to computers when they authenticate.
This has the effect of putting phones or any device MAC spoofing as one without a VLAN configured being put into what is essentially a blackhole network so they can't access anything - but if configured with the correct VLAN ID, they can access the more locked down voice network.
But if a computer is attached and authenticated either directly or via the switch on the phone in the DATA domain, the switch changes the access or native VLAN to our internal network as instructed by the NPS server.
This is the result I was looking for - it just meant having to change the config on other switches that make use of the policy server in a more basic form which I was trying to avoid.
Related videos on Youtube
iamacarpet
Updated on September 18, 2022Comments
-
iamacarpet almost 2 years
I've got a Cisco Catalyst 2960 that I'm trying to configure for a remote office with 802.1X wired authentication.
The setup I'm going for is
Switch -> VoIP Phone via Internal Switch -> PC/Laptop (Domain Joined Win 7/8).
Our authentication server is NPS on Windows Server 2008 R2.
We are using Snom 300 handsets which do support 802.1X but it's not really feasible for us to configure it on all the handsets, so I've configured the switch to use MAB (MAC Authentication Bypass) for the phones.
This for the most part is working brilliantly, the handsets get authenticated and put into the VOICE domain and the VLAN policy is displaying 501, which is our voice VLAN.
But, the phones can still fully access the data VLAN - what am I doing wrong?
Here is the 802.1x session into for that connected port:
int-remote-sw-1#show auth sessions int Fa0/9 Interface: FastEthernet0/9 MAC Address: 0004.133d.69cc IP Address: Unknown User-Name: 0004133d69cc Status: Authz Success Domain: VOICE Oper host mode: multi-domain Oper control dir: both Authorized By: Authentication Server Vlan Policy: 501 Session timeout: 600s (local), Remaining: 409s Timeout action: Reauthenticate Idle timeout: N/A Common Session ID: 0A9402F50000005F094C7DC3 Acct Session ID: 0x0000007D Handle: 0xD6000060 Runnable methods list: Method State mab Authc Success dot1x Not run
Switch config related to 802.1x :
aaa new-model ! ! aaa authentication dot1x default group radius aaa authorization network default group radius ! ! aaa session-id common ! ! dot1x system-auth-control ! ! errdisable detect cause security-violation shutdown vlan ! ! vlan 501 name VOICE-LAN ! ! interface FastEthernet0/9 switchport access vlan 502 switchport mode access switchport voice vlan 501 authentication event fail action authorize vlan 503 authentication event server dead action reinitialize vlan 503 authentication event no-response action authorize vlan 503 authentication event server alive action reinitialize authentication host-mode multi-domain authentication order mab dot1x authentication port-control auto authentication periodic authentication timer reauthenticate 600 mab mls qos trust cos dot1x pae authenticator spanning-tree portfast ! ! radius-server dead-criteria time 30 tries 10 radius-server host 10.***.***.*** radius-server host 10.***.***.*** radius-server retry method reorder radius-server key ******************
Switch version:
int-remote-sw-1#show ver Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE7, RELEASE SOFTWARE (fc1)
NPS Server Config:
-
Jason Seemann over 9 yearsCanyou clarify what you mean 'the phones can still fully access the data vlan'?
-
cpt_fink over 9 yearsYou might consider testing the
authentication priority dot1x mab
command, it can help weird .1x/MAB authentication issues. I don't think it's related to what's posted so far though. -
iamacarpet over 9 years@JasonSeemann Sure. So when I connect a phone that's been configured for MAB by the RADIUS server (it's sending data-traffic-class=voice and Tunnel-Private-Group-ID = VOICE-LAN to put it on the VOICE domain), if I've configured the phone to use the voice VLAN by ID on the handset itself, it'll access that network fine. But if I don't, it'll carry on using the access VLAN and I'd expect this traffic to be blocked, but it can get DHCP and transfer data just fine. I've tried it with a laptop configured as voice device via MAB and it can access both VLANs at once (get DHCP and transfer data).
-
iamacarpet over 9 years@cpt_fink Thanks for the suggestion. I've given it a try but it doesn't seem to work I'm afraid.
-
-
Jason Seemann about 9 yearsInteresting. I'm not sure if your NPS server can do it, but did you consider pushing a downloadable ACL to any phone device that passes MAB ? I ask because generally changing the VLAN out from underneath a computer isn't always handled gracefully by the O/S (though I guess in your case it will work since the computers are completely blackholed when not authenticated). Thanks for sharing your solution.