Cisco Voice VLAN with 802.1X Authentication

cisco vlan voip 802.1 nps

7,527

I'm not sure it's the best answer to the question of how to make this work, but in the absence of a better answer, I figured out a way to make it work myself.

Basically, I went with the idea that if you are using what is essentially dynamic VLAN assignment (even though it's termed a voice feature), you have to use it for both the VOICE and DATA domains to get the result I was looking for.

I changed the access VLAN to a VLAN that doesn't route outside the switch, so in my case switchport access vlan 504

I then modified the policy on our NPS server to pass a VLAN assignment to computers when they authenticate.

This has the effect of putting phones or any device MAC spoofing as one without a VLAN configured being put into what is essentially a blackhole network so they can't access anything - but if configured with the correct VLAN ID, they can access the more locked down voice network.

But if a computer is attached and authenticated either directly or via the switch on the phone in the DATA domain, the switch changes the access or native VLAN to our internal network as instructed by the NPS server.

This is the result I was looking for - it just meant having to change the config on other switches that make use of the policy server in a more basic form which I was trying to avoid.

7,527

iamacarpet

Updated on September 18, 2022

Comments

iamacarpet almost 2 years
I've got a Cisco Catalyst 2960 that I'm trying to configure for a remote office with 802.1X wired authentication.

The setup I'm going for is Switch -> VoIP Phone via Internal Switch -> PC/Laptop (Domain Joined Win 7/8).

Our authentication server is NPS on Windows Server 2008 R2.

We are using Snom 300 handsets which do support 802.1X but it's not really feasible for us to configure it on all the handsets, so I've configured the switch to use MAB (MAC Authentication Bypass) for the phones.

This for the most part is working brilliantly, the handsets get authenticated and put into the VOICE domain and the VLAN policy is displaying 501, which is our voice VLAN.

But, the phones can still fully access the data VLAN - what am I doing wrong?

Here is the 802.1x session into for that connected port:
```
int-remote-sw-1#show auth sessions int Fa0/9
        Interface:  FastEthernet0/9
      MAC Address:  0004.133d.69cc
       IP Address:  Unknown
        User-Name:  0004133d69cc
           Status:  Authz Success
           Domain:  VOICE
   Oper host mode:  multi-domain
 Oper control dir:  both
    Authorized By:  Authentication Server
      Vlan Policy:  501
  Session timeout:  600s (local), Remaining: 409s
   Timeout action:  Reauthenticate
     Idle timeout:  N/A
Common Session ID:  0A9402F50000005F094C7DC3
  Acct Session ID:  0x0000007D
           Handle:  0xD6000060

Runnable methods list:
   Method   State
   mab      Authc Success
   dot1x    Not run
```
Switch config related to 802.1x :
```
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
aaa session-id common
!
!
dot1x system-auth-control
!
!
errdisable detect cause security-violation shutdown vlan
!
!
vlan 501
    name VOICE-LAN
!
!
interface FastEthernet0/9
    switchport access vlan 502
    switchport mode access
    switchport voice vlan 501
    authentication event fail action authorize vlan 503
    authentication event server dead action reinitialize vlan 503
    authentication event no-response action authorize vlan 503
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate 600
    mab
    mls qos trust cos
    dot1x pae authenticator
    spanning-tree portfast
!
!
radius-server dead-criteria time 30 tries 10
radius-server host 10.***.***.***
radius-server host 10.***.***.***
radius-server retry method reorder
radius-server key ******************
```
Switch version:
```
int-remote-sw-1#show ver
    Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE7, RELEASE SOFTWARE (fc1)
```
NPS Server Config:
- Jason Seemann over 9 years
  
  Canyou clarify what you mean 'the phones can still fully access the data vlan'?
- cpt_fink over 9 years
  
  You might consider testing the authentication priority dot1x mab command, it can help weird .1x/MAB authentication issues. I don't think it's related to what's posted so far though.
- iamacarpet over 9 years
  
  @JasonSeemann Sure. So when I connect a phone that's been configured for MAB by the RADIUS server (it's sending data-traffic-class=voice and Tunnel-Private-Group-ID = VOICE-LAN to put it on the VOICE domain), if I've configured the phone to use the voice VLAN by ID on the handset itself, it'll access that network fine. But if I don't, it'll carry on using the access VLAN and I'd expect this traffic to be blocked, but it can get DHCP and transfer data just fine. I've tried it with a laptop configured as voice device via MAB and it can access both VLANs at once (get DHCP and transfer data).
- iamacarpet over 9 years
  
  @cpt_fink Thanks for the suggestion. I've given it a try but it doesn't seem to work I'm afraid.
Jason Seemann about 9 years

Interesting. I'm not sure if your NPS server can do it, but did you consider pushing a downloadable ACL to any phone device that passes MAB ? I ask because generally changing the VLAN out from underneath a computer isn't always handled gracefully by the O/S (though I guess in your case it will work since the computers are completely blackholed when not authenticated). Thanks for sharing your solution.