Frequent Contributor I
Posts: 82
Registered: ‎05-28-2010

dot1x authentication of Cisco IP phone on mobility controller

Can the 3600 mobility controller be configured for wired 802.1x authentication when a Cisco IP Phone is connected to the wired port of a RAP? Said phones are set up in AD with a username/PWD that we use for MAB device authentication on our Cisco switches, but we would like to get it to work on the 3600 mobility controller as well. This is the output of the authtrace of the client:

Dec 27 12:51:50 station-up * 00:1b:d4:a0:38:de 01:80:c2:00:00:03 - - open system
Dec 27 12:51:50 station-up * 00:1b:d4:a0:38:de 01:80:c2:00:00:03 - - wired station
Dec 27 12:51:50 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 1 5
Dec 27 12:51:55 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 1 5
Dec 27 12:52:00 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 1 5
Dec 27 12:52:05 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 2 5
Dec 27 12:52:10 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 2 5
Dec 27 12:52:15 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 2 5
Dec 27 12:52:20 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 3 5
Dec 27 12:52:25 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 3 5
Dec 27 12:52:30 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 3 5
Dec 27 12:52:35 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 4 5
Dec 27 12:52:40 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 4 5
Dec 27 12:52:45 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 4 5
Dec 27 12:52:50 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 5 5
Dec 27 12:52:55 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 5 5
Dec 27 12:53:00 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 5 5

Never see the client send an eap-id-resp packet.

Regards,

Tony Marques

Guru Elite
Posts: 8,338
Registered: ‎09-08-2010

Re: dot1x authentication of Cisco IP phone on mobility controller

Is the phone's supplicant configured for PEAPv0/EAP-MSCHAPv2?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 82
Registered: ‎05-28-2010

Re: dot1x authentication of Cisco IP phone on mobility controller

Unencrypted authentication (PAP, SPAP)

Frequent Contributor I
Posts: 82
Registered: ‎05-28-2010

Re: dot1x authentication of Cisco IP phone on mobility controller

Hi Tim,

My apologies, there is no supplicant on the phone. In Cisco world, switches will allow the 802.1x timeout and proceed to MAC Authentication Bypass (MAB). The switch crafts a RADIUS access-request packet using the MAC address of the phone as the username/pwd.

Therefore, wondering if there is a way of mimicking that in the Aruba Mobility controller world.

Regards,

Tony Marques

Guru Elite
Posts: 8,338
Registered: ‎09-08-2010

Re: dot1x authentication of Cisco IP phone on mobility controller

What model phone? Most newer Cisco IP phones support 802.1X.

In terms of your original question, you can configure a MAC-Authentication profile for your wired-ap config.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 82
Registered: ‎05-28-2010

Re: dot1x authentication of Cisco IP phone on mobility controller

7961. I've tried a mac authentication profile, but the event viewer shows that it fails. I'm thinking I don't have the appropriate attributes defined in the NAS policy that the phone is sending in comparison to what a Cisco switch sends.
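
Added example, not part of the thread and not Cisco or Aruba code: a sketch of the MAB Access-Request described above (MAC address as both username and PAP password), with a decoder so the attributes from two different NAS devices can be compared against the RADIUS server policy. The username format (12 lowercase hex digits), Service-Type Call-Check, NAS-Port-Type Ethernet and the Calling-Station-Id format are assumptions based on common switch defaults and should be confirmed against a packet capture; the shared secret and NAS IP are constructed.

```python
import hashlib
import os
import socket
import struct

# Attribute numbers and enumerated values from RFC 2865.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE, CALL_CHECK, ETHERNET = 31, 61, 10, 15

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_mab_request(mac, secret, nas_ip, ident=1, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    hexmac = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexmac) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    user = hexmac.encode()  # assumed format: lowercase hex, no separators
    station = "-".join(hexmac[i:i + 2] for i in range(0, 12, 2)).upper().encode()
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(user, secret, authenticator))
             + attr(SERVICE_TYPE, struct.pack("!I", CALL_CHECK))
             + attr(NAS_PORT_TYPE, struct.pack("!I", ETHERNET))
             + attr(CALLING_STATION_ID, station)
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH16s", 1, ident, 20 + len(attrs), authenticator) + attrs

def parse_attributes(packet):
    """Decode the attribute list (after the 20-byte header) into {type: value}."""
    found, pos = {}, 20
    while pos < len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2: raise ValueError("bad attribute length")
        found[kind] = packet[pos + 2:pos + length]
        pos += length
    return found

if __name__ == "__main__":  # constructed secret and NAS IP; MAC from the authtrace
    pkt = build_mab_request("00:1b:d4:a0:38:de", b"example-secret", "192.0.2.10")
    print(parse_attributes(pkt))
```

Running `parse_attributes` over a captured request from each NAS shows which attributes (for example Service-Type or NAS-Port-Type) a policy condition would need to match.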
