Yeah. As we are mostly working in the dark, it would be best to contact the phone vendor/provider and check with them what certificate is required on RADIUS for default dot1x, and then create a service with such a per-service certificate.
Original Message:
Sent: Mar 18, 2025 08:01 AM
From: Herman Robers
Subject: Alcatel IP phone 802.1x
Based on "Since dot1x configuration cannot be changed centrally, all of this means we have to configure them one by one, and there are many, but it seems the only way forward."; I think that's considered not feasible.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Mar 18, 2025 07:19 AM
From: GorazdKikelj
Subject: Alcatel IP phone 802.1x
Hi.
Maybe I was not really clear about what I meant by disabling dot1x. Try to disable dot1x on the phone, not on the switch. Then the phone won't send EAP requests to the switch.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
Original Message:
Sent: Mar 14, 2025 12:53 PM
From: Sam
Subject: Alcatel IP phone 802.1x
dot1x cannot be disabled as there is a computer behind the phone.
I'm aware of the certificate requirements mentioned; I was just wondering if there is something specific only for ALE phones.
Going back to my original post, I was asking Thomas to share his experience.
Since dot1x configuration cannot be changed centrally, all of this means we have to configure them one by one, and there are many, but it seems the only way forward.
I appreciate your responses guys, thanks for your time!
Original Message:
Sent: Mar 14, 2025 04:20 AM
From: GorazdKikelj
Subject: Alcatel IP phone 802.1x
Hi Sam.
Unfortunately this is a client issue. Even when you have a public certificate on the RADIUS server, it is not a guarantee that the client has all required CA certificates loaded by default.
The RADIUS certificate needs to have as CN a hostname of the ClearPass server; no wildcard certificates. In the SAN it needs to have IP=<ip address clearpass>. You can include DNS=<fqdn_clearpass>, IP=<vip ip address>, DNS=<fqdn_vip> in it.
If you have more than one ClearPass server in the cluster, you can create one certificate that has SAN fields for all names and IP addresses of all cluster members.
Extended Key usage should be TLS Web Server Authentication, Code Signing and 1.3.6.1.5.5.7.3.14 (typical server cert).
If you are fine with MAC authentication, just disable dot1x on phones.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
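As an added example (not from this thread), a small POSIX shell checker that tests a ClearPass/RADIUS server certificate against the rules Gorazd lists above: a CN without a wildcard, SAN entries for both IP and DNS, and an EKU containing TLS Web Server Authentication and 1.3.6.1.5.5.7.3.14. It assumes the openssl CLI (1.1.1 or later) is installed; the hostnames and addresses are constructed, and the self-signed test certificates stand in for the real CA-issued one. Code Signing is only reported, not required, since EAP-TLS does not depend on it.

```shell
# Added example (not from the thread): check a ClearPass/RADIUS server cert
# against the rules Gorazd lists above. Needs the openssl CLI (1.1.1+).
# Required: non-wildcard CN, SAN with an IP and a DNS entry, EKU containing
# TLS Web Server Authentication and 1.3.6.1.5.5.7.3.14 (EAP over LAN).

# check_radius_cert <cert.pem>: one line per rule; returns 0 only if all pass.
check_radius_cert() {
    pem="$1"; rc=0
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 2>/dev/null) \
        || { echo "FAIL: cannot read $pem"; return 1; }
    case "$subject" in
        *"CN=*"*) echo "FAIL: wildcard CN ($subject)"; rc=1 ;;
        *CN=*)    echo "ok:   non-wildcard CN ($subject)" ;;
        *)        echo "FAIL: subject has no CN"; rc=1 ;;
    esac
    san=$(openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null)
    for kind in "IP Address:" "DNS:"; do           # openssl's SAN labels
        if printf '%s\n' "$san" | grep -q "$kind"; then echo "ok:   SAN has $kind"
        else echo "FAIL: SAN lacks $kind"; rc=1; fi
    done
    eku=$(openssl x509 -in "$pem" -noout -ext extendedKeyUsage 2>/dev/null)
    if printf '%s\n' "$eku" | grep -q "TLS Web Server Authentication"; then
        echo "ok:   EKU has TLS Web Server Authentication"
    else echo "FAIL: EKU lacks TLS Web Server Authentication"; rc=1; fi
    # openssl prints the EAP-over-LAN OID in dotted form; a named alias is also accepted
    if printf '%s\n' "$eku" | grep -Eqi '1\.3\.6\.1\.5\.5\.7\.3\.14|eap'; then
        echo "ok:   EKU has 1.3.6.1.5.5.7.3.14 (EAP over LAN)"
    else echo "FAIL: EKU lacks 1.3.6.1.5.5.7.3.14 (EAP over LAN)"; rc=1; fi
    printf '%s\n' "$eku" | grep -q "Code Signing" || echo "note: EKU lacks Code Signing"
    return $rc
}

# make_cert <prefix> <cn> <san_list> <eku_list>: self-signed stand-in for the
# CA-issued ClearPass certificate, so the checker can run offline.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
        -out "$1.pem" -subj "/CN=$2" -addext "subjectAltName=$3" \
        -addext "extendedKeyUsage=$4" 2>/dev/null
}

# Demo with constructed names: a compliant cert, then a wildcard cert with
# no IP entry and no EAP-over-LAN EKU (the shape the thread says to avoid).
dir=$(mktemp -d)
make_cert "$dir/good" "cppm1.example.com" \
    "DNS:cppm1.example.com,IP:192.0.2.10,DNS:cppm-vip.example.com,IP:192.0.2.20" \
    "serverAuth,codeSigning,1.3.6.1.5.5.7.3.14"
make_cert "$dir/bad" "*.example.com" "DNS:*.example.com" "serverAuth"
echo "== good.pem"; check_radius_cert "$dir/good.pem" && echo "RESULT: accepted"
echo "== bad.pem";  check_radius_cert "$dir/bad.pem"  || echo "RESULT: rejected"
rm -rf "$dir"
```

To check the certificate actually installed on a ClearPass node, export it as PEM and run `check_radius_cert` on that file instead of the generated ones.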
Original Message:
Sent: Mar 14, 2025 03:49 AM
From: Sam
Subject: Alcatel IP phone 802.1x
Phones are factory default in this regard, and what I understood is that no changes are needed on the phone side as it has a factory certificate.
Security is not really the objective here, as we are good with mac-auth and limited access; we need to stop getting time-out requests, because there are an awful lot, about 500 times more than the actual phone count. This of course unnecessarily utilizes server resources and pollutes Access Tracker.
The only remaining piece of this head-scratching puzzle is the server certificate. Is there any special requirement or limitation? Like subject-alt-name, TLS version, public key algorithm/length, signature algorithm, extended key usage, or separate cert/full chain?
Original Message:
Sent: Mar 14, 2025 02:27 AM
From: Lord
Subject: Alcatel IP phone 802.1x
For the authentication timeout you have to troubleshoot at the client side. In ClearPass you can only see that the client is not responding.
Does the phone filter the Radius server certificate according to the CA or the content of the subject field or something similar?
If in doubt, you will need support from a service provider who is familiar with the phones.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Mar 13, 2025 10:44 AM
From: Sam
Subject: Alcatel IP phone 802.1x
It has a public certificate.
Original Message:
Sent: Mar 13, 2025 10:16 AM
From: GorazdKikelj
Subject: Alcatel IP phone 802.1x
Just a stupid question: what certificate is your RADIUS server using? The problem is that the client does not trust the RADIUS server certificate.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
Original Message:
Sent: Mar 13, 2025 09:20 AM
From: Sam
Subject: Alcatel IP phone 802.1x
Yes, all of them enabled with EAP usage.
Original Message:
Sent: Mar 13, 2025 08:09 AM
From: GorazdKikelj
Subject: Alcatel IP phone 802.1x
This is usually a sign that the client does not trust the RADIUS certificate. Did you enable the Alcatel CA with EAP?
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
Original Message:
Sent: Mar 13, 2025 08:03 AM
From: Sam
Subject: Alcatel IP phone 802.1x
In my case, no matter what auth-method is used, the result is always time-out (Client did not complete EAP transaction)
Original Message:
Sent: Mar 13, 2025 07:07 AM
From: Lord
Subject: Alcatel IP phone 802.1x
There are many paths that lead to the goal :). We just have to choose one.
It is important to clarify whether the phones authenticate with dot1x at all.
@Stefano Colombo is there anything new regarding the authentication or does the problem still exist?
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
Original Message:
Sent: Mar 13, 2025 06:16 AM
From: Herman Robers
Subject: Alcatel IP phone 802.1x
I would take the opposite approach and disable authorization in the EAP-TLS method; then in your role mapping do your own authorization (check if the user is in one or more authorization sources) and enforcement for phones (or devices that don't need authorization) without checking, and for users/laptops use the role as required to do the authorization.
But if different services for phones and other devices is useful anyway, you could take that approach as well.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Mar 12, 2025 11:19 PM
From: Lord
Subject: Alcatel IP phone 802.1x
Only one TLS auth method can be used in the service. By editing the method, authorization is deactivated for all devices that are authenticated by this service. In this case, a separate service must be created for all devices that use EAP-TLS without authorization. If you do not want this, create a user so that EAP-TLS with authorization works and all devices are authenticated by a service.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
Original Message:
Sent: Mar 12, 2025 01:12 PM
From: willembargeman
Subject: Alcatel IP phone 802.1x
Because certificate-based authentication is used, no user is needed in the local user DB. The reason to create a user is the authorization that is enabled in the EAP-TLS method by default. By disabling authorization in the EAP-TLS method, the user in the local user DB is not needed.
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: Mar 12, 2025 07:22 AM
From: Waldemar Ryll
Subject: Alcatel IP phone 802.1x
We implemented NAC for Alcatel phones in a customer project a year ago. I don't know the phone model, but the dot1x authentication with certificates was activated on the phones by default. The customer just didn't know that. We noticed it when we activated authentication on the switch and the phones tried to authenticate.
What happens if you configure dot1x with MAC-Auth on the switch and activate authentication on the port? Does ClearPass then receive authentication requests?
If so, then you don't need to do anything else on the phones, just set up ClearPass.
You have to activate the Alcatel root certificates in ClearPass under Certificate Trust List and select EAP as usage. You also need a service for wired authentication with EAP-TLS.
By default, the phones use the username ALCICT or ALC for authentication, the password is "password". We created the user in the local user DB.
However, you need manufacturer documentation for the Alcatel IP Phone.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
Original Message:
Sent: Mar 11, 2025 11:32 PM
From: Sam
Subject: Alcatel IP phone 802.1x
Hi Thomas,
Can you please guide me on how to use the factory certificates for authentication with ClearPass?
Thanks
Original Message:
Sent: Aug 09, 2023 10:53 AM
From: thomasbnc
Subject: Alcatel IP phone 802.1x
Haha, nice dreams that you have 😉.
In my last project we used the factory default (individual) certificates for authentication and pushed a role which was limited to only the needed connectivity with the PBX. That allowed us to circumnavigate the cert rollout pain.
Auto enrollment would mean SCEP as an open standard. I don't think that Alcatel phones support this. However, I'm not a VoIP expert.
I hope this helps
Regards, Thomas
Original Message:
Sent: 8/9/2023 10:21:00 AM
From: Stefano Colombo
Subject: RE: Alcatel IP phone 802.1x
I was looking for information on how to configure the IP phone with external certs, or even better to auto-enroll them with a Windows Certificate Authority.
Original Message:
Sent: 8/9/2023 9:18:00 AM
From: thomasbnc
Subject: RE: Alcatel IP phone 802.1x
Hi Stefano
Years ago, I worked with Alcatel phones in the context of NAC. We authenticated the phones using 802.1x and X.509 certificates. The phones come with pre-installed certificates signed by an ALE CA, and through the management you can replace them with your own ones if desired. That all worked quite well for me.
I tried to find information regarding your particular models. It seems as if the models you have are quite old, so I'm not sure whether or not 4004 models support dot1x; 8008 do for sure according to the datasheet.
To make the long story short, I think there is a fair chance that it will work. What are your specific questions regarding the implementation?
Best,
Thomas
Original Message:
Sent: Aug 09, 2023 05:34 AM
From: Stefano Colombo
Subject: Alcatel IP phone 802.1x
I was looking for information about how to configure Alcatel IP Phones to do 802.1x authentication but couldn't find anything helpful by googling.
Has anyone implemented it? The models are 4008, 8008.
Thanks in advance