
dot1x authentication of Cisco IP phone on mobility controller

  • 1.  dot1x authentication of Cisco IP phone on mobility controller

    Posted Dec 27, 2016 01:05 PM

    Can the 3600 mobility controller be configured for wired 802.1x authentication when a Cisco IP Phone is connected to the wired port of a RAP? Said phones are set up in AD with a username/PWD that we use for MAB device authentication on our Cisco switches, but would like to get it to work on 3600 mobility controller as well. This is the output of the authtrace of the client:

     

    Dec 27 12:51:50 station-up * 00:1b:d4:a0:38:de 01:80:c2:00:00:03 - - open system
    Dec 27 12:51:50 station-up * 00:1b:d4:a0:38:de 01:80:c2:00:00:03 - - wired station
    Dec 27 12:51:50 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 1 5
    Dec 27 12:51:55 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 1 5
    Dec 27 12:52:00 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 1 5
    Dec 27 12:52:05 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 2 5
    Dec 27 12:52:10 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 2 5
    Dec 27 12:52:15 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 2 5
    Dec 27 12:52:20 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 3 5
    Dec 27 12:52:25 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 3 5
    Dec 27 12:52:30 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 3 5
    Dec 27 12:52:35 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 4 5
    Dec 27 12:52:40 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 4 5
    Dec 27 12:52:45 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 4 5
    Dec 27 12:52:50 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 5 5
    Dec 27 12:52:55 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 5 5
    Dec 27 12:53:00 eap-id-req <- 00:1b:d4:a0:38:de 01:80:c2:00:00:03 5 5

    Never see the client send an eap-id-resp packet.

     

    Regards,

    Tony Marques



  • 2.  RE: dot1x authentication of Cisco IP phone on mobility controller

    EMPLOYEE
    Posted Dec 27, 2016 01:55 PM

    Is the phone's supplicant configured for PEAPv0/EAP-MSCHAPv2?



  • 3.  RE: dot1x authentication of Cisco IP phone on mobility controller

    Posted Dec 27, 2016 02:35 PM

    Unencrypted authentication (PAP, SPAP)



  • 4.  RE: dot1x authentication of Cisco IP phone on mobility controller

    Posted Dec 27, 2016 03:00 PM

    Hi Tim,

     

    My apologies, there is no supplicant on the phone. In Cisco world, switches will allow the 802.1x timeout and proceed to MAC Authentication Bypass (MAB). The switch crafts a RADIUS access-request packet using the MAC Address of the phone as the username/pwd.

    Therefore, wondering if there is a way of mimicking that in the Aruba Mobility controller world.

     

    Regards,

    Tony Marques



  • 5.  RE: dot1x authentication of Cisco IP phone on mobility controller

    EMPLOYEE
    Posted Dec 27, 2016 03:02 PM

    What model phone? Most newer Cisco IP phones support 802.1X.

     

    In terms of your original question, you can configure a MAC-Authentication profile for your wired-ap config.



  • 6.  RE: dot1x authentication of Cisco IP phone on mobility controller

    Posted Dec 27, 2016 03:06 PM

    7961. I've tried a MAC authentication profile, but the event viewer shows that it fails. I'm thinking I don't have the appropriate attributes defined in the NAS policy that the phone is sending in comparison to what a Cisco switch sends.
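
The request described in post 4, as an added example that is not part of the thread and is not Cisco or Aruba code: a RADIUS Access-Request carrying the phone's MAC as both User-Name and User-Password (PAP), built and then decoded so the attributes each NAS sends can be compared against the conditions in the server's policy. The shared secret, the MAC formatting and the Service-Type, Calling-Station-Id and NAS-Port-Type values are assumptions for illustration; take the real ones from a capture of your own switch and controller.

```python
import hashlib
import os
import struct

NAMES = {1: "User-Name", 2: "User-Password", 6: "Service-Type",
         31: "Calling-Station-Id", 61: "NAS-Port-Type"}

def pap_xor(data, secret, authenticator, reveal=False):
    """RFC 2865 section 5.2 User-Password hiding; reveal=True undoes it."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if reveal else block
        out += block
    return out

def build_mab_request(mac, secret, ident=1, authenticator=None):
    """Access-Request with the MAC as User-Name and User-Password."""
    authenticator = authenticator or os.urandom(16)
    user = mac.replace(":", "").lower().encode()      # assumed MAC format
    padded = user + b"\x00" * (-len(user) % 16)
    attrs = [(1, user),
             (2, pap_xor(padded, secret, authenticator)),
             (6, struct.pack("!I", 10)),               # Call-Check (assumed)
             (31, mac.replace(":", "-").upper().encode()),  # assumed format
             (61, struct.pack("!I", 15))]              # Ethernet (assumed)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def decode_request(packet, secret):
    """Return {attribute name: value} so two NAS requests can be compared."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a complete Access-Request")
    authenticator, pos, found = packet[4:20], 20, {}
    while pos + 2 <= length:
        kind, size = packet[pos], packet[pos + 1]
        if size < 2 or pos + size > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + size]
        if kind == 2:
            value = pap_xor(value, secret, authenticator, True).rstrip(b"\x00")
        elif kind in (6, 61):
            value = struct.unpack("!I", value)[0]
        found[NAMES.get(kind, kind)] = value
        pos += size
    return found
```

Running `decode_request` on the UDP payload captured from each NAS and diffing the two dictionaries shows which attribute a policy condition is matching on for one device but not the other.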