3/23/2009 2:04:12 PM
IT Sec tech (Posts: 7)
Has anyone had experience authenticating VOIP phones and PCs on the same switch port? The PCs are plugged into the phones and the plan is for the PC/Laptop to have the 802.1X client, but the phones will not. Should we expect the phone to MAC authenticate and the PC to EAP authenticate without any issues?

3/23/2009 3:03:22 PM
tpowers (Posts: 5)
Hey IT Sec tech.
The answers to your questions will vary greatly based on variables such as switch manufacturer, phone manufacturer, and authentication server.
I've recently set up this scenario utilizing Polycom phones, Cisco 3750s, and Cisco ACS. This is possible thanks to the addition of multi-domain authentication in Cisco IOS. I believe that it was introduced back in version 12.2(35)xx. The Polycom phones have been profiled by Great Bay Software's Beacon and are authenticating via MAC Auth Bypass, while the client stations attached directly to the VoIP phones are utilizing PEAP for authentication. The switch configuration is pretty straightforward, but RADIUS attributes should be defined to ensure that the switch knows that the phone is a voice device and that re-authentication won't stomp on the connection in the middle of a call.
Ty Powers
Blue Spruce Technologies, Inc.

3/23/2009 7:37:27 PM
IT Sec tech (Posts: 7)
Thanks Ty,
Unless I misunderstand, your post seems to imply that this method will work regardless of the phone (Cisco, Nortel, Avaya, etc.), correct? Also, you mean RADIUS attributes need to be defined on the ACS server right?

3/24/2009 11:51:10 AM
tpowers (Posts: 5)
Hmm... this is a slightly loaded question. This method should work with any phone, but we have seen instances where even though the 802.1x supplicant on the phone was disabled, it still sent out EAP start frames, disrupting the ability to MAC Auth Bypass. As far as the RADIUS attributes, there are Vendor Specific Attributes (VSAs) that upon authentication will inform the switch that the device is a voice device. I was specifically referring to Cisco's ACS previously, but other RADIUS servers provide support for these VSAs also. You would want to make sure before deciding to move forward. There are a lot of options as well as moving parts in an end-to-end 802.1x project. I'm not sure where you are in regard to this being a project, but in order to ensure success, you may want to engage with someone to lay out all of the options available to you and then assemble an 802.1x Statement of Work with specific deliverables.
Ty Powers
Blue Spruce Technologies, Inc.
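Added example (not tpowers' configuration, and not from the original thread): a Cisco IOS port configuration for the phone-plus-PC scenario described in the two replies above, with the RADIUS reply attributes that mark the phone as a voice device and keep re-authentication from dropping a call. The interface name, VLAN numbers, RADIUS address, shared secret and timer values are constructed placeholders; the `authentication ...` command syntax assumes 12.2(50)SE or later (older releases use `dot1x host-mode multi-domain` and `dot1x mac-auth-bypass` instead of `authentication host-mode multi-domain` and `mab`).

```cisco
! --- Global AAA / RADIUS (constructed address and secret) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
! Send Cisco VSAs in Access-Requests so the server can return cisco-av-pair values
radius-server vsa send authentication
dot1x system-auth-control
!
! --- Access port: phone authenticates via MAB, PC behind it via 802.1X/PEAP ---
interface GigabitEthernet1/0/10
 description Phone + PC, multi-domain authentication
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! One voice domain and one data domain per port; a second data MAC is a violation
 authentication host-mode multi-domain
 authentication port-control auto
 ! Try 802.1X first; fall back to MAB when no supplicant answers (the phone)
 authentication order dot1x mab
 authentication priority dot1x mab
 ! Re-auth interval comes from the RADIUS Session-Timeout, not a fixed switch value
 authentication timer reauthenticate server
 dot1x pae authenticator
 ! Short EAP-Request/Identity retry so a supplicant-less phone reaches MAB quickly
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 mab
 spanning-tree portfast
!
! RADIUS reply attributes the server must return for the phone's MAB entry
! (configured on the RADIUS server, e.g. ACS; shown here as attribute = value):
!   cisco-av-pair       = "device-traffic-class=voice"  -> authorize MAC in the voice domain
!   Session-Timeout     = 86400                          -> re-auth interval in seconds
!   Termination-Action  = RADIUS-Request                 -> re-authenticate in place, do not
!                                                           clear the session (call survives)
!
! Verification: which method authorized each MAC, and in which domain. If a phone with
! its supplicant "disabled" still sends EAPOL-Start frames, it shows up here as a
! dot1x attempt on the voice MAC instead of a MAB success.
!   show authentication sessions interface GigabitEthernet1/0/10
```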