
:: Beacon User Forum

Recent messages
3/24/2009 11:51:10 AM
topic: 802.1X with VOIP phones (1 via EAP 1 via MAB)

tpowers
Posts 5
Hmm... this is a slightly loaded question. This method should work with any phone, but we have seen instances where even though the 802.1X supplicant on the phone was disabled, it still sent out EAP start frames, disrupting the ability to MAC Auth Bypass. As far as the RADIUS attributes, there are Vendor Specific Attributes (VSAs) that upon authentication will inform the switch that the device is a voice device. I was specifically referring to Cisco's ACS previously, but other RADIUS servers provide support for these VSAs also. You would want to make sure before deciding to move forward. There are a lot of options as well as moving parts in an end-to-end 802.1X project. I'm not sure where you are in regards to this being a project, but in order to ensure success, you may want to engage with someone to lay out all of the options available to you and then assemble an 802.1X Statement of Work with specific deliverables.

Ty Powers

Blue Spruce Technologies, Inc.
3/23/2009 7:37:27 PM
topic: 802.1X with VOIP phones (1 via EAP 1 via MAB)

IT Sec tech
Posts 7
Thanks Ty,

Unless I misunderstand, your post seems to imply that this method will work regardless of the phone (Cisco, Nortel, Avaya, etc.), correct? Also, you mean RADIUS attributes need to be defined on the ACS server, right?
3/23/2009 3:03:22 PM
topic: 802.1X with VOIP phones (1 via EAP 1 via MAB)

tpowers
Posts 5
Hey IT Sec tech.

The answers to your questions will vary greatly based on variables such as switch manufacturer, phone manufacturer, and authentication server.

I've recently set up this scenario utilizing Polycom phones, Cisco 3750s, and Cisco ACS. This is possible thanks to the addition of multi-domain authentication in Cisco IOS. I believe that it was introduced back in version 12.2(35)xx. The Polycom phones have been profiled by Great Bay Software's Beacon and are authenticating via MAC Auth Bypass, while the client stations attached directly to the VoIP phones are utilizing PEAP for authentication. The switch configuration is pretty straightforward, but RADIUS attributes should be defined to ensure that the switch knows that the phone is a voice device and that re-authentication won't stomp on the connection in the middle of a call.

Ty Powers
Blue Spruce Technologies, Inc.
3/23/2009 2:04:12 PM
topic: 802.1X with VOIP phones (1 via EAP 1 via MAB)

IT Sec tech
Posts 7
Has anyone had experience authenticating VOIP phones and PCs on the same switch port? The PCs are plugged into the phones and the plan is for the PC/Laptop to have the 802.1X client, but the phones will not. Should we expect the phone to MAC authenticate and the PC to EAP authenticate without any issues?
3/11/2009 3:04:57 PM
topic: Beacon Install with multiple interfaces and routes

gmarkley
Posts 3
I am sure this will help anybody trying to install Beacon with multiple network tie-ins. Thank you for submitting.
3/11/2009 2:47:13 PM
topic: Beacon Install with multiple interfaces and routes

alball
Posts 1
If you are running into a situation where the web GUI is on one network and all the SNMP traffic is on another, there is an easy way to make this happen.

vi /etc/rc.conf

Add the following lines to the conf file:

static_routes="native"
route_native="-net 192.168.1.0/24 192.168.1.1"
defaultrouter="172.168.1.1"

The first line sets labels for the routes which are referenced below.
The second line tells the route command what route to add. In this example, the 192.168.1.0/24 network has a default gateway of 192.168.1.1. This way, when the request to poll the devices on the native network is made, the Beacon system will route to the correct network.
The last line is your route of last resort, or default route. This is for the web interface of the Beacon system.

All of this is documented at: http://www.freebsd.org/doc/en/books/handbook/network-routing.html
Look under section 31.2.5.2.
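A pre-deployment check for rc.conf entries like the ones above, added here as an example and not part of the post or of Beacon: it parses the static_routes labels and their route_* lines, and flags any route (or the defaultrouter) whose gateway is not on one of the host's directly attached networks, which is the usual reason a split GUI/SNMP setup silently fails to poll. The attached networks and the extra "lab" route are constructed for the example.

```python
"""Sanity-check FreeBSD rc.conf static route entries before deploying them."""
import ipaddress
import re

# Constructed sample: the three lines from the post plus one deliberately broken route
# whose gateway (10.20.0.1) is not reachable from any attached interface.
SAMPLE_RC_CONF = """\
static_routes="native lab"
route_native="-net 192.168.1.0/24 192.168.1.1"
route_lab="-net 10.20.0.0/16 10.20.0.1"
defaultrouter="172.168.1.1"
"""

# Assumed: networks directly attached to the Beacon host's interfaces
# (172.168.1.0/24 for the web GUI, 192.168.1.0/24 for SNMP polling).
ATTACHED_NETWORKS = [
    ipaddress.ip_network("172.168.1.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# rc.conf assignments of the form name="value"
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')


def parse_rc_conf(text):
    """Return a dict of rc.conf variable -> value (quotes stripped)."""
    conf = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def static_routes(conf):
    """Expand the static_routes labels into (label, network, gateway) tuples."""
    routes = []
    for label in conf.get("static_routes", "").split():
        spec = conf.get(f"route_{label}")
        if spec is None:
            raise ValueError(f"static_routes names '{label}' but route_{label} is not defined")
        parts = spec.split()
        if len(parts) != 3 or parts[0] != "-net":
            raise ValueError(f"route_{label}: expected '-net <prefix> <gateway>', got {spec!r}")
        net = ipaddress.ip_network(parts[1], strict=True)  # rejects host bits set in the prefix
        routes.append((label, net, ipaddress.ip_address(parts[2])))
    return routes


def on_link(addr, attached):
    """True if addr lies inside one of the directly attached networks."""
    return any(addr in net for net in attached)


def check_routes(text, attached=ATTACHED_NETWORKS):
    """Return a list of (label, problem) for gateways the host cannot reach directly."""
    conf = parse_rc_conf(text)
    problems = []
    for label, net, gw in static_routes(conf):
        if not on_link(gw, attached):
            problems.append((label, f"gateway {gw} for {net} is not on any attached network"))
    dr = conf.get("defaultrouter")
    if dr is None:
        problems.append(("defaultrouter", "no defaultrouter set; web GUI traffic has no route of last resort"))
    elif not on_link(ipaddress.ip_address(dr), attached):
        problems.append(("defaultrouter", f"{dr} is not on any attached network"))
    return problems


if __name__ == "__main__":
    for label, problem in check_routes(SAMPLE_RC_CONF):
        print(f"{label}: {problem}")
```

Run it against the real rc.conf text and the host's interface networks before rebooting; an empty result means every gateway is reachable on-link and the route of last resort is set.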
3/3/2009 10:50:07 PM
topic: 802.1X client tool

tpowers
Posts 5
In Windows XP SP2 and earlier environments this gets a little tricky. Prior to Service Pack 3, Windows XP really only had GPO settings for wireless. That said, we have developed a Wired EAP Management tool to fill the void. Service Pack 3 catches up though a bit with the addition of the Wired Auto Config service.

Ty Powers

Blue Spruce Technologies, Inc.
2/25/2009 8:09:12 PM
topic: Cisco IP Camera - profiled as a Trunk Port

khook
Posts 2
Yes the Cisco IP Cameras do send CDP.
2/25/2009 7:04:06 PM
topic: MAC Auth Bypass on 3750

jgorsky
Posts 5
The following is a very basic port config for a 3750 (that already has 802.1X enabled at switch-level) for MAC-auth-bypass. Note that there are multiple timers and other parameters of this config that need to be tuned for desired operation of MAB. If you have specific questions, I will try to answer but this is a pretty big topic.

interface GigabitEthernet1/0/19
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 10
dot1x timeout reauth-period 60
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
dot1x max-req 1
dot1x reauthentication
dot1x auth-fail max-attempts 1
spanning-tree portfast
!
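An audit script for port configurations like the one above, added here as an example and not part of the post: it splits an IOS running-config into interface blocks and, for every access port with dot1x port-control auto, reports missing MAB-related lines and timers left unset, so drift from the baseline shows up before a phone fails to authenticate. The baseline lines and the sample config (the post's port, one incomplete port, and a trunk) are constructed for the example.

```python
"""Audit Cisco IOS interface blocks for the MAB settings shown in the post."""
import re

# Constructed sample running-config: the port from the post, a port missing
# mac-auth-bypass and portfast, and a trunk that should be ignored.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/19
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout quiet-period 10
 dot1x timeout reauth-period 60
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 10
 dot1x max-req 1
 dot1x reauthentication
 dot1x auth-fail max-attempts 1
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
"""

# Assumed baseline: lines every MAB-enabled access port must carry (taken from the post).
REQUIRED = (
    "dot1x mac-auth-bypass",
    "dot1x pae authenticator",
    "dot1x port-control auto",
    "spanning-tree portfast",
)
TIMER_RE = re.compile(r"^dot1x timeout (\S+) (\d+)$")


def parse_interfaces(config):
    """Return {interface_name: [config lines]} for each 'interface ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None  # '!' terminates the block
        elif current is not None:
            blocks[current].append(line)
    return blocks


def timers(lines):
    """Map 'dot1x timeout <name> <secs>' lines to {name: secs}."""
    return {m.group(1): int(m.group(2)) for m in map(TIMER_RE.match, lines) if m}


def audit(config):
    """Return {interface: [findings]} for access ports with 802.1X port control enabled."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines or "dot1x port-control auto" not in lines:
            continue  # trunks and ports without dot1x are out of scope
        issues = [f"missing '{req}'" for req in REQUIRED if req not in lines]
        t = timers(lines)
        if "dot1x reauthentication" in lines and "reauth-period" not in t:
            issues.append("reauthentication enabled without an explicit reauth-period")
        if "quiet-period" not in t or "tx-period" not in t:
            issues.append("MAB fallback timers (quiet-period/tx-period) left at defaults")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Feed it the output of show running-config; a port with an empty findings list matches the baseline, and the timer values themselves are returned by timers() so the tuning the post mentions can be compared across ports.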
2/25/2009 6:56:15 PM
topic: Cisco IP Camera - profiled as a Trunk Port

jdamron
Posts 1
My initial thought on this is that your video cameras are talking CDP to the switch. Beacon will mark ports with CDP information as trunks. Currently the only exception is for Cisco IP Phones.

Could you check the CDP information on that port?