Many articles have been written on how to implement computer authentication with various RADIUS servers, including scenarios where the computer is connected to the network through the switch integrated into an IP phone, but these articles deal with smart IP phones that support CDP or LLDP and can work with a voice VLAN.
Unfortunately, I had to work with what I had, namely the Panasonic KX-NT321 IP phone, which works over a proprietary protocol and supports neither LLDP nor CDP, nor even TFTP configuration downloads. However, tagging can be configured from the phone itself for each switch port.
So, what we have: RADIUS based on Microsoft NPS, Cisco 2960 switches, Panasonic IP phones and computers.
I will not cover the basic configuration of RADIUS and the switches; we will assume that our switches are already RADIUS clients.
Since the phones do not understand EAPoL packets, we will apply MAB (MAC Authentication Bypass) to them. In short, the switch takes the MAC address of the phone and sends it to RADIUS as the login and password for authentication; this is described in more detail on cisco.com.
For computers we will use 802.1x; we will take it as given that everything on the computer is configured properly.
Accordingly, we need both 802.1x and MAB enabled on the switch port. For this we need MDA (Multidomain Authentication) mode (the modes are described in more detail here), so the port configuration will be as follows:

interface FastEthernet0/2
 switchport access vlan 99
 switchport mode access
 switchport voice vlan 2
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast

The mab command is required because without it the switch sends packets using EAP-MD5 authentication, which MS NPS does not accept, so you need to use PAP.
We collect the MAC addresses of our phones and add them to Active Directory in a separate OU and security group (let's call them Phone) as regular users whose login and password are the phone's MAC address.
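One way to collect the phone MAC addresses for these accounts, as an added example that is not part of the original article: it parses `show mac address-table` output and converts each address seen in the voice VLAN into 12 lowercase hex digits without separators, the form IOS sends as the MAB login by default. The sample output and all MAC addresses are constructed, and treating every dynamic entry in VLAN 2 as a phone is an assumption based on the port configuration above.

```python
import re

# Constructed sample of `show mac address-table` output; all MACs are made up.
SAMPLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    0080.f0aa.bb01    DYNAMIC     Fa0/2
  99    3c52.8211.0a7f    DYNAMIC     Fa0/2
   2    0080.f0aa.bb02    DYNAMIC     Fa0/3
   2    0080.f0aa.bb01    DYNAMIC     Gi0/1
   2    0100.5e00.00fb    STATIC      CPU
Total Mac Addresses for this criterion: 5
"""

# vlan, MAC in Cisco dotted notation, entry type, port
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\S+)\s+(\S+)"
)

def mab_username(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if int(digits[:2], 16) & 1:  # group bit set: multicast/broadcast, not a host
        raise ValueError(f"multicast address: {mac!r}")
    return digits

def phone_accounts(show_output, voice_vlan=2):
    """Map MAB username -> first port it was seen on, for the voice VLAN only."""
    accounts = {}
    for line in show_output.splitlines():
        m = ROW.match(line)
        if not m or int(m.group(1)) != voice_vlan or m.group(3) != "DYNAMIC":
            continue  # headers, other VLANs (computers), static/CPU entries
        try:
            user = mab_username(m.group(2))
        except ValueError:
            continue
        accounts.setdefault(user, m.group(4))  # keep first sighting, drop repeats
    return accounts

if __name__ == "__main__":
    for user, port in sorted(phone_accounts(SAMPLE).items()):
        print(f"{user},{port}")
```

The resulting list should be checked against the phones actually deployed before any account is created, since every entry becomes a login that RADIUS will accept.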
In NPS we create a rule for phones:

The device-traffic-class = voice parameter tells the switch that this device will go to the voice VLAN.
The Tunnel-Pvt-Group-ID parameter tells the switch which VLAN the device will fall into, but in our case it will not work, because we set up the VLANs by hand on the phone.
Create a similar rule for computers:

You also need to create a connection request policy with permission to use PAP.
On the switch, you can manually set a password for MAB requests: the authentication request will then carry the MAC address in the login field and, in the password field, whatever we specify manually on the switch:
(config)
Then all phone accounts in AD must have this password.
Used materials:
IEEE 802.1X Port-Based Authentication
MAC Authentication Bypass Deployment Guide