Dot1x Ipt Cisco
Abstract
The IEEE 802.1X standard defines a client-server based access control and authentication
protocol that restricts unauthorized clients from connecting to a LAN through publicly
accessible ports. 802.1X provides a means of authenticating and authorizing users attached to a
LAN port and of preventing access to that port in cases where the authentication process fails.
Cisco Catalyst 6509, 4503 and 3750 Switches support 802.1X as authenticators and Avaya IP
Telephones support 802.1X as supplicants. These Application Notes provide the steps
necessary to configure 802.1X on the Cisco Catalyst Switches and the Avaya IP Telephone
with an attached PC using FreeRADIUS server.
• Supplicant – a port access entity (PAE) that requests access to the network. For
example, an Avaya IP Telephone and the attached PC can be configured to support
802.1X supplicants.
• Authenticator – a PAE that facilitates the authentication of the supplicant. The Cisco
Catalyst switches function as authenticator PAEs that control the physical access to the
network based on the authentication status of a supplicant.
802.1X makes use of Extensible Authentication Protocol (EAP) messages. The protocol in
802.1X is called EAP encapsulation over LANs (EAPOL). It is currently defined for Ethernet-
like LANs including 802.11 wireless. The Authenticator becomes the middleman for relaying
EAP received in 802.1X packets to an authentication server by using the RADIUS format to
carry the EAP information.
The following shows typical EAP-MD5 message exchanges for the 802.1X protocol. The authenticator or the supplicant can initiate authentication. When the switch detects the port link state transitions from down to up, the switch will send an EAP-request/identity frame to the client to request its identity. When the client receives the frame, it responds with an EAP-response/identity frame. If the client does not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client's identity. Figure 1 shows typical flows for the Avaya IP Telephone, the Cisco Catalyst Switch and an authentication server using the EAP-MD5 authentication.
Avaya IP telephones can prompt the user for a username and password, and the username and
password can be stored. For example, the user may be prompted for a username and password
if the username and password have never been entered in the phone, if the phone has been reset
to the manufacturer’s default values, or if the RADIUS server rejects the current username and
password. The default username is the phone’s MAC address (upper case letters without
colons). Once entered, the phone will save the username and password, and the saved values
will be re-used (without prompting the user) when the phone is restarted.
Figure 1: EAP-MD5 message flow between the Avaya IP Telephone (supplicant), the Cisco Catalyst switch (authenticator) and the authentication server. Messages shown in the figure, in order: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Response/MD5 Response, EAP Success, EAP Reject, EAPOL-Logoff.
1. The supplicant (the Avaya IP Telephone) sends an “EAPOL Start” packet to the authenticator (a Cisco Catalyst switch). The IP Telephone will ignore the EAP-request/identity frames from the switch during its booting process.
4. The authentication server recognizes the packet as an EAP-MD5 type and sends back a
challenge message to the authenticator. The authenticator removes the authentication
5. The supplicant responds to the challenge and the authenticator passes the response onto
the authentication server.
6. If the supplicant provides proper identity, the authentication server responds with a
success message. The authenticator passes the message onto the supplicant and allows
access to the LAN.
7. If the supplicant does not provide proper identity, the authentication server responds
with a reject message. The authenticator passes the message onto the supplicant and
blocks access to the LAN.
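The exchange in the numbered steps above, as an added example that is not part of the Application Notes: a minimal simulation of the EAP-MD5 flow with all three roles. The supplicant (the IP Telephone) uses its MAC address, upper case without colons, as the username; the authenticator (the switch) only relays EAP and then authorizes or blocks the port; the authentication server holds the user table (standing in for the FreeRADIUS users file) and verifies the challenge response. The response value, MD5(identifier || password || challenge), is the CHAP computation that EAP-MD5 reuses. The password, the fixed EAP identifier and the class names are constructed for this example.

```python
# Added example, not code from the Application Notes: simulation of the EAP-MD5
# exchange between supplicant (phone), authenticator (switch) and server.
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def mac_to_username(mac: str) -> str:
    """Default phone username: the MAC address, upper case, separators removed."""
    for sep in (":", "-", "."):
        mac = mac.replace(sep, "")
    return mac.upper()


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5 over EAP identifier, secret and challenge (CHAP style)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


@dataclass
class Supplicant:
    mac: str
    password: bytes

    def identity(self) -> str:
        return mac_to_username(self.mac)

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return md5_response(identifier, self.password, challenge)


@dataclass
class AuthServer:
    users: dict  # username -> password; stands in for the RADIUS users file

    def new_challenge(self) -> bytes:
        return os.urandom(16)  # fresh, unpredictable challenge for every attempt

    def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        password = self.users.get(username)
        if password is None:
            return False  # unknown identity: reject
        expected = md5_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)


@dataclass
class Authenticator:
    """The switch port: relays EAP between supplicant and server, then opens or blocks the port."""
    server: AuthServer
    port_authorized: bool = False
    transcript: list = field(default_factory=list)

    def run(self, supplicant: Supplicant) -> str:
        identifier = 1  # EAP identifier; a real authenticator increments it per request
        self.transcript.append("EAPOL-Start")           # supplicant -> authenticator
        self.transcript.append("EAP-Request/Identity")  # authenticator -> supplicant
        username = supplicant.identity()
        self.transcript.append(f"EAP-Response/Identity ({username})")
        challenge = self.server.new_challenge()         # server -> authenticator, relayed on
        self.transcript.append("EAP-Request/MD5 Challenge")
        response = supplicant.answer(identifier, challenge)
        self.transcript.append("EAP-Response/MD5 Response")
        if self.server.verify(username, identifier, challenge, response):
            self.port_authorized = True                 # port opened for the LAN
            self.transcript.append("EAP Success")
        else:
            self.port_authorized = False                # port stays blocked
            self.transcript.append("EAP Reject")
        return self.transcript[-1]


if __name__ == "__main__":
    server = AuthServer({"00040D508820": b"phone-password"})  # constructed sample user
    switch = Authenticator(server)
    print(switch.run(Supplicant("00:04:0d:50:88:20", b"phone-password")))  # EAP Success
    print(Authenticator(server).run(Supplicant("00:04:0d:50:88:20", b"wrong")))  # EAP Reject
```

The authenticator never sees the password: it only forwards the challenge and the response, which is why the RADIUS shared secret in the switch and FreeRADIUS configuration later in these notes protects the switch-to-server leg rather than the phone's credential.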
Figure 2 shows the network diagram used in these Application Notes. The Cisco Catalyst
switches and Avaya IP Telephones support EAP-MD5 authentication. EAP-MD5 was
configured on the Cisco Catalyst switches and Avaya IP Telephones.
Figure 2: Network diagram (labels recovered from the figure). Cisco Catalyst 6509, Switch IP 192.168.88.2, Router IP 192.168.88.1; Microsoft DHCP Server 192.168.88.31; 192.168.88.61; Cisco Catalyst 3750 Series; Avaya 4620SW, 4621SW, 4622SW IP Telephones; Avaya 4610SW IP Telephone; switch ports GE 2/35 auto, GE 8/9, GE 7/1 auto, GE 7/2 auto, FE 1/0/1 auto.
Equipment                                                 Software
Avaya S8500 Media Server                                  Avaya Communication Manager 3.1.1 (load 628.7)
Avaya G650 Media Gateway
  IPSI (TN2312BP)                                         HW12 FW030
  C-LAN (TN799DP)                                         HW01 FW017
  MEDPRO (TN2302AP)                                       HW11 FW108
Avaya 4610SW IP Telephone                                 2.32.3e*
Avaya 4620SW IP Telephone                                 2.32.3e*
Avaya 4621SW IP Telephone                                 2.32.3e*
Avaya 4622SW IP Telephone                                 2.32.3e*
Avaya 6210 Analog Telephone                               N/A
Cisco Catalyst 6509 with WS-F6K-GE48-AF (PoE module)      Cat 8.5(3)
Cisco Catalyst 4503 with WS-X4548-GB-RJ45V (PoE module)   12.2(25)
Cisco Catalyst 3750-24PS                                  12.2(25)
Red Hat Enterprise                                        ES R4
FreeRADIUS Server                                         1.1.1
OpenSSL                                                   0.9.8a
* Testing was performed using this beta release. At time of publication, 802.1X support was
not included in a generally available version of the telephone firmware. However, it is
expected that 802.1X support will be included in a forthcoming generally available version of
the telephone firmware.
Cisco Catalyst switches support the single-host and multi-host modes for the Cisco IOS and
CatOS software. The Catalyst 6509 running the Cisco CatOS software also supports the
multiple authentication mode. The Cisco Catalyst switches will use a well-known Multicast
MAC address 01:80:C2:00:00:03 for all EAPOL messages for the single-host and Multi-host
modes. Note that 802.1X is not supported on a trunk port.
• Single-host – A port is only allowed to support one 802.1X client on its primary VLAN.
Other workstations on that port will be blocked. The single-host mode cannot support an
IP Telephone with an attached PC.
• Multi-host – For the Catalyst switches (for example, Cisco Catalyst 4503 and 3750)
running Cisco IOS system software, additional clients on the voice VLAN are
unrestricted after 802.1X authentication succeeds on the primary VLAN.
For the Catalyst switch (for example, Cisco 6509) running Cisco CatOS software, when
a port is configured with an auxiliary VLAN and a native VLAN, the 802.1X
authentication only applies to the native VLAN, and the auxiliary VLAN will bypass the
802.1X. Since Avaya IP Telephones need both the native and auxiliary VLANs access
for a typical deployment using a DHCP server, the IP Telephone must be used to
authenticate the port.
For both Cisco IOS and CatOS software, the Avaya IP Telephone can be used to
authenticate the port for the Multi-host mode, and the attached PC can get access to the
network without the need for authentication. The IP Telephone can be put on the voice
VLAN (or the auxiliary VLAN) with the attached PC on the native VLAN.
• Pass-thru mode – Unicast supplicant operation for the IP Telephone itself, with PAE
multicast pass-through for the attached PC, but without proxy Logoff. This is the
default setting.
• Pass-thru with logoff – Unicast supplicant operation for the IP Telephone itself, with PAE multicast pass-through and proxy Logoff for the attached PC. When the attached PC is physically disconnected from the IP Telephone, the phone will send an EAPOL-Logoff for the attached PC.
Since the Cisco Catalyst switches only support Multicast operation for the single host and
multi-host modes, the Avaya IP Telephones must be configured to Supplicant Mode if the
Avaya IP Telephone is used to authenticate a port. Press “mute80219#” on the phone to
change the operational mode to Supplicant Mode.
Consider the example of IP Telephones and computers configured for DHCP in Figure 2. If the
IP Telephone is set to the manufacturer’s default configuration, the IP Telephone will initially
send a clear DHCP request. The Cisco Catalyst 6509 Switch port connected to the Avaya IP
Telephone is configured with both a native VLAN ID 89 and voice VLAN or auxiliary VLAN
ID 88 for the port. The clear DHCP request will be associated with the native VLAN 89 on the
port. The router interface on that VLAN is on the Catalyst 6509 Switch and has IP address
192.168.89.1. When the router interface relays the DHCP request to the configured DHCP
server 192.168.88.31, the DHCP server associates this request with the 192.168.89.0 scope and
returns a reply with Option 176 string, instructing the requestor to enable 802.1Q tagging with
VLAN ID 88. The IP Telephone receiving this reply will release the supplied IP address and
issue a new DHCP request with VLAN ID 88. This request will be associated with the voice
VLAN or auxiliary VLAN on the port. The DHCP server associates this request with scope
192.168.88.0 and replies with an IP address from that scope as well as several parameters in
Option 176.
When the attached PC issues a DHCP request, it will send a clear DHCP request. This request
will be served in the same way as the initial request from the phone. However, the computer
will ignore Option 176 values specifying a new VLAN. Therefore, no new DHCP request is
issued.
If 802.1X is enabled on the ports connected to the Avaya IP Telephones with the attached PCs,
the Catalyst switches must forward the traffic from the IP Telephones on the native VLAN and
voice VLAN. If the port security is enabled on these ports, the maximum number of secure
MAC addresses must be set to 3 (the PC’s MAC on the native VLAN, the phone’s MAC on the
native VLAN and the phone’s MAC on the voice VLAN).
The 802.1X operational mode can also be configured through Option 176; the phone's 802.1X
operational mode changes once the phone receives Option 176 from the DHCP server. The format
is:
dot1x=0 for “pass-thru mode”, 1 for “pass-thru with logoff mode”, and 2 for “Supplicant mode”.
By default, all ports are configured in the force-authorized mode. The command set port dot1x
port-control can be used to configure a port in the force-unauthorize, auto or force-authorize
mode. It is highly recommended to configure all ports connected to the IP Telephones or the
PCs in the auto mode for high security. The ports connected to the servers including the
Microsoft DHCP server, the Avaya S8500 Media Server and the Avaya G650 Media Gateways
in Figure 1 are left in the force-authorize mode. The following screen shows that port 7/1
connected to a phone is configured to the auto mode.
By default, the 802.1X multiple hosts mode is disabled. Use the command set port dot1x
<port#> multiple-host enable to enable 802.1X multiple hosts mode on the specified ports.
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.168.88.61 auth-port 1812 acct-port 1813 key 1234567890123
Catalyst-4503#show dot1x
Sysauthcontrol = Enabled
Supplicant Allowed In Guest Vlan = Disabled
Dot1x Protocol Version = 1
Dot1x Oper Controlled Directions = Both
Dot1x Admin Controlled Directions = Both
interface GigabitEthernet2/34
switchport access vlan 89
switchport mode access
switchport voice vlan 88
dot1x port-control auto
dot1x host-mode multi-host
dot1x reauthentication
spanning-tree portfast
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
dot1x system-auth-control
interface FastEthernet1/0/1
switchport access vlan 89
switchport mode access
switchport voice vlan 88
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x reauthentication
spanning-tree portfast
To support a Cisco Catalyst switch as an authenticator, the Cisco Catalyst must be configured in
the clients.conf. For the sample configuration, this file is under /usr/local/etc/raddb directory.
All the Catalyst switches in these Application Notes are added as authenticators at the end of
the clients.conf file.
client 192.168.88.2/32 {
secret = 1234567890123
shortname = C6509
NAS-IP-Address = 192.168.88.2
}
client 192.168.88.7/32 {
secret = 1234567890123
shortname = C3750
NAS-IP-Address = 192.168.88.7
}
client 192.168.88.8/32 {
secret = 1234567890123
shortname = C4503
NAS-IP-Address = 192.168.88.8
}
Configure a username with a password in the users file under the /usr/local/etc/raddb directory for
an Avaya IP Telephone. The default user name for an IP Telephone is its MAC address in
upper case letters without colons. Note that FreeRADIUS runs on the Linux operating system
and user names are case sensitive.
Use the command show port dot1x user to display dot1x user information. The following
screen shows that username 00040D508820 is used to authenticate port 7/1. 00040D508820 is
the MAC address of the IP Telephone.
Verify that the Avaya IP Telephone is configured to the supplicant mode by pressing “mute
80219#”. You will be prompted to enter a username and password if the authentication fails.
Use the command show cam dynamic <port#> to verify that the Cisco Catalyst learns the
MAC addresses of the IP Telephone and the attached PC in different VLANs.
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -----------------------------------------
88 00-04-0d-50-88-20 7/1 [ALL]
89 00-b0-d0-3e-a7-61 7/1 [ALL]
Total Matching CAM Entries Displayed = 2
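The verification step above, and the port-security note earlier (a maximum of 3 secure MAC addresses on a phone port), as an added example that is not part of the Application Notes: a parser for the show cam dynamic output that checks the phone's MAC is learned on the voice VLAN, the attached PC's MAC on the native VLAN of the same port, and that the number of (VLAN, MAC) pairs on the port stays within the port-security maximum. The sample output is copied from the page; which MAC is the phone is derived from the RADIUS username 00040D508820 stated in the text. Function names are this example's own.

```python
# Added example, not from the Application Notes: check a phone port's CAM entries
# against the expectations stated in the text.
import re

# "show cam dynamic 7/1" output as shown in the Application Notes.
SHOW_CAM_SAMPLE = """\
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -----------------------------------------
88 00-04-0d-50-88-20 7/1 [ALL]
89 00-b0-d0-3e-a7-61 7/1 [ALL]
Total Matching CAM Entries Displayed = 2
"""

# One CAM row: VLAN, MAC in xx-xx-xx-xx-xx-xx form, destination port.
CAM_ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+(\S+)")


def parse_show_cam(text: str) -> list:
    """Return (vlan, mac, port) tuples; MAC normalised to lower case. Header and trailer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = CAM_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return rows


def mac_to_username(mac: str) -> str:
    """The phone's default 802.1X username: its MAC, upper case, separators removed."""
    return re.sub(r"[-:.]", "", mac).upper()


def secure_mac_count(rows: list, port: str) -> int:
    """Distinct (VLAN, MAC) pairs on the port, which is what port security counts."""
    return len({(vlan, mac) for vlan, mac, p in rows if p == port})


def check_phone_port(rows, port, voice_vlan, native_vlan, phone_username, max_secure=3):
    """Return a list of findings; an empty list means the port looks as the text expects."""
    findings = []
    on_port = [(vlan, mac) for vlan, mac, p in rows if p == port]
    phone_vlans = {vlan for vlan, mac in on_port if mac_to_username(mac) == phone_username}
    pc_macs = {mac for vlan, mac in on_port
               if vlan == native_vlan and mac_to_username(mac) != phone_username}
    if voice_vlan not in phone_vlans:
        findings.append(f"phone {phone_username} not learned on voice VLAN {voice_vlan}")
    if not pc_macs:
        findings.append(f"no PC MAC learned on native VLAN {native_vlan}")
    if len(pc_macs) > 1:
        # Multi-host mode lets additional hosts through once the phone authenticates,
        # so a second non-phone MAC is worth a look even if port security allows it.
        findings.append(f"more than one non-phone MAC on native VLAN {native_vlan}: {sorted(pc_macs)}")
    count = secure_mac_count(rows, port)
    if count > max_secure:
        findings.append(f"{count} secure MACs on {port} exceed the maximum of {max_secure}")
    return findings


if __name__ == "__main__":
    rows = parse_show_cam(SHOW_CAM_SAMPLE)
    print(rows)
    print(check_phone_port(rows, "7/1", 88, 89, "00040D508820") or "port 7/1 OK")
```

The sample shows only two entries because the phone's MAC had not been learned on the native VLAN at that moment; the third secure MAC the text allows for is exactly that entry, which appears while the phone is still untagged on VLAN 89 during its initial DHCP exchange.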
Use the command show mac-address-table interface to verify that the switch has learned the
MACs for the PC and the Telephone.
Use the command debug dot1x all to troubleshoot an 802.1X problem on the Catalyst 4503.
Similar output from the Cisco Catalyst 3750 is shown in Section 4.3; refer to that section for
details.
! --- Send the EAP-Request/Identity from the supplicant to the RADIUS server.
*Apr 15 22:08:24.844: dot1x-packet:Received an EAP request packet from EAP for mac 0004.0d50.8820
*Apr 15 22:08:24.844: dot1x-sm:Posting EAP_REQ on Client=3BC1ED8
*Apr 15 22:08:24.844: dot1x_auth_bend Fa1: during state auth_bend_response, got event 7(eapReq)
*Apr 15 22:08:24.844: @@@ dot1x_auth_bend Fa1: auth_bend_response -> auth_bend_request
! Send the EAP-Response/MD5 from the supplicant to the RADIUS Server.
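The debug dot1x all output above, as an added example that is not part of the Application Notes: a parser that turns lines of that form into a per-port timeline of authenticator back-end state transitions and the MAC addresses seen, and reports ports whose last transition entered a failure state. The first four sample lines are the page's own output re-joined onto single lines; the fifth line is constructed, and the state name auth_bend_fail in it is an assumption standing for a failure state (the page shows no failing exchange). Function names are this example's own.

```python
# Added example, not from the Application Notes: structure "debug dot1x all"
# lines and flag ports whose back-end state machine ended in failure.
import re

DEBUG_SAMPLE = """\
*Apr 15 22:08:24.844: dot1x-packet:Received an EAP request packet from EAP for mac 0004.0d50.8820
*Apr 15 22:08:24.844: dot1x-sm:Posting EAP_REQ on Client=3BC1ED8
*Apr 15 22:08:24.844: dot1x_auth_bend Fa1: during state auth_bend_response, got event 7(eapReq)
*Apr 15 22:08:24.844: @@@ dot1x_auth_bend Fa1: auth_bend_response -> auth_bend_request
*Apr 15 22:08:25.201: @@@ dot1x_auth_bend Fa1: auth_bend_request -> auth_bend_fail
"""
# The last line above is constructed; "auth_bend_fail" is an assumed failure state name.

# IOS debug line: "*Mon DD hh:mm:ss.mmm: message"
LINE = re.compile(r"^\*(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+):\s+(?P<msg>.*)$")
# State transition line: "@@@ <machine> <port>: <old> -> <new>"
TRANSITION = re.compile(r"^@@@\s+(?P<machine>\S+)\s+(?P<port>[^:]+):\s+(?P<old>\S+)\s+->\s+(?P<new>\S+)$")
# MAC in dotted Cisco form after "for mac"
MAC = re.compile(r"\bfor mac\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")


def parse_debug(text: str) -> list:
    """Split each line into (timestamp, message); lines without the IOS prefix are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            records.append((m.group("ts"), m.group("msg")))
    return records


def transitions(text: str) -> list:
    """(timestamp, port, old_state, new_state) for every '@@@' transition line, in order."""
    out = []
    for ts, msg in parse_debug(text):
        m = TRANSITION.match(msg)
        if m:
            out.append((ts, m.group("port"), m.group("old"), m.group("new")))
    return out


def macs_seen(text: str) -> list:
    """MAC addresses mentioned in dot1x-packet lines, in order of first appearance."""
    seen = []
    for _, msg in parse_debug(text):
        m = MAC.search(msg)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def ports_in_failure(text: str, failure_suffix: str = "_fail") -> list:
    """Ports whose most recent transition entered a state named with the failure suffix."""
    last_state = {}
    for _, port, _, new in transitions(text):
        last_state[port] = new
    return sorted(p for p, s in last_state.items() if s.endswith(failure_suffix))


if __name__ == "__main__":
    for ts, port, old, new in transitions(DEBUG_SAMPLE):
        print(f"{ts} {port}: {old} -> {new}")
    print("MACs:", macs_seen(DEBUG_SAMPLE))
    print("ports ending in failure:", ports_in_failure(DEBUG_SAMPLE))
```

Feeding a longer capture through transitions() gives the order of states the switch walked through for each port, which is the quickest way to see whether an exchange stalled waiting on the supplicant, waiting on the RADIUS server, or was rejected.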
5 Conclusion
As illustrated in these Application Notes, Avaya IP Telephones can be configured as 802.1X
supplicants and Cisco Catalyst switches can be configured as 802.1X authenticators. The Cisco
Catalyst switches can use the FreeRADIUS server to authenticate the Avaya IP Telephones.
When the IP Telephone is configured in the supplicant mode and the port connected to the
Avaya IP Telephone in the multi-host mode, the Avaya IP Telephone can be used to
authenticate the port so that the attached PC can get access to the network without the need for
authentication. The Avaya IP Telephone can be configured to use the voice VLAN or auxiliary
VLAN on the Cisco Catalyst switches so that the IP Telephone and the attached PC are in
different VLANs.
6 Additional References
The following Application Notes can be found at http://www.avaya.com.
[1] Configuring 802.1X Protocol On Avaya G250 and G350 Media Gateways For an Avaya
IP Telephone With an Attached PC
Please e-mail any questions or comments pertaining to these Application Notes along with the
full title name and filename, located in the lower right corner, directly to the Avaya Solution &
Interoperability Test Lab at interoplabnotes@list.avaya.com