
Avaya Solution & Interoperability Test Lab

Configuring 802.1X Protocol on Cisco Catalyst 6509, 4503
and 3750 Switches for Multi-host Mode Supporting an
Avaya IP Telephone With an Attached PC - Issue 1.1

Abstract

The IEEE 802.1X standard defines a client-server based access control and authentication
protocol that restricts unauthorized clients from connecting to a LAN through publicly
accessible ports. 802.1X provides a means of authenticating and authorizing users attached to a
LAN port and of preventing access to that port in cases where the authentication process fails.
Cisco Catalyst 6509, 4503 and 3750 Switches support 802.1X as authenticators and Avaya IP
Telephones support 802.1X as supplicants. These Application Notes provide the steps
necessary to configure 802.1X on the Cisco Catalyst Switches and the Avaya IP Telephone
with an attached PC using a FreeRADIUS server.

JZ; Reviewed: Solution & Interoperability Test Lab Application Notes 1 of 22


PV 12/7/2006 ©2006 Avaya Inc. All Rights Reserved. DOT1X-IPT-CISCO.doc
1 Introduction
The 802.1X protocol is an IEEE standard for media-level access control, offering the capability
to permit or deny network connectivity, control LAN access, and apply traffic policy, based on
user or machine identity. 802.1X consists of three components (or entities):

• Supplicant – a port access entity (PAE) that requests access to the network. For
example, an Avaya IP Telephone and the attached PC can be configured to support
802.1X supplicants.

• Authenticator – a PAE that facilitates the authentication of the supplicant. The Cisco
Catalyst switches function as authenticator PAEs that control the physical access to the
network based on the authentication status of a supplicant.

• Authentication server – a PAE, typically a Remote Authentication Dial-In User Service
(RADIUS) server that actually provides authentication service.

802.1X makes use of Extensible Authentication Protocol (EAP) messages. The protocol in
802.1X is called EAP encapsulation over LANs (EAPOL). It is currently defined for Ethernet-
like LANs including 802.11 wireless. The Authenticator becomes the middleman for relaying
EAP received in 802.1X packets to an authentication server by using the RADIUS format to
carry the EAP information.

The following shows typical EAP-MD5 message exchanges for the 802.1X protocol. The
authenticator or the supplicant can initiate authentication. When the switch detects the port link
state transitions from down to up, the switch will send an EAP-request/identity frame to the
client to request its identity. When the client receives the frame, it responds with an EAP-
response/identity frame. If the client does not receive an EAP-request/identity frame from the
switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts
the switch to request the client's identity. Figure 1 shows typical flows for the Avaya IP
Telephone, the Cisco Catalyst Switch and an authentication server using the EAP-MD5
authentication.

Avaya IP telephones can prompt the user for a username and password, and the username and
password can be stored. For example, the user may be prompted for a username and password
if the username and password have never been entered in the phone, if the phone has been reset
to the manufacturer’s default values, or if the RADIUS server rejects the current username and
password. The default username is the phone’s MAC address (upper case letters without
colons). Once entered, the phone will save the username and password, and the saved values
will be re-used (without prompting the user) when the phone is restarted.

[Figure 1 diagram: message sequence between the Supplicant PAE (Avaya IP Telephone), the
Authenticator PAE (Cisco Catalysts) and the Authentication Server. Messages and port states
in order: Port or MAC unauthorized; EAPOL-Start; EAP-Request/Identity;
EAP-Response/Identity; EAP-Request/MD5 Challenge; EAP-Response/MD5, Response; EAP Success
(Port or MAC authorized); EAP Reject (Port or MAC unauthorized); EAPOL-Logoff (Port or MAC
unauthorized).]

Figure 1: 802.1X Message Exchanges

The following describes the 802.1X flows in Figure 1:

1. The supplicant (the Avaya IP Telephone) sends an “EAPOL Start” packet to the
authenticator (a Cisco Catalyst switch). The IP Telephone will ignore the EAP-
request/identity frames from the switch during its booting process.

2. The authenticator responds with an “EAP-Request/Identity” packet to the supplicant.

3. The supplicant responds with an "EAP-Response/Identity" packet to the authenticator.
The authenticator strips the Ethernet header and encapsulates the remaining EAP frame
in the RADIUS format, and then sends it to the authentication server.

4. The authentication server recognizes the packet as an EAP-MD5 type and sends back a
challenge message to the authenticator. The authenticator removes the authentication
server’s frame header and encapsulates the remaining EAP frame into the EAPOL
format and then sends it to the supplicant.

5. The supplicant responds to the challenge and the authenticator passes the response onto
the authentication server.

6. If the supplicant provides proper identity, the authentication server responds with a
success message. The authenticator passes the message onto the supplicant and allows
access to the LAN.

7. If the supplicant does not provide proper identity, the authentication server responds
with a reject message. The authenticator passes the message onto the supplicant and
blocks access to the LAN.

8. When the supplicant is disabled or reset, the supplicant sends an EAPOL-Logoff
message, which prompts the authenticator to block access to the LAN.
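The following Python sketch walks through steps 1 to 7 above at the byte level. It is an added example, not part of the original Application Notes: the function names are hypothetical, the EAPOL version numbers and EAP identifier 3 mirror the debug output in Section 4.3, and the MD5 value follows the CHAP rule MD5(identifier || password || challenge) that EAP-MD5 uses.

```python
import hashlib
import hmac
import os
import struct

# Values from IEEE 802.1X and RFC 3748 (EAPOL packet types, EAP codes, EAP types).
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, length, then type + type-data if present."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol(version, pkt_type, body=b""):
    """EAPOL header (version, packet type, body length) followed by the body."""
    return struct.pack("!BBH", version, pkt_type, len(body)) + body


def parse_eapol(frame):
    """Parse the bytes that follow EtherType 0x888E; reject inconsistent lengths."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, pkt_type, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than declared length")
    out = {"version": version, "type": pkt_type, "length": length}
    if pkt_type == EAPOL_EAP:
        if length < 4:
            raise ValueError("truncated EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("EAP length inconsistent with EAPOL length")
        out.update(code=code, id=ident, eap_length=eap_len)
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len > 4:
            out["eap_type"] = body[4]
            out["data"] = body[5:eap_len]
    return out


def md5_value(ident, password, challenge):
    """EAP-MD5 response value: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def md5_type_data(value):
    """EAP-MD5 type-data: one value-size octet followed by the value."""
    return bytes([len(value)]) + value


def run_exchange(username, phone_password, server_password, challenge=None):
    """Return (port_state, trace); trace holds (sender, parsed frame) per step."""
    trace = []
    # Step 1: the phone opens with EAPOL-Start (version 1 in the debug log).
    trace.append(("supplicant", parse_eapol(eapol(1, EAPOL_START))))
    # Step 2: the switch asks for the identity (version 2, id 3 in the debug log).
    ident = 3
    req_id = eapol(2, EAPOL_EAP, eap(EAP_REQUEST, ident, EAP_TYPE_IDENTITY))
    trace.append(("authenticator", parse_eapol(req_id)))
    # Step 3: the phone answers with its username (its MAC address by default).
    resp_id = eapol(1, EAPOL_EAP,
                    eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, username))
    trace.append(("supplicant", parse_eapol(resp_id)))
    # Step 4: the RADIUS server issues an MD5 challenge, relayed by the switch.
    ident += 1
    challenge = challenge or os.urandom(16)
    req = parse_eapol(eapol(2, EAPOL_EAP, eap(EAP_REQUEST, ident, EAP_TYPE_MD5,
                                              md5_type_data(challenge))))
    trace.append(("server via authenticator", req))
    # Step 5: the phone hashes the challenge it received with its stored password.
    seen = req["data"][1:1 + req["data"][0]]
    value = md5_value(req["id"], phone_password, seen)
    resp = parse_eapol(eapol(1, EAPOL_EAP, eap(EAP_RESPONSE, req["id"],
                                               EAP_TYPE_MD5, md5_type_data(value))))
    trace.append(("supplicant", resp))
    # Steps 6/7: the server recomputes the value from its own copy of the password.
    # Only the supplicant is authenticated; the server proves nothing to the phone.
    got = resp["data"][1:1 + resp["data"][0]]
    ok = hmac.compare_digest(md5_value(ident, server_password, challenge), got)
    final = eapol(2, EAPOL_EAP, eap(EAP_SUCCESS if ok else EAP_FAILURE, ident))
    trace.append(("server via authenticator", parse_eapol(final)))
    return ("authorized" if ok else "unauthorized"), trace


if __name__ == "__main__":
    # Username and password are the sample values used in these Application Notes.
    state, steps = run_exchange(b"00040D508820", b"123456", b"123456")
    for sender, frame in steps:
        print(sender, frame)
    print("port state:", state)
```

The 12-character username gives an EAP length of 0x0011 in step 3, which is the length shown in the `pae-ether-type = 888e.0100.0011` line of the switch debug output.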

Figure 2 shows the network diagram used in these Application Notes. The Cisco Catalyst
switches and Avaya IP Telephones support EAP-MD5 authentication. EAP-MD5 was
configured on the Cisco Catalyst switches and Avaya IP Telephones.

[Figure 2 diagram: network used in these Application Notes. Labels recoverable from the
figure: Cisco Catalyst 4503 (IP: 192.168.88.8; phone ports GE 2/34 auto and GE 2/35 auto);
Cisco Catalyst 6509 (Switch IP: 192.168.88.2; Router IP: 192.168.88.1, 192.168.89.1; phone
ports GE 7/1 auto and GE 7/2 auto); Cisco Catalyst 3750 (IP: 192.168.88.7; phone ports
FE 1/0/1 auto and FE 1/0/2 auto); other port labels GE 1/1, GE 8/9, GE 2/33 and GE 1/0/1;
FreeRADIUS Server on Red Hat Linux (192.168.88.61); Microsoft DHCP Server and Avaya TFTP
Server (192.168.88.31); Avaya S8500 Media Server; Avaya G650 Media Gateway (C-LAN:
192.168.88.22); Avaya 6210 Analog Telephone; Avaya 4610SW, 4620SW, 4621SW and 4622SW IP
Telephones.]
Figure 2 – 802.1X Configuration With Avaya IP Telephones

2 Equipment and Software Validated
Table 1 shows the versions verified in these Application Notes.

Equipment Software
Avaya Communication Manager
Avaya S8500 Media Server 3.1.1 (load 628.7)
Avaya G650 Media Gateway
IPSI (TN2312BP) HW12 FW030
C-LAN (TN799DP) HW01 FW017
MEDPRO (TN2302AP) HW11 FW108
Avaya 4610SW IP Telephone 2.32.3e*
Avaya 4620SW IP Telephone 2.32.3e*
Avaya 4621SW IP Telephone 2.32.3e*
Avaya 4622SW IP Telephone 2.32.3e*
Avaya 6210 Analog Telephone N/A
Cisco Catalyst 6509 Cat 8.5(3)
WS-F6K-GE48-AF (PoE module)
Cisco Catalyst 4503 12.2(25)
WS-X4548-GB-RJ45V (PoE module)
Cisco Catalyst 3750-24PS 12.2(25)
Red Hat Enterprise ES R4
FreeRADIUS Server 1.1.1
OpenSSL 0.9.8a

Table 1: Equipment and Software Validated

* Testing was performed using this beta release. At time of publication, 802.1X support was
not included in a generally available version of the telephone firmware. However, it is
expected that 802.1X support will be included in a forthcoming generally available version of
the telephone firmware.

3 Configurations
The Cisco Catalyst switches can control the port authorization state. Three control modes can
be configured on a port:

• Force-authorized – Disables 802.1X port-based authentication and causes the port to
transition to the authorized state without any authentication exchange required. This is
the default setting.
• Force-unauthorized – Causes the port to remain in the unauthorized state, ignoring all
attempts by the client to authenticate.
• Auto – Enables 802.1X port-based authentication. Whether the port is in the authorized
state or the unauthorized state depends on the authentication result.

Cisco Catalyst switches support the single-host and multi-host modes for the Cisco IOS and
CatOS software. The Catalyst 6509 running the Cisco CatOS software also supports the
multiple authentication mode. The Cisco Catalyst switches will use a well-known Multicast
MAC address 01:80:C2:00:00:03 for all EAPOL messages for the single-host and Multi-host
modes. Note that 802.1X is not supported on a trunk port.

• Single-host – A port is only allowed to support one 802.1X client on its primary VLAN.
Other workstations on that port will be blocked. The single-host mode cannot support an
IP Telephone with an attached PC.

• Multi-host – For the Catalyst switches (for example, Cisco Catalyst 4503 and 3750)
running Cisco IOS system software, additional clients on the voice VLAN are
unrestricted after 802.1X authentication succeeds on the primary VLAN.

For the Catalyst switch (for example, Cisco 6509) running Cisco CatOS software, when
a port is configured with an auxiliary VLAN and a native VLAN, the 802.1X
authentication only applies to the native VLAN, and the auxiliary VLAN will bypass the
802.1X. Since Avaya IP Telephones need access to both the native and auxiliary VLANs
for a typical deployment using a DHCP server, the IP Telephone must be used to
authenticate the port.

For both Cisco IOS and CatOS software, the Avaya IP Telephone can be used to
authenticate the port for the Multi-host mode, and the attached PC can get access to the
network without the need for authentication. The IP Telephone can be put on the voice
VLAN (or the auxiliary VLAN) with the attached PC on the native VLAN.

• Multiple authentication – Multiple authentication mode is only supported on the Cisco
CatOS software and is a Cisco proprietary protocol. Multiple authentication mode
allows multiple dot1x-hosts on a port and every host is authenticated separately. Since
multiple authentication mode does not support an auxiliary VLAN, the Avaya IP
Telephone with an attached PC cannot be put in different VLANs although they may be
authenticated individually. This mode is not covered in these Application Notes.

Avaya IP Telephones support three 802.1X operational modes. The operational mode can
be changed by pressing “mute80219#” (i.e. mute 801x#) on the phone or through option
176 on the DHCP server.

• Pass-thru mode – Unicast supplicant operation for the IP Telephone itself, with PAE
multicast pass-through for the attached PC, but without proxy Logoff. This is the
default setting.

• Pass-thru with logoff – Unicast supplicant operation for the IP Telephone itself, with
PAE multicast pass-through and proxy Logoff for the attached PC. When the attached
PC is physically disconnected from the IP Telephone, the phone will send an EAPOL-
Logoff for the attached PC.

• Supplicant Mode – Unicast or multicast supplicant operation for the IP Telephone
itself, without PAE multicast pass-through or proxy Logoff for the attached PC.

Since the Cisco Catalyst switches only support Multicast operation for the single host and
multi-host modes, the Avaya IP Telephones must be configured to Supplicant Mode if the
Avaya IP Telephone is used to authenticate a port. Press “mute80219#” on the phone to
change the operational mode to Supplicant Mode.

3.1 DHCP Configuration for Avaya IP Telephones
Table 2 summarizes the Dynamic Host Configuration Protocol (DHCP) configuration. The
following describes how the Avaya IP Telephones work with the DHCP server after the 802.1X
authentication succeeds.

Consider the example of IP Telephones and computers configured for DHCP in Figure 2. If the
IP Telephone is set to the manufacturer’s default configuration, the IP Telephone will initially
send a clear DHCP request. The Cisco Catalyst 6509 Switch port connected to the Avaya IP
Telephone is configured with both a native VLAN ID 89 and voice VLAN or auxiliary VLAN
ID 88 for the port. The clear DHCP request will be associated with the native VLAN 89 on the
port. The router interface on that VLAN is on the Catalyst 6509 Switch and has IP address
192.168.89.1. When the router interface relays the DHCP request to the configured DHCP
server 192.168.88.31, the DHCP server associates this request with the 192.168.89.0 scope and
returns a reply with Option 176 string, instructing the requestor to enable 802.1Q tagging with
VLAN ID 88. The IP Telephone receiving this reply will release the supplied IP address and
issue a new DHCP request with VLAN ID 88. This request will be associated with the voice
VLAN or auxiliary VLAN on the port. The DHCP server associates this request with scope
192.168.88.0 and replies with an IP address from that scope as well as several parameters in
Option 176.

When the attached PC issues a DHCP request, it will send a clear DHCP request. This request
will be served in the same way as the initial request from the phone. However, the computer
will ignore Option 176 values specifying a new VLAN. Therefore, no new DHCP request is
issued.

If 802.1X is enabled on the ports connected to the Avaya IP Telephones with the attached PCs,
the Catalyst switches must forward the traffic from the IP Telephones on the native VLAN and
voice VLAN. If the port security is enabled on these ports, the maximum number of secure
MAC addresses must be set to 3 (the PC’s MAC on the native VLAN, the phone’s MAC on the
native VLAN and the phone’s MAC on the voice VLAN).

DHCP Scope     Option 3 Router   Option 176 String                               Notes
192.168.88.0   192.168.88.1      MCIPADD=192.168.88.22,TFTPSRVR=192.168.88.31    For Voice VLAN
192.168.89.0   192.168.89.1      L2QVLAN=88, TFTPSRVR=192.168.88.31              For native VLAN

Table 2 – DHCP Configuration Summary

The 802.1X operational mode can also be configured through Option 176. The phone’s 802.1X
operational mode will change once the phone receives Option 176 from the DHCP server. The
format is:
dot1x=0 for “pass-thru mode”, 1 for “pass-thru with logoff mode”, and 2 for “Supplicant mode”.

3.2 Configuring 802.1X on the Cisco Catalyst 6509
The following shows the annotated global RADIUS and 802.1X configuration. The RADIUS
authentication secret must match the configuration on the FreeRADIUS server. When 802.1X is
globally enabled, the RADIUS server will be used for the 802.1X authentication.

! --- Configure radius server
Console> (enable) set radius server 192.168.88.61 primary
192.168.88.61 with auth-port 1812 acct-port 1813 added to radius server table as primary server

! --- Configure radius authentication secret
Console> (enable) set radius key 1234567890123
Radius key set to 1234567890123

! --- Globally enable the radius authentication
Console> (enable) set dot1x system-auth-control enable
dot1x system-auth-control enabled.
Configured RADIUS servers will be used for dot1x authentication

Use the command show radius to verify the RADIUS configuration.

console> (enable) show radius
Active RADIUS Server       : 192.168.88.61
RADIUS Deadtime            : 0 minutes
RADIUS Key                 : 1234567890123
RADIUS Retransmit          : 2
RADIUS Timeout             : 5 seconds
Framed-Ip Address Transmit : Disabled
RADIUS Framed MTU          : 1000 bytes

RADIUS-Server                    Status  Auth-port Acct-port Resolved IP Address
-------------------------------- ------- --------- --------- ---------------
192.168.88.61                    primary 1812      1813

Use the command show dot1x to verify the 802.1X configuration.

Console> (enable) show dot1x
PAE Capability          Authenticator Only
Protocol Version        1
system-auth-control     enabled
max-req                 2
max-reauth-req          2
quiet-period            60 seconds
radius-accounting       disabled
radius-vlan-assignment  enabled
radius-keepalive state  enabled
re-authperiod           3600 seconds
server-timeout          30 seconds
shutdown-timeout        300 seconds
supp-timeout            30 seconds
tx-period               30 seconds

By default, all ports are configured in the force-authorized mode. The command set port dot1x
port-control can be used to configure a port in the force-unauthorize, auto or force-authorize
mode. It is highly recommended to configure all ports connected to the IP Telephones or the
PCs in the auto mode for high security. The ports connected to the servers including the
Microsoft DHCP server, the Avaya S8500 Media Server and the Avaya G650 Media Gateways
in Figure 1 are left in the force-authorize mode. The following screen shows that port 7/1
connected to a phone is configured to the auto mode.

Console> (enable) set port dot1x 7/1 port-control auto
Port 7/1 dot1x port-control is set to auto.
Trunking disabled for port 7/1 due to Dot1x feature.
Spantree port fast start option enabled for port 7/1.

By default, the 802.1X multiple hosts mode is disabled. Use the command set port dot1x
<port#> multiple-host enable to enable 802.1X multiple hosts mode on the specified ports.

Console> (enable) set port dot1x 7/1-2 multiple-host enable
Ports 7/1-2 Multiple-host option enabled.

The following screen shows that a native VLAN 89 and an auxiliary VLAN 88 are configured
on ports 7/1 and 7/2. The native VLAN will be used for the attached PCs and the auxiliary
VLAN 88 used for the IP Telephones.

Console> (enable) set vlan 89 7/1-2

console> (enable) set port auxiliaryvlan 7/1-2 88

By default, the re-authentication is not enabled. It is recommended to enable re-authentication
for high security. The default re-authentication period is 1 hour. Re-authentication does not
have any impact on the phone’s operation as long as the phone can provide the correct
credentials.

Console> (enable) set port dot1x 7/1-2 re-authentication enable
Ports 7/1-2 Dot1x re-authentication enabled

3.3 Configuring 802.1X on the Cisco Catalyst 4503


For the Catalyst switches (for example, Cisco Catalyst 4503 and 3750) running Cisco IOS
system software, additional clients on the voice VLAN are unrestricted after 802.1X
authentication succeeds on the primary VLAN. The Avaya IP Telephone can be used to
authenticate the primary VLAN, and the Avaya IP Telephone can be put on the voice VLAN.
The attached PC can get access to the network without the need for authentication. The
following screen shows the RADIUS configuration on the Catalyst 4503:

aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.168.88.61 auth-port 1812 acct-port 1813 key 1234567890123

Use the command show dot1x to verify the dot1x configuration.

Catalyst-4503#show dot1x
Sysauthcontrol = Enabled
Supplicant Allowed In Guest Vlan = Disabled
Dot1x Protocol Version = 1
Dot1x Oper Controlled Directions = Both
Dot1x Admin Controlled Directions = Both

The following screen shows the configuration on interface GigabitEthernet2/34. The
switchport mode must be configured to access since 802.1X is not supported on a trunk
interface. The command dot1x host-mode multi-host is used to configure a port in the
multiple-host mode. The command switchport access vlan 89 is used to configure a native
VLAN for the attached PC and the command switchport voice vlan 88 is used to configure a
voice VLAN 88 for the IP Telephone. Enable re-authentication for higher security.

interface GigabitEthernet2/34
 switchport access vlan 89
 switchport mode access
 switchport voice vlan 88
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x reauthentication
 spanning-tree portfast

3.4 Configuring 802.1X on the Cisco Catalyst 3750-24PS


A configuration similar to that of the Catalyst 4503 can be applied to the Cisco Catalyst 3750.
The following shows the configuration used in these Application Notes.

aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
dot1x system-auth-control

interface FastEthernet1/0/1
 switchport access vlan 89
 switchport mode access
 switchport voice vlan 88
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x reauthentication
 spanning-tree portfast

radius-server host 192.168.88.61 auth-port 1812 acct-port 1813 key 1234567890123
radius-server source-ports 1645-1646
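
The settings in Sections 3.3 and 3.4 can be checked mechanically across a saved running-config. The Python sketch below is an added example, not part of the original Application Notes; it assumes the one-space stanza indentation that IOS prints, and the FastEthernet1/0/2 and FastEthernet1/0/24 stanzas are constructed to show findings.

```python
# Commands the page's Catalyst 4503/3750 configuration relies on.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
)
REQUIRED_PORT = {
    "switchport mode access": "802.1X is not supported on a trunk port",
    "dot1x port-control auto": "default is force-authorized: no authentication exchange",
    "dot1x host-mode multi-host": "single-host mode blocks the PC behind the phone",
    "dot1x reauthentication": "the page recommends enabling re-authentication",
}

# Constructed sample: Fa1/0/1 is the page's port, the other two stanzas are invented.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet1/0/1
 switchport access vlan 89
 switchport mode access
 switchport voice vlan 88
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x reauthentication
 spanning-tree portfast
!
interface FastEthernet1/0/2
 switchport access vlan 89
 switchport voice vlan 88
 dot1x port-control force-authorized
 spanning-tree portfast
!
interface FastEthernet1/0/24
 switchport mode trunk
!
radius-server host 192.168.88.61 auth-port 1812 acct-port 1813 key <redacted>
"""


def parse_config(text):
    """Split a running-config into global lines and per-interface stanzas."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():                 # indented: belongs to the open stanza
            if current is not None:
                interfaces[current].append(line)
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:                                # other top-level command closes the stanza
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return (scope, missing_command, reason) findings for phone ports."""
    global_lines, interfaces = parse_config(text)
    findings = [("global", cmd, "802.1X is not enabled switch-wide")
                for cmd in REQUIRED_GLOBAL if cmd not in global_lines]
    if not any(l.startswith("radius-server host ") for l in global_lines):
        findings.append(("global", "radius-server host", "no RADIUS server defined"))
    for name, lines in interfaces.items():
        if not any(l.startswith("switchport voice vlan ") for l in lines):
            continue                         # only ports that carry a phone are in scope
        for cmd, reason in REQUIRED_PORT.items():
            if cmd not in lines:
                findings.append((name, cmd, reason))
    return findings


def ports_opened_by_phone(text):
    """Ports where, per the page, the attached PC gets access without authenticating."""
    _, interfaces = parse_config(text)
    return sorted(name for name, lines in interfaces.items()
                  if "dot1x host-mode multi-host" in lines
                  and "dot1x port-control auto" in lines)


if __name__ == "__main__":
    for scope, cmd, reason in audit(SAMPLE_CONFIG):
        print(f"{scope}: missing '{cmd}' ({reason})")
    print("PC rides on the phone's authentication:", ports_opened_by_phone(SAMPLE_CONFIG))
```

The second function is an inventory rather than a finding: in multi-host mode the data VLAN on those ports is opened by the phone's credentials alone.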

3.5 Configuring the FreeRADIUS Server and Odyssey Client
Refer to [1] for detailed information on how to install and configure the FreeRADIUS server
and the OpenSSL software on Red Hat Linux Operating System.

To support a Cisco Catalyst switch as an authenticator, the switch must be configured in
the clients.conf file. For the sample configuration, this file is under the /usr/local/etc/raddb
directory. All the Catalyst switches in these Application Notes are added as authenticators at
the end of the clients.conf file.

client 192.168.88.2/32 {
    secret = 1234567890123
    shortname = C6509
    NAS-IP-Address = 192.168.88.2
}
client 192.168.88.7/32 {
    secret = 1234567890123
    shortname = C3750
    NAS-IP-Address = 192.168.88.7
}
client 192.168.88.8/32 {
    secret = 1234567890123
    shortname = C4503
    NAS-IP-Address = 192.168.88.8
}

Configure a username with a password in the users file under the /usr/local/etc/raddb directory
for an Avaya IP Telephone. The default user name for an IP Telephone is its MAC address with
upper case letters without colons. Note that FreeRADIUS runs on the Linux Operating System
and user names are case sensitive.

00040D508820 User-Password == "123456"
00040D0065D3 User-Password == "123456"
00040D4CB324 User-Password == "123456"
00040D9B7DC5 User-Password == "123456"
00040D9BC38A User-Password == "123456"
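
Because user names are case sensitive and the switches print MAC addresses in lower-case dotted or dashed form, a users file entry copied from switch output will never match the phone's default username. The Python sketch below is an added example, not part of the original Application Notes: it cross-checks a users file against `show mac-address-table` output for the voice VLAN and also lists entries that share one password. The function names and both sample inputs are constructed.

```python
import re
from collections import defaultdict

MAC_ANY = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$"
                     r"|^(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$")
CANONICAL = re.compile(r"^[0-9A-F]{12}$")
USER_LINE = re.compile(r'^(\S+)\s+User-Password\s*==\s*"([^"]*)"')
MAC_ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s+\S+\s+\S+")

# Constructed users file: one correct entry and two that cannot match a phone.
SAMPLE_USERS = """\
00040D508820 User-Password == "123456"
00040d0065d3 User-Password == "123456"
00:04:0D:4C:B3:24 User-Password == "example-only-2"
"""

# First three rows are from Section 4.3; the Fa1/0/2 and Fa1/0/3 rows are constructed.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  88    0004.0d50.8820    DYNAMIC     Fa1/0/1
  89    0004.0d50.8820    STATIC      Fa1/0/1
  89    00b0.d03e.a761    DYNAMIC     Fa1/0/1
  88    0004.0d00.65d3    DYNAMIC     Fa1/0/2
  88    0004.0d9b.7dc5    DYNAMIC     Fa1/0/3
"""


def default_username(mac):
    """MAC in any common notation -> the phone's default username (12 upper-case hex)."""
    if not MAC_ANY.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return re.sub(r"[.:-]", "", mac).upper()


def parse_users(text):
    """Map user name -> password for 'NAME User-Password == "..."' lines."""
    users = {}
    for line in text.splitlines():
        match = USER_LINE.match(line.strip())
        if match:
            users[match.group(1)] = match.group(2)
    return users


def phones_on_vlan(mac_table, voice_vlan):
    """Default usernames of every MAC the switch learned on the voice VLAN."""
    names = set()
    for line in mac_table.splitlines():
        match = MAC_ROW.match(line)
        if match and int(match.group(1)) == voice_vlan:
            names.add(default_username(match.group(2)))
    return names


def check(users_text, mac_table, voice_vlan=88):
    """Report entries that cannot match, phones with no entry, and shared passwords."""
    users = parse_users(users_text)
    report = {"non_canonical": [], "missing": [], "shared_password": []}
    for name in users:
        # A MAC-like name that is not 12 upper-case hex digits never matches.
        if MAC_ANY.match(name) and not CANONICAL.match(name):
            report["non_canonical"].append((name, default_username(name)))
    report["missing"] = sorted(phones_on_vlan(mac_table, voice_vlan) - set(users))
    by_password = defaultdict(list)
    for name, password in users.items():
        by_password[password].append(name)
    report["shared_password"] = sorted(
        sorted(names) for names in by_password.values() if len(names) > 1)
    return report


if __name__ == "__main__":
    for kind, items in check(SAMPLE_USERS, SAMPLE_MAC_TABLE).items():
        print(kind, items)
```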

4 Verification
4.1 Verify 802.1X On the Catalyst 6509
Use the command show port dot1x to display the dot1x configuration and 802.1X status. The
following screen shows that port 7/1 is authorized.

Console> (enable) show port dot1x 7/1
Port  Auth-State          BEnd-State Port-Control        Port-Status
----- ------------------- ---------- ------------------- -------------
7/1   authenticated       idle       auto                authorized

Port  Port-Mode     Re-authentication Shutdown-timeout Control-Mode
                                                       admin oper
----- ------------- ----------------- ---------------- ---------------
7/1   MultiHost     enabled           disabled         Both  Both

Port  Posture-Token Critical Termination action Session-timeout
----- ------------- -------- ------------------ ---------------
7/1   -             NO       ReAuth             -

Use the command show port dot1x user to display dot1x user information. The following
screen shows that username 00040D508820 is used to authenticate port 7/1. 00040D508820 is
the MAC address of the IP Telephone.

Console> (enable) show port dot1x user
Username Mod/Port UserIP VLAN
-------- -------- ------ ----
00040D508820 7/1 0.0.0.0 89

Verify that the Avaya IP Telephone is configured to the supplicant mode by pressing “mute
80219#”. You will be prompted to enter a username and password if the authentication fails.

Use the command show cam dynamic <port#> to verify that the Cisco Catalyst learns the
MAC addresses of the IP Telephone and the attached PC in different VLANs.

Console> (enable) show cam dynamic 7/1
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry M = Mac-Auth-Bypass Entry

VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -----------------------------------------
88 00-04-0d-50-88-20 7/1 [ALL]
89 00-b0-d0-3e-a7-61 7/1 [ALL]
Total Matching CAM Entries Displayed = 2

Use the command set trace dot1x <debug levels 1-15> to troubleshoot an 802.1X problem on
the Catalyst 6509. A similar output from the Cisco Catalyst 3750 is shown in Section 4.3. Refer
to Section 4.3 for details.

4.2 Verify 802.1X Operation on the Catalyst 4503


Use the command show dot1x interface to display the dot1x configuration and 802.1X status
on the Catalyst 4503. The following screen shows that gigabitEthernet 2/34 is authorized using
the phone’s MAC address 0004.0d50.8820.

Catalyst-4503#show dot1x interface gigabitEthernet 2/34
Supplicant MAC 0004.0d50.8820
AuthSM State = AUTHENTICATED
BendSM State = IDLE
Posture = N/A
PortStatus = AUTHORIZED
MaxReq = 2
MaxAuthReq = 2
HostMode = Multi
PortControl = Auto
QuietPeriod = 60 Seconds
Re-authentication = Enabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
AuthFail-Vlan = 0
AuthFail-Max-Attempts = 3

Use the command show mac-address-table interface to verify that the switch has learned the
MACs for the PC and the Telephone.

Catalyst-4503#show mac-address-table interface gigabitEthernet 2/34
Unicast Entries
vlan mac address type protocols port
-------+---------------+--------+---------------------+--------------------
88 0004.0d50.8820 dynamic ip GigabitEthernet2/34
89 00b0.d03e.a761 dynamic ip GigabitEthernet2/34

Use the command debug dot1x all to troubleshoot an 802.1X problem on the Catalyst 4503. A
similar output from the Cisco Catalyst 3750 is shown in Section 4.3. Refer to Section 4.3 for
details.

4.3 Verify 802.1X Operation on the Catalyst 3750
Use the command show dot1x interface to display the dot1x configuration and 802.1X status.
The following screen shows that fastEthernet 1/0/1 is authorized using the phone’s MAC address
0004.0d50.8820.

C3750-24PS#show dot1x interface fastEthernet 1/0/1 details

Dot1x Info for FastEthernet1/0/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_HOST
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0

Dot1x Authenticator Client List
-------------------------------
Supplicant = 0004.0d50.8820
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
ReAuthPeriod = 3600
ReAuthAction = Reauthenticate
TimeToNextReauth = 3202
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = N/A

Use the command show mac-address-table interface to verify that the switch has learned the
MACs for the PC and the Telephone.

C3750-24PS#show mac-address-table interface fastEthernet 1/0/1
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
88 0004.0d50.8820 DYNAMIC Fa1/0/1
89 0004.0d50.8820 STATIC Fa1/0/1
89 00b0.d03e.a761 DYNAMIC Fa1/0/1
Total Mac Addresses for this criterion: 3

Use the command debug dot1x all to troubleshoot an 802.1X problem. The following shows
the output of the successful authentication using an Avaya IP Telephone with MAC address
0004.0d50.8820.

! --- Receive the EAPOL Start frame from the supplicant.

*Apr 15 22:08:24.810: dot1x-packet:Received an EAPOL frame on interface FastEthernet1/0/1
*Apr 15 22:08:24.810: dot1x-ev:Received pkt saddr =0004.0d50.8820 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
*Apr 15 22:08:24.810: dot1x-packet:Received an EAPOL-Start packet on interface FastEthernet1/0/1
*Apr 15 22:08:24.810: EAPOL pak dump rx
*Apr 15 22:08:24.810: EAPOL Version: 0x1 type: 0x1 length: 0x0000
*Apr 15 22:08:24.810: dot1x-sm:Posting EAPOL_START on Client=3BC1ED8
*Apr 15 22:08:24.810: dot1x_auth Fa1: during state auth_connecting, got event 4(eapolStart) (ignored)
*Apr 15 22:08:24.835: dot1x-packet:Received an EAP request packet from EAP for mac 0004.0d50.8820
*Apr 15 22:08:24.835: dot1x-sm:Posting RX_REQ on Client=3BC1ED8
*Apr 15 22:08:24.835: dot1x_auth Fa1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Apr 15 22:08:24.835: @@@ dot1x_auth Fa1: auth_connecting -> auth_authenticating
*Apr 15 22:08:24.835: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_authenticating_enter called
*Apr 15 22:08:24.835: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_connecting_authenticating_action called
*Apr 15 22:08:24.835: dot1x-sm:Posting AUTH_START on Client=3BC1ED8
*Apr 15 22:08:24.835: dot1x_auth_bend Fa1: during state auth_bend_idle, got event 4(eapReq_authStart)

! --- Send the EAP-Request/Identity to the supplicant.

*Apr 15 22:08:24.835: @@@ dot1x_auth_bend Fa1: auth_bend_idle -> auth_bend_request
*Apr 15 22:08:24.835: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_bend_request_enter called
*Apr 15 22:08:24.835: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1 data:
*Apr 15 22:08:24.835: dot1x-ev:FastEthernet1/0/1:Sending EAPOL packet to group PAE address
*Apr 15 22:08:24.835: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/1.
*Apr 15 22:08:24.835: dot1x-registry:registry:dot1x_ether_macaddr called
*Apr 15 22:08:24.835: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet1/0/1
*Apr 15 22:08:24.835: EAPOL pak dump Tx
*Apr 15 22:08:24.835: EAPOL Version: 0x2 type: 0x0 length: 0x0005
*Apr 15 22:08:24.835: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1
*Apr 15 22:08:24.835: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (0004.0d50.8820)
*Apr 15 22:08:24.835: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_bend_idle_request_action called
*Apr 15 22:08:24.835: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/1.
*Apr 15 22:08:24.835: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
*Apr 15 22:08:24.835: dot1x-ev:Enqueued the eapol packet to the global authenticator queue

! --- Receive the EAP-Request/Identity from the supplicant.

*Apr 15 22:08:24.835: dot1x-packet:Received an EAPOL frame on interface
FastEthernet1/0/1
*Apr 15 22:08:24.835: dot1x-ev:Received pkt saddr =0004.0d50.8820 , daddr =
0180.c200.0003,
pae-ether-type = 888e.0100.0011
*Apr 15 22:08:24.835: dot1x-packet:Received an EAP packet on interface
FastEthernet1/0/1
*Apr 15 22:08:24.835: EAPOL pak dump rx
*Apr 15 22:08:24.835: EAPOL Version: 0x1 type: 0x0 length: 0x0011
*Apr 15 22:08:24.835: dot1x-packet:Received an EAP packet on the FastEthernet1/0/1
from mac 0004.0d50.8820
*Apr 15 22:08:24.835: dot1x-sm:Posting EAPOL_EAP on Client=3BC1ED8
*Apr 15 22:08:24.835: dot1x_auth_bend Fa1: during state auth_bend_request, got
event 6(eapolEap)

! --- Send the EAP-Request/Identity from the supplicant to the RADIUS server.

*Apr 15 22:08:24.835: @@@ dot1x_auth_bend Fa1: auth_bend_request ->
auth_bend_response
*Apr 15 22:08:24.835: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_bend_response_enter called
*Apr 15 22:08:24.835: dot1x-ev:dot1x_sendRespToServer: Response sent to the server
from 0004.0d50.8820
*Apr 15 22:08:24.835: dot1x-
sm:Fa1/0/1:0004.0d50.8820:auth_bend_request_response_action called

! Receive the EAP-Request/MD challenge from the RADIUS server.

*Apr 15 22:08:24.844: dot1x-packet:Received an EAP request packet from EAP for mac
0004.0d50.8820
*Apr 15 22:08:24.844: dot1x-sm:Posting EAP_REQ on Client=3BC1ED8
*Apr 15 22:08:24.844: dot1x_auth_bend Fa1: during state auth_bend_response, got
event 7(eapReq)
*Apr 15 22:08:24.844: @@@ dot1x_auth_bend Fa1: auth_bend_response ->
auth_bend_request

! Send the EAP-Request/MD challenge to the supplicant.

*Apr 15 22:08:24.844: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_bend_response_exit called
*Apr 15 22:08:24.844: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_bend_request_enter called
*Apr 15 22:08:24.844: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x4
length: 0x0016 type: 0x4 data: _._R- _>-qB{$_+?v
*Apr 15 22:08:24.844: dot1x-ev:FastEthernet1/0/1:Sending EAPOL packet to group PAE
address
*Apr 15 22:08:24.844: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination
not required on FastEthernet1/0/1.
*Apr 15 22:08:24.844: dot1x-registry:registry:dot1x_ether_macaddr called
*Apr 15 22:08:24.844: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on
FastEthernet1/0/1
*Apr 15 22:08:24.844: EAPOL pak dump Tx
*Apr 15 22:08:24.844: EAPOL Version: 0x2 type: 0x0 length: 0x0016
*Apr 15 22:08:24.844: EAP code: 0x1 id: 0x4 length: 0x0016 type: 0x4
*Apr 15 22:08:24.844: dot1x-packet:dot1x_txReq: EAPOL packet sent to client
(0004.0d50.8820)
*Apr 15 22:08:24.844: dot1x-
sm:Fa1/0/1:0004.0d50.8820:auth_bend_response_request_action called
*Apr 15 22:08:24.844: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination
not required on FastEthernet1/0/1.
*Apr 15 22:08:24.844: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt
on Authenticator Q
*Apr 15 22:08:24.844: dot1x-ev:Enqueued the eapol packet to the global authenticator
queue

! Receive the EAP-Request/MD response from the supplicant.

*Apr 15 22:08:24.844: dot1x-packet:Received an EAPOL frame on interface
FastEthernet1/0/1
*Apr 15 22:08:24.844: dot1x-ev:Received pkt saddr =0004.0d50.8820 , daddr =
0180.c200.0003,
pae-ether-type = 888e.0100.0016
*Apr 15 22:08:24.844: dot1x-packet:Received an EAP packet on interface
FastEthernet1/0/1
*Apr 15 22:08:24.844: EAPOL pak dump rx
*Apr 15 22:08:24.844: EAPOL Version: 0x1 type: 0x0 length: 0x0016
*Apr 15 22:08:24.844: dot1x-packet:Received an EAP packet on the FastEthernet1/0/1
from mac 0004.0d50.8820
*Apr 15 22:08:24.844: dot1x-sm:Posting EAPOL_EAP on Client=3BC1ED8
*Apr 15 22:08:24.844: dot1x_auth_bend Fa1: during state auth_bend_request, got
event 6(eapolEap)

! Send the EAP-Request/MD response from the supplicant to the RADIUS Server.

*Apr 15 22:08:24.844: @@@ dot1x_auth_bend Fa1: auth_bend_request ->
auth_bend_response
*Apr 15 22:08:24.844: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_bend_response_enter called
*Apr 15 22:08:24.844: dot1x-ev:dot1x_sendRespToServer: Response sent to the server
from 0004.0d50.8820
*Apr 15 22:08:24.844: dot1x-
sm:Fa1/0/1:0004.0d50.8820:auth_bend_request_response_action called

! Receive EAP/success from the RADIUS Server.

*Apr 15 22:08:24.844: dot1x-packet:Received an EAP Success on the FastEthernet1/0/1
for mac 0004.0d50.8820
*Apr 15 22:08:24.844: dot1x-sm:Posting EAP_SUCCESS on Client=3BC1ED8
*Apr 15 22:08:24.852: dot1x_auth_bend Fa1: during state auth_bend_response, got
event 11(eapSuccess)
*Apr 15 22:08:24.852: @@@ dot1x_auth_bend Fa1: auth_bend_response ->
auth_bend_success
*Apr 15 22:08:24.852: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_bend_response_exit called
*Apr 15 22:08:24.852: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_bend_success_enter called
*Apr 15 22:08:24.852: dot1x-
sm:Fa1/0/1:0004.0d50.8820:auth_bend_response_success_action called
*Apr 15 22:08:24.852: dot1x_auth_bend Fa1: idle during state auth_bend_success
*Apr 15 22:08:24.852: @@@ dot1x_auth_bend Fa1: auth_bend_success -> auth_bend_idle
*Apr 15 22:08:24.852: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_bend_idle_enter called
*Apr 15 22:08:24.852: dot1x-sm:Posting AUTH_SUCCESS on Client=3BC1ED8
*Apr 15 22:08:24.852: dot1x_auth Fa1: during state auth_authenticating, got event
12(authSuccess_portValid)
*Apr 15 22:08:24.852: @@@ dot1x_auth Fa1: auth_authenticating -> auth_authc_result
*Apr 15 22:08:24.852: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_authenticating_exit called
*Apr 15 22:08:24.852: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_authc_result_enter called

! FastEthernet 1/0/1 is authenticated by the IP Telephone on the native VLAN 89.

*Apr 15 22:08:24.852: dot1x-ev:dot1x_vlan_assign_authc_success called on interface
FastEthernet1/0/1
*Apr 15 22:08:24.852: dot1x-ev:Successfully assigned VLAN 0 to interface
FastEthernet1/0/1
*Apr 15 22:08:24.852: dot1x-sm:Posting AUTHC_SUCCESS on Client=3BC1ED8
*Apr 15 22:08:24.852: dot1x_auth Fa1: during state auth_authc_result, got event
22(authcSuccess)
*Apr 15 22:08:24.852: @@@ dot1x_auth Fa1: auth_authc_result -> auth_authz_success
*Apr 15 22:08:24.852: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_authz_success_enter called
*Apr 15 22:08:24.852: dot1x-ev:dot1x_switch_addr_add: Added MAC 0004.0d50.8820 to
vlan 89 on interface FastEthernet1/0/1
*Apr 15 22:08:24.852: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on
interface FastEthernet1/0/1
*Apr 15 22:08:24.852: dot1x-ev:Received successful Authz complete for 0004.0d50.8820
*Apr 15 22:08:24.852: dot1x-sm:Posting AUTHZ_SUCCESS on Client=3BC1ED8
*Apr 15 22:08:24.852: dot1x_auth Fa1: during state auth_authz_success, got event
25(authzSuccess)
*Apr 15 22:08:24.852: @@@ dot1x_auth Fa1: auth_authz_success -> auth_authenticated
*Apr 15 22:08:24.852: dot1x-sm:Fa1/0/1:0004.0d50.8820:auth_authenticated_enter called
*Apr 15 22:08:24.852: dot1x-sm:Fa1/0/1:0004.0d50.8820:dot1x_auth_start_reauth_timer
called
*Apr 15 22:08:24.852: dot1x-ev:Start REAUTHENTICATION timer
*Apr 15 22:08:24.852: dot1x-ev:Using locally configured value of 3600 for
reauthentication timer
*Apr 15 22:08:24.852: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x3 id: 0x4
length: 0x0004 type: 0x0 data:

! Send the EAP/Success to the supplicant.

*Apr 15 22:08:24.852: dot1x-ev:FastEthernet1/0/1:Sending EAPOL packet to group PAE
address
*Apr 15 22:08:24.852: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination
not required on FastEthernet1/0/1.
*Apr 15 22:08:24.852: dot1x-registry:registry:dot1x_ether_macaddr called
*Apr 15 22:08:24.852: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on
FastEthernet1/0/1
*Apr 15 22:08:24.852: EAPOL pak dump Tx
*Apr 15 22:08:24.852: EAPOL Version: 0x2 type: 0x0 length: 0x0004
*Apr 15 22:08:24.852: EAP code: 0x3 id: 0x4 length: 0x0004
*Apr 15 22:08:24.852: dot1x-packet:dot1x_txReq: EAPOL packet sent to client
(0004.0d50.8820)
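
When comparing a failing port against the successful trace above, it helps to reduce the debug output to its state transitions and decoded EAPOL/EAP headers. The following Python script is an added example, not part of the original Application Notes or of any Cisco or Avaya tool; the function names are hypothetical, and the sample input is constructed from records in the output above.

```python
import re
# Constructed sample: records copied from the output above, keeping its line wraps.
SAMPLE = """\
*Apr 15 22:08:24.810: dot1x-ev:Received pkt saddr =0004.0d50.8820 , daddr =
0180.c200.0003,
pae-ether-type = 888e.0101.0000
*Apr 15 22:08:24.835: @@@ dot1x_auth Fa1: auth_connecting -> auth_authenticating
*Apr 15 22:08:24.835: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1
*Apr 15 22:08:24.835: @@@ dot1x_auth_bend Fa1: auth_bend_request ->
auth_bend_response
*Apr 15 22:08:24.844: EAP code: 0x1 id: 0x4 length: 0x0016 type: 0x4
*Apr 15 22:08:24.852: @@@ dot1x_auth Fa1: auth_authz_success -> auth_authenticated
*Apr 15 22:08:24.852: EAP code: 0x3 id: 0x4 length: 0x0004
"""

EAPOL_TYPE = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}  # IEEE 802.1X
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_TYPE = {1: "Identity", 4: "MD5-Challenge"}                        # RFC 3748

def unwrap(text):
    # A record starts with '*'; any other non-blank line continues the previous one.
    records = []
    for line in text.splitlines():
        if line.startswith("*") or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def parse(text):
    transitions, packets = [], []
    for rec in unwrap(text):
        m = re.search(r"@@@ (\S+) \S+: (\w+) -> (\w+)", rec)
        if m:
            transitions.append(m.groups())
        # pae-ether-type = <ethertype>.<version><packet type>.<body length>
        m = re.search(r"pae-ether-type = 888e\.[0-9a-f]{2}([0-9a-f]{2})\.([0-9a-f]{4})", rec)
        if m:
            packets.append(("EAPOL", EAPOL_TYPE.get(int(m[1], 16), "?"), int(m[2], 16)))
        m = re.search(r"EAP code: (0x\w+) id: \S+ length: (0x\w+)(?: type: (0x\w+))?", rec)
        if m and "dot1x_mgr_send_eapol" not in rec:  # skip the duplicate summary line
            kind = "/" + EAP_TYPE.get(int(m[3], 16), "?") if m[3] else ""
            packets.append(("EAP", EAP_CODE.get(int(m[1], 16), "?") + kind, int(m[2], 16)))
    return transitions, packets

def port_authorized(transitions):
    # The authenticator machine (dot1x_auth) must finish in auth_authenticated.
    auth = [t for t in transitions if t[0] == "dot1x_auth"]
    return bool(auth) and auth[-1][2] == "auth_authenticated"
```

A trace that stops short of auth_authenticated, or that decodes an EAP Failure instead of Success, marks the point at which to compare against the FreeRADIUS debug output.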

4.4 Troubleshoot 802.1X on the FreeRADIUS server
If the IP Telephone or the attached PC cannot be authenticated by the FreeRADIUS server, use
the command radiusd -X to run the server in debugging mode. Refer to [1] for details.

5 Conclusion
As illustrated in these Application Notes, Avaya IP Telephones can be configured as 802.1X
supplicants and Cisco Catalyst switches can be configured as 802.1X authenticators. The Cisco
Catalyst switches can use the FreeRADIUS server to authenticate the Avaya IP Telephones.
When the IP Telephone is configured in supplicant mode and the switch port connected to the
Avaya IP Telephone is in multi-host mode, the Avaya IP Telephone can be used to
authenticate the port so that the attached PC can get access to the network without the need for
authentication. The Avaya IP Telephone can be configured to use the voice VLAN or auxiliary
VLAN on the Cisco Catalyst switches so that the IP Telephone and the attached PC are in
different VLANs.

6 Additional References
The following Application Notes can be found at http://www.avaya.com.

[1] Configuring 802.1X Protocol On Avaya G250 and G350 Media Gateways For an Avaya
IP Telephone With an Attached PC

©2006 Avaya Inc. All Rights Reserved.
Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and
™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks
are the property of their respective owners. The information provided in these Application
Notes is subject to change without notice. The configurations, technical data, and
recommendations provided in these Application Notes are believed to be accurate and
dependable, but are presented without express or implied warranty. Users are responsible for
their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the
full title name and filename, located in the lower right corner, directly to the Avaya Solution &
Interoperability Test Lab at interoplabnotes@list.avaya.com
