[RADIATOR] Cisco IP Phones 802.1x Authentication?

Gregory Fuller gregory.fuller at oswego.edu
Thu Jun 17 16:36:59 CDT 2010


We're getting ready to a Cisco VOIP rollout here and I'd like to
enable 802.1x authentication on all of our phones (7942G and 7975G's).

From the Cisco docs it looks like they support EAP-MD5:

http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps8535/product_data_sheet0900aecd8069bb68.html

But I've seen some conflicting reports that MD5 support has been
removed from newer firmware versions.

Here's my radius config:

<Client xxx.xxx.xxx.xxx>
        # Configure 802.1x switch authentication for LANIGAN-SWITCHES
        #
        Identifier              LANIGAN-SWITCHES
        Secret                  xxxxxxx
        DupInterval             0
        IgnoreAcctSignature
</Client>
<Handler Client-Identifier=LANIGAN-SWITCHES>
        <AuthBy FILE>
                Filename %D/voip-phones
                EAPType MD5
        </AuthBy>
        AuthLog VOIP-AuthLogger
        AcctLogFileName /var/log/radius/VOIP-detail
</Handler>

Contents of my "voip-phone" authfile:

CP-7942G-SEP2893FE127C54        User-Password = test1234
                                Cisco-avpair = "device-traffic-class=voice"


And my switch config (I'm using a Cisco 3750v2-48PS running
12.2(53)SE) as the authenticator:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 129.3.22.134 auth-port 1812 acct-port 1813 key 7
xxxxxxxxxxxxxxxxxxxxx
dot1x system-auth-control
!
interface FastEthernet2/0/3
 description 26-9 Y
 switchport access vlan 28
 switchport mode access
 switchport voice vlan 2089
 shutdown
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 30
 dot1x pae authenticator
 spanning-tree portfast



All I get from the radiator log with trace level 5 enabled is:

Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
*** Received from 129.3.244.100 port 1645 ....

Packet length = 184
01 44 00 b8 9b 93 1e a7 b1 50 55 53 b5 23 ad 7b
7f 5f f8 3a 01 1a 43 50 2d 37 39 34 32 47 2d 53
45 50 32 38 39 33 46 45 31 32 37 43 35 34 06 06
00 00 00 02 0c 06 00 00 05 dc 1e 13 36 34 2d 31
36 2d 38 44 2d 46 35 2d 30 39 2d 30 35 1f 13 32
38 2d 39 33 2d 46 45 2d 31 32 2d 37 43 2d 35 34
4f 1f 02 01 00 1d 01 43 50 2d 37 39 34 32 47 2d
53 45 50 32 38 39 33 46 45 31 32 37 43 35 34 50
12 63 76 20 b5 e7 56 c4 ca 53 e4 e0 df f2 67 d0
e7 66 02 3d 06 00 00 00 0f 05 06 00 00 c4 1b 57
13 46 61 73 74 45 74 68 65 72 6e 65 74 32 2f 30
2f 33 04 06 81 03 f4 64
Code:       Access-Request
Identifier: 68
Authentic:  <155><147><30><167><177>PUS<181>#<173>{<127>_<248>:
Attributes:
        User-Name = "CP-7942G-SEP2893FE127C54"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "64-16-8D-F5-09-05"
        Calling-Station-Id = "28-93-FE-12-7C-54"
        EAP-Message = <2><1><0><29><1>CP-7942G-SEP2893FE127C54
        Message-Authenticator = cv
<181><231>V<196><202>S<228><224><223><242>g<208><231>
        EAP-Key-Name =
        NAS-Port-Type = Ethernet
        NAS-Port = 50203
        NAS-Port-Id = "FastEthernet2/0/3"
        NAS-IP-Address = xxxx.xxxx.xxxx.xxxx

Thu Jun 17 15:02:14 2010: DEBUG: Handling request with Handler
'Client-Identifier=LANIGAN-SWITCHES'
Thu Jun 17 15:02:14 2010: DEBUG:  Deleting session for
CP-7942G-SEP2893FE127C54, 129.3.244.100, 50203
Thu Jun 17 15:02:14 2010: DEBUG: Handling with Radius::AuthFILE:
Thu Jun 17 15:02:14 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
Thu Jun 17 15:02:14 2010: DEBUG: Response type 1
Thu Jun 17 15:02:14 2010: DEBUG: EAP result: 3, EAP MD5-Challenge
Thu Jun 17 15:02:14 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
MD5-Challenge
Thu Jun 17 15:02:14 2010: DEBUG: Access challenged for
CP-7942G-SEP2893FE127C54: EAP MD5-Challenge
Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
*** Sending to 129.3.244.100 port 1645 ....

Packet length = 82
0b 44 00 52 19 6d cc 6f 3a fa a6 fc 18 50 a8 1f
29 71 f9 13 4f 2c 01 02 00 2a 04 10 5d 68 89 02
09 5f 48 5d aa f2 d7 7d 62 a0 e2 95 72 61 64 69
75 73 2d 30 31 2e 6f 73 77 65 67 6f 2e 65 64 75
50 12 5f cb 5d 3e 32 22 33 d4 68 42 2e 71 d0 2d
0f 65
Code:       Access-Challenge
Identifier: 68
Authentic:  <25>m<204>o:<250><166><252><24>P<168><31>)q<249><19>
Attributes:
        EAP-Message =
<1><2><0>*<4><16>]h<137><2><9>_H]<170><242><215>}b<160><226><149>radius-01.oswego.edu
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>



I'm running Radiator v4.5.1 under CentOS 5.4.

Anyone have any experience with configuring Cisco IP phones to
authenticate via EAP-MD5 (or another means!) against Radiator?  I've
also opened a TAC case with Cisco to see if there's a bug in the
firmware -- but I'm not finding anything googling around or looking on
the Cisco site.

Any help or suggestions are appreciated!

--greg


Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller
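The Access-Challenge in the trace-5 log above, decoded as an added example (this is not code from the original post or from Radiator). It splits the RADIUS packet into its AVPs, pulls the EAP-Request/MD5-Challenge out of the EAP-Message attribute, and shows what a phone provisioned with the authfile password test1234 has to send back; the only assumption is that the 82 bytes are copied unchanged from the log.

```python
import hashlib
import struct

# Access-Challenge bytes copied from the Radiator trace-5 log in the post
# (Packet length = 82, Identifier 68).
ACCESS_CHALLENGE_HEX = (
    "0b 44 00 52 19 6d cc 6f 3a fa a6 fc 18 50 a8 1f "
    "29 71 f9 13 4f 2c 01 02 00 2a 04 10 5d 68 89 02 "
    "09 5f 48 5d aa f2 d7 7d 62 a0 e2 95 72 61 64 69 "
    "75 73 2d 30 31 2e 6f 73 77 65 67 6f 2e 65 64 75 "
    "50 12 5f cb 5d 3e 32 22 33 d4 68 42 2e 71 d0 2d "
    "0f 65"
)

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

def parse_radius(pkt: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (type, value) AVPs."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident,
            "authenticator": pkt[4:20], "attrs": attrs}

def parse_eap_md5_request(eap: bytes) -> dict:
    """Decode an EAP-Request/MD5-Challenge (RFC 3748 section 5.4): id, challenge, name."""
    code, ident, length, etype = struct.unpack("!BBHB", eap[:5])
    if code != 1 or etype != 4 or length != len(eap):
        raise ValueError("not a well-formed EAP-Request/MD5-Challenge")
    vsize = eap[5]
    return {"id": ident, "challenge": eap[6:6 + vsize], "name": eap[6 + vsize:].decode()}

def eap_md5_response(eap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Value the peer (the phone) must return: MD5(EAP id || password || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()

def decode_challenge(hex_dump: str) -> dict:
    radius = parse_radius(bytes.fromhex(hex_dump))
    # EAP-Message may be fragmented across several AVPs; they concatenate in order
    eap = b"".join(v for t, v in radius["attrs"] if t == EAP_MESSAGE)
    radius["eap"] = parse_eap_md5_request(eap)
    return radius

if __name__ == "__main__":
    r = decode_challenge(ACCESS_CHALLENGE_HEX)
    print(r["code"], r["id"], r["eap"]["name"], r["eap"]["challenge"].hex())
    print(eap_md5_response(r["eap"]["id"], b"test1234", r["eap"]["challenge"]).hex())
```

Note that the raw bytes carry a filled-in Message-Authenticator (5f cb 5d 3e ...) even though the decoded listing in the log prints it as sixteen zero bytes, so the hex dump, not the attribute listing, is what to compare against a capture on the switch side.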