[RADIATOR] Cisco IP Phones 802.1x Authentication?
Hugh Irvine
hugh at open.com.au
Thu Jun 17 16:57:09 CDT 2010
Hello Greg -
As it happens I am doing exactly this at the moment.
The Cisco phones I have been working with do indeed use MD5 authentication.
The debug below shows Radiator sending an EAP-MD5 challenge, but then getting nothing further.
I think you will need to check the debug on the Cisco switch to see what is happening there.
Here is a copy of the relevant Radiator configuration file I have been using:
….
<Handler EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
    <AuthBy LDAP2>
        RewriteUsername s/(.+)SEP([0-9a-fA-F]{12})$/$2/
        NoDefault
        Host localhost
        Port 3268
        AuthDN radiator
        AuthPassword Passw0rd
        BaseDN CN=Users, DC=comms, DC=local
        UsernameAttr sAMaccountName
        PasswordAttr Description
        SearchFilter (%0=%1)
        Debug 255
        EAPType MD5
        EAPTLS_CAFile C:\Radiator\Radiator-Locked-4.5.1\certificates\demoCA\cacert.pem
        EAPTLS_CertificateFile C:\Radiator\Radiator-Locked-4.5.1\certificates\cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile C:\Radiator\Radiator-Locked-4.5.1\certificates\cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        EAPAnonymous %0
        EAPTLS_PEAPVersion 0
        AddToReply cisco-avpair="device-traffic-class=voice"
    </AuthBy>
</Handler>
…..
I can get you Cisco configuration details, etc. tomorrow.
regards
Hugh
On 17 Jun 2010, at 17:36, Gregory Fuller wrote:
> We're getting ready for a Cisco VOIP rollout here and I'd like to
> enable 802.1x authentication on all of our phones (7942G and 7975G's).
>
> From the Cisco docs it looks like they support EAP-MD5:
>
> http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps8535/product_data_sheet0900aecd8069bb68.html
>
> But I've seen some conflicting reports that MD5 support has been
> removed from newer firmware versions.
>
> Here's my radius config:
>
> <Client xxx.xxx.xxx.xxx>
>     # Configure 802.1x switch authentication for LANIGAN-SWITCHES
>     #
>     Identifier LANIGAN-SWITCHES
>     Secret xxxxxxx
>     DupInterval 0
>     IgnoreAcctSignature
> </Client>
> <Handler Client-Identifier=LANIGAN-SWITCHES>
>     <AuthBy FILE>
>         Filename %D/voip-phones
>         EAPType MD5
>     </AuthBy>
>     AuthLog VOIP-AuthLogger
>     AcctLogFileName /var/log/radius/VOIP-detail
> </Handler>
>
> Contents of my "voip-phone" authfile:
>
> CP-7942G-SEP2893FE127C54 User-Password = test1234
>     Cisco-avpair = "device-traffic-class=voice"
>
>
> And my switch config (I'm using a Cisco 3750v2-48PS running
> 12.2(53)SE) as the authenticator:
>
> aaa new-model
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> aaa session-id common
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> radius-server host 129.3.22.134 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxx
> dot1x system-auth-control
> !
> interface FastEthernet2/0/3
>  description 26-9 Y
>  switchport access vlan 28
>  switchport mode access
>  switchport voice vlan 2089
>  shutdown
>  authentication host-mode multi-domain
>  authentication port-control auto
>  authentication periodic
>  authentication timer reauthenticate 30
>  dot1x pae authenticator
>  spanning-tree portfast
>
>
>
> All I get from the radiator log with trace level 5 enabled is:
>
> Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
> *** Received from 129.3.244.100 port 1645 ....
>
> Packet length = 184
> 01 44 00 b8 9b 93 1e a7 b1 50 55 53 b5 23 ad 7b
> 7f 5f f8 3a 01 1a 43 50 2d 37 39 34 32 47 2d 53
> 45 50 32 38 39 33 46 45 31 32 37 43 35 34 06 06
> 00 00 00 02 0c 06 00 00 05 dc 1e 13 36 34 2d 31
> 36 2d 38 44 2d 46 35 2d 30 39 2d 30 35 1f 13 32
> 38 2d 39 33 2d 46 45 2d 31 32 2d 37 43 2d 35 34
> 4f 1f 02 01 00 1d 01 43 50 2d 37 39 34 32 47 2d
> 53 45 50 32 38 39 33 46 45 31 32 37 43 35 34 50
> 12 63 76 20 b5 e7 56 c4 ca 53 e4 e0 df f2 67 d0
> e7 66 02 3d 06 00 00 00 0f 05 06 00 00 c4 1b 57
> 13 46 61 73 74 45 74 68 65 72 6e 65 74 32 2f 30
> 2f 33 04 06 81 03 f4 64
> Code: Access-Request
> Identifier: 68
> Authentic: <155><147><30><167><177>PUS<181>#<173>{<127>_<248>:
> Attributes:
> User-Name = "CP-7942G-SEP2893FE127C54"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = "64-16-8D-F5-09-05"
> Calling-Station-Id = "28-93-FE-12-7C-54"
> EAP-Message = <2><1><0><29><1>CP-7942G-SEP2893FE127C54
> Message-Authenticator = cv
> <181><231>V<196><202>S<228><224><223><242>g<208><231>
> EAP-Key-Name =
> NAS-Port-Type = Ethernet
> NAS-Port = 50203
> NAS-Port-Id = "FastEthernet2/0/3"
> NAS-IP-Address = xxxx.xxxx.xxxx.xxxx
>
> Thu Jun 17 15:02:14 2010: DEBUG: Handling request with Handler
> 'Client-Identifier=LANIGAN-SWITCHES'
> Thu Jun 17 15:02:14 2010: DEBUG: Deleting session for
> CP-7942G-SEP2893FE127C54, 129.3.244.100, 50203
> Thu Jun 17 15:02:14 2010: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 17 15:02:14 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
> Thu Jun 17 15:02:14 2010: DEBUG: Response type 1
> Thu Jun 17 15:02:14 2010: DEBUG: EAP result: 3, EAP MD5-Challenge
> Thu Jun 17 15:02:14 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> MD5-Challenge
> Thu Jun 17 15:02:14 2010: DEBUG: Access challenged for
> CP-7942G-SEP2893FE127C54: EAP MD5-Challenge
> Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
> *** Sending to 129.3.244.100 port 1645 ....
>
> Packet length = 82
> 0b 44 00 52 19 6d cc 6f 3a fa a6 fc 18 50 a8 1f
> 29 71 f9 13 4f 2c 01 02 00 2a 04 10 5d 68 89 02
> 09 5f 48 5d aa f2 d7 7d 62 a0 e2 95 72 61 64 69
> 75 73 2d 30 31 2e 6f 73 77 65 67 6f 2e 65 64 75
> 50 12 5f cb 5d 3e 32 22 33 d4 68 42 2e 71 d0 2d
> 0f 65
> Code: Access-Challenge
> Identifier: 68
> Authentic: <25>m<204>o:<250><166><252><24>P<168><31>)q<249><19>
> Attributes:
> EAP-Message =
> <1><2><0>*<4><16>]h<137><2><9>_H]<170><242><215>}b<160><226><149>radius-01.oswego.edu
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
>
> I'm running Radiator v4.5.1 under CentOS 5.4.
>
> Anyone have any experience with configuring Cisco IP phones to
> authenticate via EAP-MD5 (or another means!) against Radiator? I've
> also opened a TAC case with Cisco to see if there's a bug in the
> firmware -- but I'm not finding anything googling around or looking on
> the Cisco site.
>
> Any help or suggestions are appreciated!
>
> --greg
>
>
> Gregory A. Fuller - CCNA
> Network Manager
> State University of New York at Oswego
> Phone: (315) 312-5750
> http://www.oswego.edu/~gfuller
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
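An added example, not part of this thread and not Radiator code: it decodes the two EAP-Message payloads that appear in Greg's packet dumps (the phone's EAP-Response/Identity and Radiator's EAP-Request/MD5-Challenge), applies the same regex Hugh's RewriteUsername uses to turn "CP-7942G-SEP2893FE127C54" into the MAC that becomes the LDAP username, cross-checks that MAC against the Calling-Station-Id the switch reported, and shows what the EAP-Response/MD5-Challenge Radiator was waiting for would contain, using the test1234 password from Greg's voip-phones file. The function names are my own; the only inputs are bytes and values already printed in the trace.

```python
import hashlib
import hmac
import re
import struct

# EAP codes and types from RFC 3748.
EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4

# EAP-Message payloads copied from the two packet dumps in Greg's trace:
# the phone's EAP-Response/Identity and Radiator's EAP-Request/MD5-Challenge.
PHONE_IDENTITY = bytes.fromhex(
    "0201001d01"                                         # Response, id 1, len 29, type Identity
    "43502d37393432472d534550323839334645313237433534")  # "CP-7942G-SEP2893FE127C54"
SERVER_CHALLENGE = bytes.fromhex(
    "0102002a0410"                                       # Request, id 2, len 42, MD5, Value-Size 16
    "5d688902095f485daaf2d77d62a0e295"                   # the 16-byte challenge value
    "7261646975732d30312e6f737765676f2e656475")          # Name "radius-01.oswego.edu"

# Same pattern as the RewriteUsername in Hugh's Handler: keep the 12 hex digits after "SEP".
SEP_RE = re.compile(r"(.+)SEP([0-9a-fA-F]{12})$")


def parse_eap(pkt: bytes) -> dict:
    """Decode the EAP header plus the Identity and MD5-Challenge payload layouts."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes on the wire")
    msg = {"code": code, "id": ident, "type": pkt[4]}
    if msg["type"] == TYPE_IDENTITY:
        msg["identity"] = pkt[5:].decode("ascii")
    elif msg["type"] == TYPE_MD5_CHALLENGE:
        vsize = pkt[5]                      # Value-Size byte precedes the MD5 value
        msg["value"] = pkt[6:6 + vsize]
        msg["name"] = pkt[6 + vsize:].decode("ascii")
    return msg


def mac_from_identity(identity: str):
    """What RewriteUsername s/(.+)SEP([0-9a-fA-F]{12})$/$2/ leaves as the username."""
    m = SEP_RE.match(identity)
    return m.group(2).upper() if m else None


def identity_matches_calling_station(identity: str, calling_station_id: str) -> bool:
    """Cross-check the MAC embedded in the identity against the Calling-Station-Id attribute."""
    mac = mac_from_identity(identity)
    reported = calling_station_id.replace("-", "").replace(":", "").upper()
    return mac is not None and mac == reported


def md5_response_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 value: MD5(Identifier || secret || challenge), per RFC 3748 / RFC 1994."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_md5_response(ident: int, password: bytes, challenge: bytes, name: bytes = b"") -> bytes:
    """The EAP-Response/MD5-Challenge a supplicant returns for a given challenge."""
    value = md5_response_value(ident, password, challenge)
    body = bytes([TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


def verify_md5_response(response: bytes, password: bytes, challenge: bytes) -> bool:
    """Server-side check: does the response prove knowledge of the stored password?"""
    msg = parse_eap(response)
    if msg["code"] != EAP_RESPONSE or msg["type"] != TYPE_MD5_CHALLENGE:
        return False
    expected = md5_response_value(msg["id"], password, challenge)
    return hmac.compare_digest(msg["value"], expected)


if __name__ == "__main__":
    ident = parse_eap(PHONE_IDENTITY)
    chal = parse_eap(SERVER_CHALLENGE)
    print("identity:", ident["identity"], "-> LDAP username", mac_from_identity(ident["identity"]))
    print("challenge id", chal["id"], "from", chal["name"], "value", chal["value"].hex())
    # Password from Greg's voip-phones file; the phone never answered in his trace,
    # so this reconstructs the response Radiator was waiting for.
    reply = build_md5_response(chal["id"], b"test1234", chal["value"])
    print("response verifies:", verify_md5_response(reply, b"test1234", chal["value"]))
```

The Calling-Station-Id check is the piece worth keeping: with EAP-MD5 the only thing the server learns is that the supplicant knew the password stored for the rewritten username, so tying that username to the MAC the switch saw on the port is what stops one phone's credential from being presented from another port. EAP-MD5 also derives no keying material, which is why the AutoMPPEKeys and EAPTLS_* settings in Hugh's AuthBy only matter for the TLS-based EAP types the same clause can serve.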