[RADIATOR] Cisco IP Phones 802.1x Authentication?

Hugh Irvine hugh at open.com.au
Thu Jun 17 16:57:09 CDT 2010


Hello Greg -

As it happens I am doing exactly this at the moment.

The Cisco phones I have been working with do indeed use MD5 authentication.

The debug below shows Radiator sending an EAP-MD5 challenge, but then getting nothing further.

I think you will need to check the debug on the Cisco switch to see what is happening there.

Here is a copy of the relevant Radiator configuration file I have been using:

….

<Handler EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
	<AuthBy LDAP2>
		RewriteUsername s/(.+)SEP([0-9a-fA-F]{12})$/$2/
		NoDefault
		Host localhost
		Port 3268
		AuthDN          radiator
		AuthPassword    Passw0rd
		BaseDN CN=Users, DC=comms, DC=local
		UsernameAttr sAMaccountName
		PasswordAttr Description
		SearchFilter (%0=%1)
		Debug 255
		EAPType MD5
		EAPTLS_CAFile C:\Radiator\Radiator-Locked-4.5.1\certificates\demoCA\cacert.pem
		EAPTLS_CertificateFile C:\Radiator\Radiator-Locked-4.5.1\certificates\cert-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile C:\Radiator\Radiator-Locked-4.5.1\certificates\cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever
		EAPTLS_MaxFragmentSize 1000
		AutoMPPEKeys
		EAPAnonymous %0
		EAPTLS_PEAPVersion 0
		AddToReply cisco-avpair="device-traffic-class=voice"
	</AuthBy>
</Handler>

…..

I can get you Cisco configuration details, etc. tomorrow.

regards

Hugh



On 17 Jun 2010, at 17:36, Gregory Fuller wrote:

> We're getting ready for a Cisco VOIP rollout here and I'd like to
> enable 802.1x authentication on all of our phones (7942G and 7975G's).
> 
> From the Cisco docs it looks like they support EAP-MD5:
> 
> http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps8535/product_data_sheet0900aecd8069bb68.html
> 
> But I've seen some conflicting reports that MD5 support has been
> removed from newer firmware versions.
> 
> Here's my radius config:
> 
> <Client xxx.xxx.xxx.xxx>
>        # Configure 802.1x switch authentication for LANIGAN-SWITCHES
>        #
>        Identifier              LANIGAN-SWITCHES
>        Secret                  xxxxxxx
>        DupInterval             0
>        IgnoreAcctSignature
> </Client>
> <Handler Client-Identifier=LANIGAN-SWITCHES>
>        <AuthBy FILE>
>                Filename %D/voip-phones
>                EAPType MD5
>        </AuthBy>
>        AuthLog VOIP-AuthLogger
>        AcctLogFileName /var/log/radius/VOIP-detail
> </Handler>
> 
> Contents of my "voip-phone" authfile:
> 
> CP-7942G-SEP2893FE127C54        User-Password = test1234
>                                Cisco-avpair = "device-traffic-class=voice"
> 
> 
> And my switch config (I'm using a Cisco 3750v2-48PS running
> 12.2(53)SE) as the authenticator:
> 
> aaa new-model
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> aaa session-id common
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> radius-server host 129.3.22.134 auth-port 1812 acct-port 1813 key 7
> xxxxxxxxxxxxxxxxxxxxx
> dot1x system-auth-control
> !
> interface FastEthernet2/0/3
> description 26-9 Y
> switchport access vlan 28
> switchport mode access
> switchport voice vlan 2089
> shutdown
> authentication host-mode multi-domain
> authentication port-control auto
> authentication periodic
> authentication timer reauthenticate 30
> dot1x pae authenticator
> spanning-tree portfast
> 
> 
> 
> All I get from the radiator log with trace level 5 enabled is:
> 
> Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
> *** Received from 129.3.244.100 port 1645 ....
> 
> Packet length = 184
> 01 44 00 b8 9b 93 1e a7 b1 50 55 53 b5 23 ad 7b
> 7f 5f f8 3a 01 1a 43 50 2d 37 39 34 32 47 2d 53
> 45 50 32 38 39 33 46 45 31 32 37 43 35 34 06 06
> 00 00 00 02 0c 06 00 00 05 dc 1e 13 36 34 2d 31
> 36 2d 38 44 2d 46 35 2d 30 39 2d 30 35 1f 13 32
> 38 2d 39 33 2d 46 45 2d 31 32 2d 37 43 2d 35 34
> 4f 1f 02 01 00 1d 01 43 50 2d 37 39 34 32 47 2d
> 53 45 50 32 38 39 33 46 45 31 32 37 43 35 34 50
> 12 63 76 20 b5 e7 56 c4 ca 53 e4 e0 df f2 67 d0
> e7 66 02 3d 06 00 00 00 0f 05 06 00 00 c4 1b 57
> 13 46 61 73 74 45 74 68 65 72 6e 65 74 32 2f 30
> 2f 33 04 06 81 03 f4 64
> Code:       Access-Request
> Identifier: 68
> Authentic:  <155><147><30><167><177>PUS<181>#<173>{<127>_<248>:
> Attributes:
>        User-Name = "CP-7942G-SEP2893FE127C54"
>        Service-Type = Framed-User
>        Framed-MTU = 1500
>        Called-Station-Id = "64-16-8D-F5-09-05"
>        Calling-Station-Id = "28-93-FE-12-7C-54"
>        EAP-Message = <2><1><0><29><1>CP-7942G-SEP2893FE127C54
>        Message-Authenticator = cv
> <181><231>V<196><202>S<228><224><223><242>g<208><231>
>        EAP-Key-Name =
>        NAS-Port-Type = Ethernet
>        NAS-Port = 50203
>        NAS-Port-Id = "FastEthernet2/0/3"
>        NAS-IP-Address = xxxx.xxxx.xxxx.xxxx
> 
> Thu Jun 17 15:02:14 2010: DEBUG: Handling request with Handler
> 'Client-Identifier=LANIGAN-SWITCHES'
> Thu Jun 17 15:02:14 2010: DEBUG:  Deleting session for
> CP-7942G-SEP2893FE127C54, 129.3.244.100, 50203
> Thu Jun 17 15:02:14 2010: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 17 15:02:14 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
> Thu Jun 17 15:02:14 2010: DEBUG: Response type 1
> Thu Jun 17 15:02:14 2010: DEBUG: EAP result: 3, EAP MD5-Challenge
> Thu Jun 17 15:02:14 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> MD5-Challenge
> Thu Jun 17 15:02:14 2010: DEBUG: Access challenged for
> CP-7942G-SEP2893FE127C54: EAP MD5-Challenge
> Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
> *** Sending to 129.3.244.100 port 1645 ....
> 
> Packet length = 82
> 0b 44 00 52 19 6d cc 6f 3a fa a6 fc 18 50 a8 1f
> 29 71 f9 13 4f 2c 01 02 00 2a 04 10 5d 68 89 02
> 09 5f 48 5d aa f2 d7 7d 62 a0 e2 95 72 61 64 69
> 75 73 2d 30 31 2e 6f 73 77 65 67 6f 2e 65 64 75
> 50 12 5f cb 5d 3e 32 22 33 d4 68 42 2e 71 d0 2d
> 0f 65
> Code:       Access-Challenge
> Identifier: 68
> Authentic:  <25>m<204>o:<250><166><252><24>P<168><31>)q<249><19>
> Attributes:
>        EAP-Message =
> <1><2><0>*<4><16>]h<137><2><9>_H]<170><242><215>}b<160><226><149>radius-01.oswego.edu
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> 
> 
> I'm running Radiator v4.5.1 under CentOS 5.4.
> 
> Anyone have any experience with configuring Cisco IP phones to
> authenticate via EAP-MD5 (or another means!) against Radiator?  I've
> also opened a TAC case with Cisco to see if there's a bug in the
> firmware -- but I'm not finding anything googling around or looking on
> the Cisco site.
> 
> Any help or suggestions are appreciated!
> 
> --greg
> 
> 
> Gregory A. Fuller - CCNA
> Network Manager
> State University of New York at Oswego
> Phone: (315) 312-5750
> http://www.oswego.edu/~gfuller
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
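Added example (not from Hugh, Greg, or the Radiator distribution): a small decoder for the two packet dumps quoted in the thread, plus the EAP-MD5 arithmetic that the phone was expected to perform. It parses the Access-Request and Access-Challenge byte for byte from the trace above, pulls the EAP-Message out of each, and shows that the challenge Radiator sent is a well-formed EAP-Request/MD5-Challenge (id 2, 16-byte value, name "radius-01.oswego.edu"). It then builds the EAP-Response/MD5-Challenge the phone should have returned, using the password "test1234" from Greg's voip-phones file; the response name and the assumption that the phone would echo its identity there are mine, not something the trace shows. The RFC 2865/2869 attribute numbers are the standard ones.

```python
import hashlib
import hmac
import struct

# Both dumps below are copied from the trace quoted in the thread:
# the Access-Request from the switch and the Access-Challenge from Radiator.
ACCESS_REQUEST = bytes.fromhex("""
01 44 00 b8 9b 93 1e a7 b1 50 55 53 b5 23 ad 7b 7f 5f f8 3a 01 1a 43 50 2d 37 39 34 32 47 2d 53
45 50 32 38 39 33 46 45 31 32 37 43 35 34 06 06 00 00 00 02 0c 06 00 00 05 dc 1e 13 36 34 2d 31
36 2d 38 44 2d 46 35 2d 30 39 2d 30 35 1f 13 32 38 2d 39 33 2d 46 45 2d 31 32 2d 37 43 2d 35 34
4f 1f 02 01 00 1d 01 43 50 2d 37 39 34 32 47 2d 53 45 50 32 38 39 33 46 45 31 32 37 43 35 34 50
12 63 76 20 b5 e7 56 c4 ca 53 e4 e0 df f2 67 d0 e7 66 02 3d 06 00 00 00 0f 05 06 00 00 c4 1b 57
13 46 61 73 74 45 74 68 65 72 6e 65 74 32 2f 30 2f 33 04 06 81 03 f4 64
""")
ACCESS_CHALLENGE = bytes.fromhex("""
0b 44 00 52 19 6d cc 6f 3a fa a6 fc 18 50 a8 1f 29 71 f9 13 4f 2c 01 02 00 2a 04 10 5d 68 89 02
09 5f 48 5d aa f2 d7 7d 62 a0 e2 95 72 61 64 69 75 73 2d 30 31 2e 6f 73 77 65 67 6f 2e 65 64 75
50 12 5f cb 5d 3e 32 22 33 d4 68 42 2e 71 d0 2d 0f 65
""")

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
              12: "Framed-MTU", 30: "Called-Station-Id", 31: "Calling-Station-Id",
              61: "NAS-Port-Type", 79: "EAP-Message", 80: "Message-Authenticator",
              87: "NAS-Port-Id", 102: "EAP-Key-Name"}
INTEGER_ATTRS = {5, 6, 12, 61}          # 32-bit big-endian integers
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}


def parse_radius(raw):
    """Split a RADIUS packet into header fields and a list of (name, value) attributes."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field %d does not match %d bytes" % (length, len(raw)))
    attrs, pos = [], 20                  # attributes follow the 16-byte Authenticator
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = raw[pos + 2:pos + alen]
        if atype in INTEGER_ATTRS:
            value = struct.unpack("!I", value)[0]
        elif atype == 4:                 # NAS-IP-Address as dotted quad
            value = ".".join(str(b) for b in value)
        attrs.append((ATTR_NAMES.get(atype, "Attr-%d" % atype), value))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident,
            "authenticator": raw[4:20], "attrs": attrs}


def eap_message(pkt):
    """Reassemble the EAP packet from one or more EAP-Message attributes (RFC 2869)."""
    return b"".join(v for name, v in pkt["attrs"] if name == "EAP-Message")


def parse_eap(raw):
    """Decode an EAP packet; for MD5-Challenge split out the value and the name."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length > len(raw):
        raise ValueError("truncated EAP packet")
    out = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (3, 4):                   # Success/Failure carry no type or data
        return out
    eap_type, data = raw[4], raw[5:length]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        out["identity"] = data.decode("ascii", "replace")
    elif eap_type == 4:
        size = data[0]                   # Value-Size octet precedes the challenge/response
        out["value"] = data[1:1 + size]
        out["name"] = data[1 + size:].decode("ascii", "replace")
    return out


def md5_response_value(eap_id, password, challenge):
    """EAP-MD5 (RFC 3748, same as CHAP in RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


def build_md5_response(eap_id, password, challenge, name=b""):
    """Assemble the EAP-Response/MD5-Challenge packet a supplicant sends back."""
    value = md5_response_value(eap_id, password, challenge)
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 4) + data


def verify_md5_response(eap_id, password, challenge, value):
    """Server-side check of a received response value (constant-time comparison)."""
    return hmac.compare_digest(md5_response_value(eap_id, password, challenge), value)


def expected_phone_response(password=b"test1234"):
    """The reply the phone should have sent to the challenge in the trace (it never did).
    Password is the one from Greg's voip-phones file; the name field is an assumption."""
    chal = parse_eap(eap_message(parse_radius(ACCESS_CHALLENGE)))
    return build_md5_response(chal["id"], password, chal["value"], b"CP-7942G-SEP2893FE127C54")


if __name__ == "__main__":
    for pkt in (ACCESS_REQUEST, ACCESS_CHALLENGE):
        parsed = parse_radius(pkt)
        print(parsed["code"], "id", parsed["id"], "->", parse_eap(eap_message(parsed)))
    print("expected phone reply:", parse_eap(expected_phone_response()))
```

Two things the decoder makes visible in the quoted trace. First, the switch's Access-Request carries a complete EAP-Response/Identity and a Message-Authenticator, and Radiator's Access-Challenge carries a complete MD5-Challenge request, so the exchange stalls after a valid challenge has left the server; that is consistent with Hugh's advice to look at the switch side next. Second, the attribute listing in the log prints Message-Authenticator as sixteen zero bytes while the hex dump of the same packet holds a real value, because the dump is taken before Radiator fills in the HMAC; the zeros in the listing are not a sign of a missing attribute.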