[RADIATOR] Cisco IP Phones 802.1x Authentication?

Gregory Fuller gregory.fuller at oswego.edu
Wed Jun 23 05:50:32 CDT 2010


Hugh,

I was able to get this working the other day.  Here's my radius config:

<Client 129.3.244.100>
        # Configure 802.1x switch authentication for LANIGAN-SWITCHES
        #
        Identifier              LANIGAN-SWITCHES
        Secret                  xxxxxx
        DupInterval             0
        IgnoreAcctSignature
</Client>
<Handler Client-Identifier=LANIGAN-SWITCHES, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
        <AuthBy FILE>
                Filename %D/voip-phones
                EAPType MD5
        </AuthBy>
        AuthLog VOIP-AuthLogger
        AcctLogFileName /var/log/radius/VOIP-detail
</Handler>

Then within the voip-phones userfile I added the following:

CP-7942G-SEP2893FE127C54        User-Password = oswego
                                cisco-avpair="device-traffic-class=voice",
                                Tunnel-Type=1:VLAN,
                                Tunnel-Medium-Type=1:Ether_802,
                                Tunnel-Private-Group-ID=1:VOICE-LAN


It appeared that the "cisco-avpair" was case sensitive on my Cisco
3750V2-48PS switches for some reason.  I didn't try it with any other
switches yet, but changing that attribute to all lowercase appeared to
actually assign the voice vlan name properly as part of the voice
domain.  I also have multi-domain 802.1x authentication enabled on the
switch to allow multiple 802.1x authentications on the same port.
When doing that you need to specifically tell the switch that the
phone needs to be in the voice-vlan and not the data vlan, that's what
the cisco-avpair is assigning.

Here's my interface configuration from the switch:

interface FastEthernet2/0/3
 description 26-9 Y
 switchport mode access
 switchport voice vlan 2089
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 1800
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 spanning-tree portfast
 service-policy input AutoQoS-Police-CiscoPhone
end


If I take out the static voice-vlan assignment from the interface the
RADIUS reply puts the phone into the correct VLAN.  I did read
somewhere that "dynamic" vlan assignment for the voice-vlan wasn't
supported by Cisco, but it does appear to work on the 3750V2's running
IOS 12.2(53)SE.

Thanks for your assistance.

--greg

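The EAP-MD5 round trip this thread is about, as an added Python example (not code from the thread, from Radiator, or from Cisco): it applies the Handler's User-Name regex, builds an EAP-Request/MD5-Challenge with the same layout as the one in the debug above (id 2, type 4, 16-byte value, server name), computes the phone's MD5(id || password || challenge) answer and verifies it on the server side. The password and packet bytes are constructed here; the RADIUS wrapping (Access-Challenge, Message-Authenticator) is left out.

```python
import hashlib, hmac, os, re

# Handler selector from the thread: phones identify as <model>-SEP<12 hex MAC digits>;
# group 2 is what Hugh's RewriteUsername keeps.
PHONE_NAME_RE = re.compile(r"(.+)SEP([0-9a-fA-F]{12})$")
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4  # RFC 3748 codes and MD5-Challenge type

def phone_mac_from_username(user_name):
    # MAC digits the Handler captures as $2, or None when the Handler would not match
    m = PHONE_NAME_RE.search(user_name)
    return m.group(2) if m else None

def build_md5_challenge(identifier, challenge, name=b"radius-01.oswego.edu"):
    # EAP-Request/MD5-Challenge: code, id, length(2), type=4, value-size, value, name
    payload = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + name
    return bytes([EAP_REQUEST, identifier]) + (4 + len(payload)).to_bytes(2, "big") + payload

def parse_md5_challenge(packet):
    # Supplicant side: return (identifier, challenge, name), refuse anything else
    length = int.from_bytes(packet[2:4], "big")
    if packet[0] != EAP_REQUEST or length != len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    size = packet[5]
    return packet[1], packet[6:6 + size], packet[6 + size:length]

def md5_response_value(identifier, password, challenge):
    # RFC 1994 CHAP: MD5(id || secret || challenge); no key material is derived
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def build_md5_response(identifier, password, challenge):
    value = md5_response_value(identifier, password, challenge)
    payload = bytes([EAP_TYPE_MD5, len(value)]) + value
    return bytes([EAP_RESPONSE, identifier]) + (4 + len(payload)).to_bytes(2, "big") + payload

def verify_md5_response(packet, identifier, password, challenge):
    # Server side: the id must match the outstanding challenge; compare in constant time
    if len(packet) < 6 or packet[0] != EAP_RESPONSE or packet[1] != identifier or packet[4] != EAP_TYPE_MD5:
        return False
    size = packet[5]
    return hmac.compare_digest(packet[6:6 + size], md5_response_value(identifier, password, challenge))

def run_exchange(user_name, stored_password, phone_password):
    # One round trip; returns (mac, accepted), with mac None when no Handler matches
    mac = phone_mac_from_username(user_name)
    if mac is None:
        return None, False
    challenge = os.urandom(16)                     # fresh per attempt, as the server must do
    ident, chal, _ = parse_md5_challenge(build_md5_challenge(2, challenge))
    response = build_md5_response(ident, phone_password, chal)
    return mac, verify_md5_response(response, ident, stored_password, chal)
```

EAP-MD5 derives no session keys (AutoMPPEKeys has nothing to work with) and only hashes the password into the response, so the strength of the passwords in the voip-phones file is the whole defence.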


On Thu, Jun 17, 2010 at 5:57 PM, Hugh Irvine <hugh at open.com.au> wrote:
>
> Hello Greg -
>
> As it happens I am doing exactly this at the moment.
>
> The Cisco phones I have been working with do indeed use MD5 authentication.
>
> The debug below shows Radiator sending an EAP-MD5 challenge, but then getting nothing further.
>
> I think you will need to check the debug on the Cisco switch to see what is happening there.
>
> Here is a copy of the relevant Radiator configuration file I have been using:
>
> ….
>
> <Handler EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
>        <AuthBy LDAP2>
>                RewriteUsername s/(.+)SEP([0-9a-fA-F]{12})$/$2/
>                NoDefault
>                Host localhost
>                Port 3268
>                AuthDN          radiator
>                AuthPassword    Passw0rd
>                BaseDN CN=Users, DC=comms, DC=local
>                UsernameAttr sAMaccountName
>                PasswordAttr Description
>                SearchFilter (%0=%1)
>                Debug 255
>                EAPType MD5
>                EAPTLS_CAFile C:\Radiator\Radiator-Locked-4.5.1\certificates\demoCA\cacert.pem
>                EAPTLS_CertificateFile C:\Radiator\Radiator-Locked-4.5.1\certificates\cert-srv.pem
>                EAPTLS_CertificateType PEM
>                EAPTLS_PrivateKeyFile C:\Radiator\Radiator-Locked-4.5.1\certificates\cert-srv.pem
>                EAPTLS_PrivateKeyPassword whatever
>                EAPTLS_MaxFragmentSize 1000
>                AutoMPPEKeys
>                EAPAnonymous %0
>                EAPTLS_PEAPVersion 0
>                AddToReply cisco-avpair="device-traffic-class=voice"
>        </AuthBy>
> </Handler>
>
> …..
>
> I can get you Cisco configuration details, etc. tomorrow.
>
> regards
>
> Hugh
>
>
>
> On 17 Jun 2010, at 17:36, Gregory Fuller wrote:
>
>> We're getting ready for a Cisco VOIP rollout here and I'd like to
>> enable 802.1x authentication on all of our phones (7942G and 7975G's).
>>
>> From the Cisco docs it looks like they support EAP-MD5:
>>
>> http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps8535/product_data_sheet0900aecd8069bb68.html
>>
>> But I've seen some conflicting reports that MD5 support has been
>> removed from newer firmware versions.
>>
>> Here's my radius config:
>>
>> <Client xxx.xxx.xxx.xxx>
>>        # Configure 802.1x switch authentication for LANIGAN-SWITCHES
>>        #
>>        Identifier              LANIGAN-SWITCHES
>>        Secret                  xxxxxxx
>>        DupInterval             0
>>        IgnoreAcctSignature
>> </Client>
>> <Handler Client-Identifier=LANIGAN-SWITCHES>
>>        <AuthBy FILE>
>>                Filename %D/voip-phones
>>                EAPType MD5
>>        </AuthBy>
>>        AuthLog VOIP-AuthLogger
>>        AcctLogFileName /var/log/radius/VOIP-detail
>> </Handler>
>>
>> Contents of my "voip-phone" authfile:
>>
>> CP-7942G-SEP2893FE127C54        User-Password = test1234
>>                                Cisco-avpair = "device-traffic-class=voice"
>>
>>
>> And my switch config (I'm using a Cisco 3750v2-48PS running
>> 12.2(53)SE) as the authenticator:
>>
>> aaa new-model
>> aaa authentication dot1x default group radius
>> aaa authorization network default group radius
>> aaa session-id common
>> aaa authentication dot1x default group radius
>> aaa authorization network default group radius
>> radius-server host 129.3.22.134 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxx
>> dot1x system-auth-control
>> !
>> interface FastEthernet2/0/3
>> description 26-9 Y
>> switchport access vlan 28
>> switchport mode access
>> switchport voice vlan 2089
>> shutdown
>> authentication host-mode multi-domain
>> authentication port-control auto
>> authentication periodic
>> authentication timer reauthenticate 30
>> dot1x pae authenticator
>> spanning-tree portfast
>>
>>
>>
>> All I get from the radiator log with trace level 5 enabled is:
>>
>> Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
>> *** Received from 129.3.244.100 port 1645 ....
>>
>> Packet length = 184
>> Code:       Access-Request
>> Identifier: 68
>> Authentic:  <155><147><30><167><177>PUS<181>#<173>{<127>_<248>:
>> Attributes:
>>        User-Name = "CP-7942G-SEP2893FE127C54"
>>        Service-Type = Framed-User
>>        Framed-MTU = 1500
>>        Called-Station-Id = "64-16-8D-F5-09-05"
>>        Calling-Station-Id = "28-93-FE-12-7C-54"
>>        EAP-Message = <2><1><0><29><1>CP-7942G-SEP2893FE127C54
>>        Message-Authenticator = cv
>> <181><231>V<196><202>S<228><224><223><242>g<208><231>
>>        EAP-Key-Name =
>>        NAS-Port-Type = Ethernet
>>        NAS-Port = 50203
>>        NAS-Port-Id = "FastEthernet2/0/3"
>>        NAS-IP-Address = xxxx.xxxx.xxxx.xxxx
>>
>> Thu Jun 17 15:02:14 2010: DEBUG: Handling request with Handler
>> 'Client-Identifier=LANIGAN-SWITCHES'
>> Thu Jun 17 15:02:14 2010: DEBUG:  Deleting session for
>> CP-7942G-SEP2893FE127C54, 129.3.244.100, 50203
>> Thu Jun 17 15:02:14 2010: DEBUG: Handling with Radius::AuthFILE:
>> Thu Jun 17 15:02:14 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
>> Thu Jun 17 15:02:14 2010: DEBUG: Response type 1
>> Thu Jun 17 15:02:14 2010: DEBUG: EAP result: 3, EAP MD5-Challenge
>> Thu Jun 17 15:02:14 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
>> MD5-Challenge
>> Thu Jun 17 15:02:14 2010: DEBUG: Access challenged for
>> CP-7942G-SEP2893FE127C54: EAP MD5-Challenge
>> Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
>> *** Sending to 129.3.244.100 port 1645 ....
>>
>> Packet length = 82
>> Code:       Access-Challenge
>> Identifier: 68
>> Authentic:  <25>m<204>o:<250><166><252><24>P<168><31>)q<249><19>
>> Attributes:
>>        EAP-Message =
>> <1><2><0>*<4><16>]h<137><2><9>_H]<170><242><215>}b<160><226><149>radius-01.oswego.edu
>>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>>
>>
>> I'm running Radiator v4.5.1 under CentOS 5.4.
>>
>> Anyone have any experience with configuring Cisco IP phones to
>> authenticate via EAP-MD5 (or another means!) against Radiator?  I've
>> also opened a TAC case with Cisco to see if there's a bug in the
>> firmware -- but I'm not finding anything googling around or looking on
>> the Cisco site.
>>
>> Any help or suggestions are appreciated!
>>
>> --greg
>>
>>
>> Gregory A. Fuller - CCNA
>> Network Manager
>> State University of New York at Oswego
>> Phone: (315) 312-5750
>> http://www.oswego.edu/~gfuller
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.