Comware

Hello,

I'm tring to make working an Alcatel IP Phone with my 2610-24 PWR switch.

The problem is using the phone only support 802.1X MD5 and this makes a fault error on my NPS Serveur (Windows 2008).

I would disable authentication on voice VLAN. Is it possible ?

I found "aaa port-access [port] mixed" command but un can deal witch it.

couple of comments:

1) you could add MD5 as a supported EAP type in your NPS policy...1 policy test for MD5 and voice windows group, and another policy test for any other EAP and computer windows group...

2) you cannot select 802.1X auth per vlan, it is per port...

3) i couldn't find a reference to that last command...hmm???

hth...jeff

ps, i have a mitel 5212 auth with MD5 and a computer connected to the phone that auth with PEAP...all on W2K8/NPS and separate policies...

1) you could add MD5 as a supported EAP type in your NPS policy...1 policy test for MD5 and voice windows group, and another policy test for any other EAP and computer windows group...

> I already make a "IP Phone" group and policy for Phone and another for computers. But I have an internal error from NPS my Windows 2008 server. So authentication time-out because the RADIUS not respond.

2) you cannot select 802.1X auth per vlan, it is per port...

> Ok. It doesn't help me.

3) i couldn't find a reference to that last command...hmm???

> In the command line, it shows that this command allow authenticated and unauthenticated clients on the same port.

ps, i have a mitel 5212 auth with MD5 and a computer connected to the phone that auth with PEAP...all on W2K8/NPS and separate policies...

> I think the problem is into the ALCATEL phone. Could I see your config file ?

Ludovic,

seems that MD5 is not enabled by default in NPS. Maybe this is causing the problem.

see: http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/e801bdac-9347-4efb-9d7c-bcf4d64aa927

Mac-auth is also a possibility, not very secure (spoofable) but from an automation point of view very handy.

Switches support concurrent 802.1x and MAC auth.

good catch Sietze !!! i had forgotten about that...drove me crazy for many hours...

i followed the instructions on that same link provided and it worked for me :-)


MAC auth is how my aastra phones auth as they don't have an 802.1X supplicant...

but in active dir, both the UID and PW _must_ be the mac addr of the phone...however that will not pass the password complexity policy in AD...so you must change that...

see: http://forums.techarena.in/microsoft-security/1000801.htm


and i've sometimes had issues with 802.1X and mac auth working correctly on the same switch port...seems even tho the phone would mac auth ok, when the pc came online, the switch wouldn't auth the pc with its 802.1X credentials, it still wanted the pc to auth with mac addr...this was supposed to have been resolved last year, but i haven't tested it lately...


btw, every port configured for 802.1X auth (802.1X, mac, web) has a default client-limit of '1', so if you connect a pc to a phone, that switch port needs to have 'client-limit 3' set.....1 for phone in untag state, 1 for phone in tag state, 1 for pc in untag state...

cheers...jeff

I know all of that.

I have managed to get enable MD5 working on NPS. It works with Windows XP but not witch my IP Phone.

I'm not interested in MD5 with the MAC address because I have to disable password security in my GPO.

I made some captures with Wireshark if you want.

I followed ProCurve Networking Application Note How to configure 802.1X authentication on ProCurve switches and have activated it on my switch

(config )# vlan 89
(vlan?1)#untagged 1-24
(vlan?1)# vlan 447
(vlan?2)# voice
(vlan?2)# tagged 1-24
(vlan?2)# exit
(config )# aaa port-access authenticator 1-24
(config )# aaa port-access authenticator 1-24 client-limit 3
(config )# aaa port-access authenticator active
(config )# write mem

But It want dynamic assignment VLAN and It works fine with HP IDM.

with 3500yl or 5400zl/8200zl you can configure a password which is compliant to the GPO. so the username=MAC address and the password is configured in the switch. another possibility is to use another radius server group for MAC-auth. In this case you can set up another infrastucture (radius and directory/flatfile) for Mac auth.

Hopefully HP will enhance this functionality also in the 2610 series.

the aaa port-access mixed command states that authenticated and unauthenticated users are allowed on the same port. I never checked how this works in reality, but I think this usefull to have unauthenticated users in a unsecure vlan and authenticated users get a dynamic secure vlan.

Maybe there are some other things to consider like the dual boot or fixed vlan config of the Alcatel phone. Unfortunally Alcatel does not support LLDP-MED (yet) which would make setup and config easier.

for me, the next info to see would be what the "radius log: info indicates...

what is radius saying is the problem...

i'm thinking the issue is in radius[nps]/remote access policy area -or- between switch and radius...

that's why seeing what radius says as the problem helps...

(side note, i would not use MAC addr for MD5, i only mentioned MAC auth info as it was brought up later in this thread)...

also, i see that the "mixed" support is brand new in that 2610 code, and not (yet?) in the provision asic switches, that must be why i didn't see in the latest manual set...cool feature :-)

cheers...jeff

You can find the radius log in attachment. Sorry, it's in French but except the XML part.

This is a Wireshark capture between the switch and the NPS server (Radius).

Someone can explain the "aaa port-access authenticator control" command because I want to allow both 802.1X compliant client a not 802.1X compliant to acces netwok ?

I set it in auto mode and when I connect a not 802.1X compliant I doesn't have acces to the network.

I want that 802.1X compliant clients use dynamic attribution VLAN and use static VLAN defined on the port for not 802.1X compliant clients.

----------------------------------------
aaa port-access authenticator < port-list >
[control < authorized | auto | unauthorized >]

Controls authentication mode on the specified port:

authorized: Also termed "Force Authorized". Gives access to a device connected to the port. In this case, the device does not have to provide 802.1X credentials or support 802.1X authentication. (You can still
configure console, Telnet, or SSH security on the port.)

auto (the default): The device connected to the port must support 802.1X authentication and provide valid credentials to get network access. (Optional: You can use the Open VLAN mode to provide a path for clients without 802.1X supplicant software to down-load this
software and begin the authentication process. Refer to "802.1X Open VLAN Mode" on page 11-27.)

unauthorized: Also termed "Force Unauthorized". Do not grant access to the network, regardless of whether the device provides the correct credentials and has 802.1X support. In this state, the port blocks access to any connected device.

BOUE said:
Someone can explain the "aaa port-access authenticator control" command because I want to allow both 802.1X compliant client a not 802.1X compliant to acces netwok ?

jeff reply:
this commands dictates how the switch will control 802.1X enabled ports...

default is auto, meaning if the device authenticates via radius, do what radius says...if device doesn't authenticate, then switch blocks that port...

on - means don't try to authenticate at all, just let all traffic pass...

off - don't allow traffic at all, even if the device trys to authenticate...


BOUE said:
I set it in auto mode and when I connect a not 802.1X compliant I doesn't have acces to the network.

jeff reply:
that is correct function


BOUE said:
I want that 802.1X compliant clients use dynamic attribution VLAN and use static VLAN defined on the port for not 802.1X compliant clients.

jeff reply, then the way to configure that 802.1X function is to define what is called the "unauthenticated vlan"...this is generally not the vlan the ports are statically assigned to, and i've never tried it to be, i always define a separate vlan...

so, to configure this:
1) create a vlan
2) control is access to the network via ACL(s)
3) provide the vlan with DHCP services and ip-helper on the vlan
4) then this command:

'aaa port-access authenticator <PORTS> unauth-vid<X>'

hth...jeff


ps, i looked at the event info you provided earlier (running the french thru a translator on google), but the messages viewed didn't really tell me anything...it didn't look like they were the radius messages...

so i assume that is why you are looking at this other option...

cheers..jeff</X></PORTS>

In fact I already user the unauth vlan for computers, so I can't user it for my phone.

They must have a function to no authenticate phones.

What could LLDP-MED compliance do for that if my phone was ?

BOUE said:
In fact I already user the unauth vlan for computers, so I can't user it for my phone.

They must have a function to no authenticate phones.

jeff said: none that i've seen...


BOUE said: What could LLDP-MED compliance do for that if my phone was ?

jeff said: if you have LLDP-MED compliant phones, you can remove the phone ports for 802.1X control and instead put those ports into a "no use" vlan [ie, no ip addr on the vlan ,etc]...then when the phone connects, the switch will see that it is a phone (via LLDP-MED) and can assign that port to the "voice" vlan...however, the port in this case is no longer under 802.1X authentication control, and you have less security...

hth...jeff

Are you sure ? What happen if I plug a computer on the phone ethernet switch ?

I read in "How to use LLDP-MED with IP phones and ProCurve switches" :

More security: LLDP-MED runs after 802.1X, to prevent unauthenticated devices from gaining access to the network.

So we need to pass the authentication before LLDP-MED runs.