We're getting ready for a Cisco VOIP rollout here and I'd like to enable 802.1x authentication on all of our phones (7942G and 7975G's).

From the Cisco docs it looks like they support EAP-MD5:
http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps8535/product_data_sheet0900aecd8069bb68.html

But I've seen some conflicting reports that MD5 support has been removed from newer firmware versions.

Here's my radius config:

        <Client xxx.xxx.xxx.xxx>
                # Configure 802.1x switch authentication for LANIGAN-SWITCHES
                #
                Identifier LANIGAN-SWITCHES
                Secret xxxxxxx
                DupInterval 0
                IgnoreAcctSignature
        </Client>

        <Handler Client-Identifier=LANIGAN-SWITCHES>
                <AuthBy FILE>
                        Filename %D/voip-phones
                        EAPType MD5
                </AuthBy>
                AuthLog VOIP-AuthLogger
                AcctLogFileName /var/log/radius/VOIP-detail
        </Handler>

Contents of my "voip-phone" authfile:

        CP-7942G-SEP2893FE127C54 User-Password = test1234
                Cisco-avpair = "device-traffic-class=voice"

And my switch config (I'm using a Cisco 3750v2-48PS running 12.2(53)SE) as the authenticator:

        aaa new-model
        aaa authentication dot1x default group radius
        aaa authorization network default group radius
        aaa session-id common
        radius-server host 129.3.22.134 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxx
        dot1x system-auth-control
        !
        interface FastEthernet2/0/3
         description 26-9 Y
         switchport access vlan 28
         switchport mode access
         switchport voice vlan 2089
         shutdown
         authentication host-mode multi-domain
         authentication port-control auto
         authentication periodic
         authentication timer reauthenticate 30
         dot1x pae authenticator
         spanning-tree portfast

All I get from the radiator log with trace level 5 enabled is:

        Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
        *** Received from 129.3.244.100 port 1645 ....
        Packet length = 184
        01 44 00 b8 9b 93 1e a7 b1 50 55 53 b5 23 ad 7b
        7f 5f f8 3a 01 1a 43 50 2d 37 39 34 32 47 2d 53
        45 50 32 38 39 33 46 45 31 32 37 43 35 34 06 06
        00 00 00 02 0c 06 00 00 05 dc 1e 13 36 34 2d 31
        36 2d 38 44 2d 46 35 2d 30 39 2d 30 35 1f 13 32
        38 2d 39 33 2d 46 45 2d 31 32 2d 37 43 2d 35 34
        4f 1f 02 01 00 1d 01 43 50 2d 37 39 34 32 47 2d
        53 45 50 32 38 39 33 46 45 31 32 37 43 35 34 50
        12 63 76 20 b5 e7 56 c4 ca 53 e4 e0 df f2 67 d0
        e7 66 02 3d 06 00 00 00 0f 05 06 00 00 c4 1b 57
        13 46 61 73 74 45 74 68 65 72 6e 65 74 32 2f 30
        2f 33 04 06 81 03 f4 64
        Code:       Access-Request
        Identifier: 68
        Authentic:  <155><147><30><167><177>PUS<181>#<173>{<127>_<248>:
        Attributes:
                User-Name = "CP-7942G-SEP2893FE127C54"
                Service-Type = Framed-User
                Framed-MTU = 1500
                Called-Station-Id = "64-16-8D-F5-09-05"
                Calling-Station-Id = "28-93-FE-12-7C-54"
                EAP-Message = <2><1><0><29><1>CP-7942G-SEP2893FE127C54
                Message-Authenticator = cv <181><231>V<196><202>S<228><224><223><242>g<208><231>
                EAP-Key-Name =
                NAS-Port-Type = Ethernet
                NAS-Port = 50203
                NAS-Port-Id = "FastEthernet2/0/3"
                NAS-IP-Address = xxxx.xxxx.xxxx.xxxx

        Thu Jun 17 15:02:14 2010: DEBUG: Handling request with Handler 'Client-Identifier=LANIGAN-SWITCHES'
        Thu Jun 17 15:02:14 2010: DEBUG: Deleting session for CP-7942G-SEP2893FE127C54, 129.3.244.100, 50203
        Thu Jun 17 15:02:14 2010: DEBUG: Handling with Radius::AuthFILE:
        Thu Jun 17 15:02:14 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
        Thu Jun 17 15:02:14 2010: DEBUG: Response type 1
        Thu Jun 17 15:02:14 2010: DEBUG: EAP result: 3, EAP MD5-Challenge
        Thu Jun 17 15:02:14 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP MD5-Challenge
        Thu Jun 17 15:02:14 2010: DEBUG: Access challenged for CP-7942G-SEP2893FE127C54: EAP MD5-Challenge
        Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
        *** Sending to 129.3.244.100 port 1645 ....
        Packet length = 82
        0b 44 00 52 19 6d cc 6f 3a fa a6 fc 18 50 a8 1f
        29 71 f9 13 4f 2c 01 02 00 2a 04 10 5d 68 89 02
        09 5f 48 5d aa f2 d7 7d 62 a0 e2 95 72 61 64 69
        75 73 2d 30 31 2e 6f 73 77 65 67 6f 2e 65 64 75
        50 12 5f cb 5d 3e 32 22 33 d4 68 42 2e 71 d0 2d
        0f 65
        Code:       Access-Challenge
        Identifier: 68
        Authentic:  <25>m<204>o:<250><166><252><24>P<168><31>)q<249><19>
        Attributes:
                EAP-Message = <1><2><0>*<4><16>]h<137><2><9>_H]<170><242><215>}b<160><226><149>radius-01.oswego.edu
                Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

I'm running Radiator v4.5.1 under CentOS 5.4.

Anyone have any experience with configuring Cisco IP phones to authenticate via EAP-MD5 (or another means!) against Radiator? I've also opened a TAC case with Cisco to see if there's a bug in the firmware -- but I'm not finding anything googling around or looking on the Cisco site.

Any help or suggestions are appreciated!

--greg

Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
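To read what the trace above actually says, here is an added Python decoder (not part of the original post and not Radiator's own code) that parses the two packet dumps into RADIUS attributes and decodes the EAP-Message inside each: the phone's EAP Identity Response, then the server's EAP-Request/MD5-Challenge, after which the trace shows no further packet from the phone. It also flags whether the Message-Authenticator attribute is present, which RFC 3579 requires on EAP packets; verifying its HMAC would need the shared secret, which is redacted in the post.

```python
import struct
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES, EAP_TYPES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}, {1: "Identity", 4: "MD5-Challenge"}
# Constructed input: the two "Packet dump" hex blocks from the trace above, copied byte for byte.
ACCESS_REQUEST_HEX = (
    "01 44 00 b8 9b 93 1e a7 b1 50 55 53 b5 23 ad 7b 7f 5f f8 3a 01 1a 43 50"
    " 2d 37 39 34 32 47 2d 53 45 50 32 38 39 33 46 45 31 32 37 43 35 34 06 06"
    " 00 00 00 02 0c 06 00 00 05 dc 1e 13 36 34 2d 31 36 2d 38 44 2d 46 35 2d"
    " 30 39 2d 30 35 1f 13 32 38 2d 39 33 2d 46 45 2d 31 32 2d 37 43 2d 35 34"
    " 4f 1f 02 01 00 1d 01 43 50 2d 37 39 34 32 47 2d 53 45 50 32 38 39 33 46"
    " 45 31 32 37 43 35 34 50 12 63 76 20 b5 e7 56 c4 ca 53 e4 e0 df f2 67 d0"
    " e7 66 02 3d 06 00 00 00 0f 05 06 00 00 c4 1b 57 13 46 61 73 74 45 74 68"
    " 65 72 6e 65 74 32 2f 30 2f 33 04 06 81 03 f4 64")
ACCESS_CHALLENGE_HEX = (
    "0b 44 00 52 19 6d cc 6f 3a fa a6 fc 18 50 a8 1f 29 71 f9 13 4f 2c 01 02"
    " 00 2a 04 10 5d 68 89 02 09 5f 48 5d aa f2 d7 7d 62 a0 e2 95 72 61 64 69"
    " 75 73 2d 30 31 2e 6f 73 77 65 67 6f 2e 65 64 75 50 12 5f cb 5d 3e 32 22"
    " 33 d4 68 42 2e 71 d0 2d 0f 65")

def parse_radius(hex_dump):
    """Split a RADIUS packet into (code, id, [(attr_type, value), ...]), checking lengths."""
    pkt = bytes.fromhex(hex_dump)
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"length field {length} != packet size {len(pkt)}")
    attrs, pos = [], 20                      # 16-byte Authenticator follows the 4-byte header
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:  # a malformed TLV must not be silently skipped
            raise ValueError(f"bad attribute length at offset {pos}")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return RADIUS_CODES.get(code, code), ident, attrs

def decode_eap(attrs):
    """Reassemble EAP-Message (type 79) fragments and decode the EAP header and payload."""
    eap = b"".join(v for t, v in attrs if t == 79)
    code, ident, length = struct.unpack("!BBH", eap[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "type": EAP_TYPES.get(eap[4], eap[4]),
           "has_msg_auth": any(t == 80 for t, _ in attrs)}  # RFC 3579: mandatory alongside EAP-Message
    if eap[4] == 1:                          # Identity: payload is the identity string
        out["identity"] = eap[5:length].decode()
    elif eap[4] == 4:                        # MD5-Challenge: value-size, value, optional name
        vsize = eap[5]
        out["challenge"], out["name"] = eap[6:6 + vsize].hex(), eap[6 + vsize:length].decode()
    return out
if __name__ == "__main__":
    for dump in (ACCESS_REQUEST_HEX, ACCESS_CHALLENGE_HEX):
        code, ident, attrs = parse_radius(dump)
        print(code, "id", ident, decode_eap(attrs))
```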