Ethernet Switches & Routers

New Contributor
oklier1
Posts: 3
Registered: 07-26-2012

multi-device port authentication and 802.1X authentication configuration on the same port

So, I'm sure I'm not the first to run into this and I've been digging around looking for answers but found none. What we are trying to do is have dot1x authentication on dual-mode ports, e.g. IP phones (Avaya) with PCs daisy-chained off of them (either domain PCs or guest). I found the configs in the guides but still have a few questions as to why it's not working.

So the phones should be authenticated and dropped onto the phone vlan.

Domain PCs should be authenticated using user authentication via dot1x and be put onto the production vlan.

Guest PCs should fail dot1x and be dumped on the guest vlan.

Here are snippets of my config:

vlan production: the port is untagged

vlan voice: the port is tagged

dot1x-enable
 re-authentication
 restrict-forward-non-dot1x
 no global-filter-strict-security
 servertimeout 60
 timeout quiet-period 4294967295
 auth-fail-action restricted-vlan
 auth-fail-vlanid 3399
 enable ethe 0/1/1 to 0/1/47

mac-authentication enable
mac-authentication auth-fail-dot1x-override

interface ethernet 0/1/37
 dot1x port-control auto
 dual-mode
 mac-authentication enable
 spanning-tree 802-1w admin-edge-port
 trust dscp

We are using 2008R2 NPS for our dot1x auth.

Questions:

How can I authenticate the phones without a ton of administrative overhead, e.g. entering each MAC individually and creating a user account for each? Maybe groups or somehow tell the switch that if a MAC matches a defined range it auto dumps them into the proper vlan?

New Contributor
david.manson
Posts: 2
Registered: 12-13-2011

Re: multi-device port authentication and 802.1X authentication configuration on the same port

Hi, I was wondering if you ever got this working? I'm trying to do the same, ideally with MAC auth for the phone and user/machine auth for the PC. I can get MAC auth or user auth but not both. Any ideas?

New Contributor
oklier1
Posts: 3
Registered: 07-26-2012

Re: multi-device port authentication and 802.1X authentication configuration on the same port

Nope, sorry, Brocade support was a brick wall. Since we have to implement full posture validation, dot1x won't work for us anyway; our directives have changed. We are going to use a 3rd party product to do NAC for us. The only thing I have come across that was slightly helpful was this document, just search for it on Brocade's site: BRCD-ENTERPRISE 2373. Basically it uses LLDP for the phone side of things. But I never got to test it out.

Hope things work out for you.

Occasional Contributor
sethfiermonti
Posts: 5
Registered: 08-23-2012

Re: multi-device port authentication and 802.1X authentication configuration on the same port

You can use LLDP to assign the Voice VLAN using the MED policy. You can also use a better RADIUS server... check this one out:

http://www.arubanetworks.com/product/clearpass-policy-manager

New Contributor
david.manson
Posts: 2
Registered: 12-13-2011

Re: multi-device port authentication and 802.1X authentication configuration on the same port

Hi, I'm using Clearpass. But it's the Brocade I can't get to do what I want. I'll look into LLDP, thanks.

Occasional Contributor
sethfiermonti
Posts: 5
Registered: 08-23-2012

Re: multi-device port authentication and 802.1X authentication configuration on the same port

And... you are sending back the appropriate VSAs, correct? The idea is that MAC auth fails and then 802.1x auth should occur. What does Access Tracker look like? You know... you can also do a tcpdump within ClearPass and analyze the logs to see what's being sent and received on the wire...
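An added example (not code from the thread, nor from Brocade, NPS or ClearPass) of the RADIUS-side decision the original question and the reply above describe: MAC auth accepts phones by OUI prefix and returns the standard RFC 3580 VLAN attributes for the voice VLAN, rejects unknown MACs so the switch's mac-authentication auth-fail-dot1x-override falls through to 802.1X, and 802.1X accepts domain identities onto the production VLAN; a failed 802.1X is left to the switch's auth-fail-vlanid 3399. The OUI prefixes, VLAN ids, identities and the convention that MAC-auth requests carry Service-Type=Call-Check are assumptions, and the 802.1X branch is an identity-only stand-in for the real EAP exchange.

```python
import re
from typing import Optional

# RFC 3580 attributes for dynamic VLAN assignment (standard attributes, not vendor VSAs).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_802 = 6

# Constructed policy data (assumptions): replace with your phones' OUIs, your VLAN ids
# and the identities your directory actually returns.
PHONE_OUIS = {"00:04:0d", "00:1b:4f"}          # assumed example OUI prefixes for the phones
VOICE_VLAN = "3380"                            # assumed voice VLAN id
PRODUCTION_VLAN = "3300"                       # assumed production VLAN id
DOMAIN_IDENTITIES = {"CORP\\alice", "host/pc01.corp.example"}  # assumed 802.1X identities


def normalize_mac(raw: str) -> Optional[str]:
    """Accept the MAC spellings a switch may put in User-Name (0004.0d12.3456,
    00-04-0D-12-34-56, 00040d123456) and return aa:bb:cc:dd:ee:ff, or None if not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def vlan_reply(vlan_id: str) -> dict:
    """Access-Accept carrying the VLAN the switch should place the session in."""
    return {"code": "Access-Accept",
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_802,
            "Tunnel-Private-Group-ID": vlan_id}


def evaluate(request: dict) -> dict:
    """Decide one Access-Request. Assumption: MAC-auth requests arrive with
    Service-Type=Call-Check and the MAC in User-Name; 802.1X requests carry EAP-Message."""
    if request.get("Service-Type") == "Call-Check":
        mac = normalize_mac(request.get("User-Name", ""))
        if mac is not None and mac[:8] in PHONE_OUIS:
            return vlan_reply(VOICE_VLAN)
        # Reject so the switch's auth-fail-dot1x-override moves on to 802.1X for a PC.
        return {"code": "Access-Reject"}
    if request.get("EAP-Message"):
        if request.get("User-Name") in DOMAIN_IDENTITIES:
            return vlan_reply(PRODUCTION_VLAN)
        # Guests fail here; the switch's auth-fail-vlanid (3399 in the thread) handles them.
        return {"code": "Access-Reject"}
    return {"code": "Access-Reject"}  # neither MAC auth nor EAP: deny by default
```

Compare the attributes a real server returns against this shape in Access Tracker or a capture; a missing Tunnel-Private-Group-ID on the phone's Access-Accept is the usual reason the phone lands in the untagged VLAN instead of the voice VLAN.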
