A couple of questions, guys, with the first one not very relevant to Kings' 
original question.

If it is lab 15 (Task 5.2 - Port Security), why do we need to use EAP-FAST as 
the authentication protocol, as stated in the solution? The task asks: "Any 
device that connects to Port F 0/15 should be authenticated by a RADIUS server 
located at 10.1.1.100".
If it is a Windows host, then there are options to use "MD5 Challenge", "Smart 
card/Certificate" and "PEAP". How do we know which protocol will be used on the 
endpoint?

Then back to Kings' original question. Do we need to have "switchport access 
vlan 49" under the interface if VLAN assignment is via ACS ?

I tested this scenario thoroughly, and here are my curious observations.


1)     The switch port where the IP Phone is plugged in lights up AMBER, as if it 
were in error-disabled mode.

2)     For some reason the switch detects the phone MAC address via the dot1x 
process and then drops it. This is what I see on the switch when asking for the 
dot1x summary status (Fa0/7 is where it is connected):

WRLSW#sh dot1x all sum
Interface       PAE     Client          Status
--------------------------------------------------------
Fa0/7           AUTH    0023.339c.d629  UNAUTHORIZED

WRLSW#sh dot1x all sum
Interface       PAE     Client          Status
--------------------------------------------------------
Fa0/7           AUTH    none            UNAUTHORIZED


3)     Dot1x debugging reports the phone MAC address with the following messages. 
I have no idea how to interpret them:

*Mar  1 00:11:39.626: dot1x-ev:dot1x_switch_mac_address_notify: MAC 
0023.339c.d629 discovered on FastEthernet0/7(1) consumed by MDA
*Mar  1 00:11:41.178: dot1x-ev:dot1x_switch_addr_remove: Did not locate HA 
entry for MAC 0023.339c.d629 on interface FastEthernet0/7


4)      And last but not least, when the PC successfully authenticates the 
switch port lights up GREEN and "show dot1x all sum" reports that it sees two MAC 
addresses and they are both authorized:

WRLSW#sh dot1x all sum
Interface       PAE     Client          Status
--------------------------------------------------------
Fa0/7           AUTH    001d.72e2.634c  AUTHORIZED
                        0023.339c.d629  AUTHORIZED
I have to stress again that the successful authentication works 
when the authentication type is set to use MD5 Challenge on the Windows PC. All 
other methods don't work, and I see this error message in ACS Failed Attempts:

"EAP-TLS or PEAP authentication failed during SSL handshake"

Will it require me to install the ACS certificate on the test PC to use 
PEAP?


Eugene
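Eugene's "show dot1x all sum" listings above are the kind of output one ends up checking across many ports, and the second listing shows the awkward case: a second client on the same port printed on a continuation row with the Interface and PAE columns blank. The following is an added example, not code from this thread or from Cisco: a small Python parser for that output that handles the continuation row and the "none" client, then lists the ports that still have an UNAUTHORIZED entry. The sample text is constructed from the listings quoted above plus one extra, still-unauthorized port; the function and class names are my own.

```python
"""Parse 'show dot1x all summary' and flag ports with unauthorized clients.

Added example for this thread, not code from the original posts. The
sample output is constructed from the listings quoted above plus one
extra, unauthorized port; the function and class names are mine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: Fa0/7 has two authorized clients (PC + phone), the
# second one on a continuation row with blank Interface/PAE columns;
# Fa0/15 has no client yet and is still unauthorized.
SAMPLE_OUTPUT = """\
WRLSW#sh dot1x all sum
Interface       PAE     Client          Status
--------------------------------------------------------
Fa0/7           AUTH    001d.72e2.634c  AUTHORIZED
                        0023.339c.d629  AUTHORIZED
Fa0/15          AUTH    none            UNAUTHORIZED
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
PAE_ROLES = {"AUTH", "SUPP", "BOTH"}   # port access entity roles IOS prints


@dataclass(frozen=True)
class Dot1xClient:
    interface: str
    pae: str
    client: Optional[str]   # None when the switch prints "none"
    status: str             # AUTHORIZED or UNAUTHORIZED


def parse_dot1x_summary(text: str) -> List[Dot1xClient]:
    """Return one record per client row, expanding continuation rows."""
    records: List[Dot1xClient] = []
    current_intf: Optional[str] = None
    current_pae: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        # Skip the prompt, the column header and the dashed rule.
        if not line or "#" in line or line.startswith("Interface") or line.startswith("-"):
            continue
        tokens = line.split()
        if not raw[0].isspace():
            # A port row carries all four columns.
            if len(tokens) != 4 or tokens[1] not in PAE_ROLES:
                raise ValueError(f"unexpected row: {line!r}")
            current_intf, current_pae, client, status = tokens
        else:
            # A continuation row (extra client on the same port) carries
            # only Client and Status; it inherits the port above it.
            if current_intf is None or current_pae is None or len(tokens) != 2:
                raise ValueError(f"continuation row without a port row: {line!r}")
            client, status = tokens
        if client == "none":
            mac: Optional[str] = None
        elif MAC_RE.match(client):
            mac = client
        else:
            raise ValueError(f"bad Client field: {client!r}")
        records.append(Dot1xClient(current_intf, current_pae, mac, status))
    return records


def unauthorized_ports(records: List[Dot1xClient]) -> List[str]:
    """Ports that still show at least one row not in AUTHORIZED state."""
    return sorted({r.interface for r in records if r.status != "AUTHORIZED"})


def macs_by_port(records: List[Dot1xClient]) -> Dict[str, List[str]]:
    """Authorized MAC addresses per port (empty list when none yet)."""
    out: Dict[str, List[str]] = {}
    for r in records:
        out.setdefault(r.interface, [])
        if r.client is not None and r.status == "AUTHORIZED":
            out[r.interface].append(r.client)
    return out


if __name__ == "__main__":
    recs = parse_dot1x_summary(SAMPLE_OUTPUT)
    for r in recs:
        print(r)
    print("still unauthorized:", unauthorized_ports(recs))
    print("authorized MACs:", macs_by_port(recs))
```

The parser deliberately raises on a row it does not understand rather than silently skipping it, so a changed column layout on a different IOS release shows up as an error instead of a port quietly missing from the report.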



From: [email protected] 
[mailto:[email protected]] On Behalf Of Mike Rojas
Sent: 06 May 2012 19:27
To: [email protected]; [email protected]
Subject: Re: [OSL | CCIE_Security] Dot1x with voice vlan


Hi Kings,

That is lab 15, right? I did that one today. Why is it multi-domain? Shouldn't it 
be multi-host? I finished the lab and I have to review the solution, but it 
just said "If authenticated, place it on vlan x". That is all I did.

Like I said, I have to compare both configs, but I guess if not specified then 
just use the authenticated vlan.

Mike
________________________________
Date: Sun, 6 May 2012 01:39:07 +0530
From: [email protected]
To: [email protected]
Subject: [OSL | CCIE_Security] Dot1x with voice vlan

Hi all

I have never had a chance to try this practically, hence theoretically I need 
confirmation :-)


Ok, the scenario is that port f0/15 is carrying both data and voice. Now, I 
need to configure that for dot1x and hence I have put it in "multi-domain" mode.

Now, the PC authenticates and gets the data vlan from the ACS. No issues, it is 
working.



What about the IP Phone? Does it just authenticate and start using the voice vlan 
configured on the port, or should it also download a vlan from ACS?



Inputs please...





interface FastEthernet0/15
 description XP PC
 switchport access vlan 49
 switchport mode access
 switchport voice vlan 500
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x violation-mode protect
 dot1x timeout reauth-period server
 dot1x max-reauth-req 1
 dot1x reauthentication
 dot1x auth-fail vlan 490
 spanning-tree portfast


With regards

Kings
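Kings' question is what the phone gets from ACS in multi-domain mode. What the switch acts on is the attribute set in the RADIUS Access-Accept: a data VLAN is only assigned when all three RFC 2868 tunnel attributes are returned and agree (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN ID or name), and in multi-domain mode a client is authorized into the voice domain when the Cisco VSA cisco-av-pair "device-traffic-class=voice" is returned. Below is an added example, not code from this thread, from Cisco or from any RADIUS server, that encodes both kinds of reply to RADIUS wire format and decodes them back the way a switch would classify them, including a reply that is missing one of the three tunnel attributes. Attribute numbers follow RFC 2865/2868 and the Cisco vendor ID; the function names are my own.

```python
"""Encode and classify RADIUS Access-Accept attributes for 802.1X VLAN
and voice-domain authorization.

Added example for this thread, not code from the original posts, Cisco
or any RADIUS server. Attribute numbers follow RFC 2865/2868 and the
Cisco vendor ID 9 / cisco-avpair vendor type 1; function names are mine.
"""
from __future__ import annotations

import struct
from typing import Dict, List, Optional, Tuple

# RFC 2868 tunnel attributes used for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
# RFC 2865 Vendor-Specific, Cisco vendor ID and its cisco-avpair sub-type
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
VOICE_AVPAIR = "device-traffic-class=voice"


def _avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (incl. header), value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def _tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte then a 3-byte integer."""
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def _tagged_string(attr_type: int, tag: int, text: str) -> bytes:
    """RFC 2868 tagged string: one tag byte then the string."""
    return _avp(attr_type, bytes([tag]) + text.encode("ascii"))


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying one cisco-avpair string."""
    payload = text.encode("ascii")
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(payload) + 2]) + payload
    return _avp(VENDOR_SPECIFIC, vsa)


def data_vlan_accept(vlan_id: int, tag: int = 0) -> bytes:
    """The three attributes that put the data device in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def voice_domain_accept() -> bytes:
    """The VSA that authorizes a client into the MDA voice domain."""
    return cisco_avpair(VOICE_AVPAIR)


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def _untag(value: bytes) -> bytes:
    # RFC 2868: a first byte above 0x1F is data, not a tag.
    return value if value[:1] > b"\x1f" else value[1:]


def classify_accept(blob: bytes) -> Dict[str, object]:
    """What a switch does with the reply: a data VLAN only if all three
    tunnel attributes agree, plus voice-domain authorization if the VSA is
    present."""
    tunnel_type: Optional[int] = None
    medium: Optional[int] = None
    group: Optional[str] = None
    voice = False
    for attr_type, value in parse_attributes(blob):
        if attr_type == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(_untag(value), "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(_untag(value), "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            group = _untag(value).decode("ascii")
        elif (attr_type == VENDOR_SPECIFIC and len(value) >= 6
              and value[:4] == struct.pack("!I", CISCO_VENDOR_ID)):
            sub_type, sub_len = value[4], value[5]
            text = value[6:4 + sub_len].decode("ascii", "replace")
            if sub_type == CISCO_AVPAIR and text == VOICE_AVPAIR:
                voice = True
    data_vlan = group if (tunnel_type == TUNNEL_TYPE_VLAN
                          and medium == TUNNEL_MEDIUM_IEEE_802 and group) else None
    return {"data_vlan": data_vlan, "voice_domain": voice}


if __name__ == "__main__":
    print(classify_accept(data_vlan_accept(49)))
    print(classify_accept(voice_domain_accept()))
```

The decoder reproduces the behaviour that trips people up in this scenario: a reply carrying only Tunnel-Type and Tunnel-Private-Group-ID, with Tunnel-Medium-Type missing, classifies to no VLAN at all, which on the switch shows as the port staying in the configured access VLAN rather than failing visibly.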
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com