Windows natively supports MD5 and PEAP. Mostly in the lab, you will not be
asked to perform this end to end. The EAP type is supposed to be configured on
ACS, so you need not worry about that. It is just to give you practical
experience. In some of the labs, I have seen even EAP-FAST being used. For
PEAP to work, you need to install the ACS self-signed cert in the root cert folder
of the PC. If you don't, you will see that error message.

Next, the PC will be connected to the IP Phone and the IP phone will be
connected to the switch. So the PC connects through the IP phone to the
switch. Now the IP Phone can't authenticate. Once the PC authenticates,
the port becomes authorized and the PC/IP Phone start to use their
respective vlans.


With regards
Kings

On Tue, May 8, 2012 at 8:57 AM, Eugene Pefti <[email protected]> wrote:

> Couple of questions, guys, with the first one not very relevant to
> Kings' original question.
>
> If it is lab 15 (Task 5.2 – Port Security), why do we need to use EAP-FAST
> as the authentication protocol, as stated in the solution? The task asks: "Any
> device that connects to Port F 0/15 should be authenticated by a RADIUS
> server located at 10.1.1.100".
>
> If it is a Windows host, then there are options to use "MD5 Challenge",
> "Smart card/Certificate" and "PEAP". How do we know what protocol will be
> used on the endpoint?
>
> Then back to Kings' original question. Do we need to have "switchport
> access vlan 49" under the interface if VLAN assignment is via ACS?
>
> I tested this scenario thoroughly and here are my curious observations.
>
> 1) The switch port where the IP Phone is plugged in is lit AMBER as
> if it is in error-disabled mode.
>
> 2) For some reason the switch detects the phone MAC address by the
> dot1x process and then drops it. This is what I see on the switch while
> asking for dot1x summary status (Fa0/7 is where it is connected):
>
> WRLSW#sh dot1x all sum
> Interface       PAE     Client          Status
> --------------------------------------------------------
> Fa0/7           AUTH    0023.339c.d629  UNAUTHORIZED
>
> WRLSW#sh dot1x all sum
> Interface       PAE     Client          Status
> --------------------------------------------------------
> Fa0/7           AUTH    none            UNAUTHORIZED
>
> 3) Dot1x debugging reports the phone MAC address by the following
> messages. I have no idea how to interpret them:
>
> *Mar  1 00:11:39.626: dot1x-ev:dot1x_switch_mac_address_notify: MAC
> 0023.339c.d629 discovered on FastEthernet0/7(1) consumed by MDA
> *Mar  1 00:11:41.178: dot1x-ev:dot1x_switch_addr_remove: Did not locate HA
> entry for MAC 0023.339c.d629 on interface FastEthernet0/7
>
> 4) And last but not least, when the PC successfully authenticates,
> the switch port lights up GREEN and "show dot1x all sum" reports that it sees
> two MAC addresses and they are both authorized:
>
> WRLSW#sh dot1x all sum
> Interface       PAE     Client          Status
> --------------------------------------------------------
> Fa0/7           AUTH    001d.72e2.634c  AUTHORIZED
>                         0023.339c.d629  AUTHORIZED
>
> I have to stress again that the successful authentication
> works when the authentication type is set to use MD5 Challenge on the Windows
> PC. All other methods don't work and I see this error message in ACS Failed
> attempts:
>
> "EAP-TLS or PEAP authentication failed during SSL handshake"
>
> Will it require me to install the ACS certificate on the Test PC to
> use PEAP?
>
> Eugene
>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
> Sent: 06 May 2012 19:27
> To: [email protected]; [email protected]
> Subject: Re: [OSL | CCIE_Security] Dotlx with voice vlan
>
> Hi Kings,
>
> That is lab 15, right? I did that one today. Why is it multi-domain?
> Shouldn't it be multi-host? I finished the lab and I have to review the
> solution, but it just said "If authenticated, place it on vlan x". That is
> all I did.
>
> Like I said, I have to compare both configs, but I guess if not specified
> then just use the authenticated vlan.
>
> Mike
> ------------------------------
>
> Date: Sun, 6 May 2012 01:39:07 +0530
> From: [email protected]
> To: [email protected]
> Subject: [OSL | CCIE_Security] Dotlx with voice vlan
>
> Hi all
>
> I have never got a chance to try this practically, hence theoretically I
> need confirmation :-)
>
> OK, the scenario is that the port f0/15 is carrying both data and voice.
> Now, I need to configure that for dot1x and hence I have put it in
> "multi-domain" mode.
>
> Now, the PC authenticates and gets the data vlan from the ACS. No issues,
> it is working.
>
> What about the IP Phone? Does it just authenticate and start using the voice vlan
> configured on the port, or should it also download the vlan from ACS?
>
> Inputs please...
>
> interface FastEthernet0/15
>  description XP PC
>  switchport access vlan 49
>  switchport mode access
>  switchport voice vlan 500
>  dot1x pae authenticator
>  dot1x port-control auto
>  dot1x host-mode multi-domain
>  dot1x violation-mode protect
>  dot1x timeout reauth-period server
>  dot1x max-reauth-req 1
>  dot1x reauthentication
>  dot1x auth-fail vlan 490
>  spanning-tree portfast
>
> With regards
>
> Kings
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit
> www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
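Eugene's observation that only "MD5 Challenge" authenticates without installing the ACS certificate, and Kings' reply that PEAP needs the ACS root cert on the PC, both come down to what each EAP type actually does on the wire. The block below is an added example, not code from the thread, from Cisco or from ACS. It implements the EAP-MD5 Challenge exchange of RFC 3748 section 5.4 on all three sides (the Request the authenticator sends, the Response the supplicant computes, the recomputation the RADIUS side does to verify it) and then shows the reason a practitioner would not leave a production port on that method: one captured Request/Response pair lets anyone test password guesses offline, with no further contact with ACS. The password, EAP Identifier, challenge bytes and wordlist are constructed values for the example.

```python
"""EAP-MD5 Challenge (RFC 3748 section 5.4) end to end, plus the offline
dictionary attack it permits. Added example for this thread; not code
from the thread, from Cisco or from ACS. Password, identifier, challenge
and wordlist are constructed values."""
import hmac
import hashlib

EAP_REQUEST, EAP_RESPONSE = 1, 2    # EAP Code field values
EAP_TYPE_MD5_CHALLENGE = 4          # EAP Type field value for MD5-Challenge


def md5_challenge_response(identifier, password, challenge):
    """RFC 3748 5.4: Response Value = MD5(Identifier || Password || Challenge).
    The Identifier is the one-octet EAP identifier of the matching Request."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def _encode(code, identifier, value, name):
    """Encode an EAP MD5-Challenge packet: Code, Identifier, Length (2 octets,
    whole packet), Type=4, Value-Size, Value, Name."""
    type_data = bytes([len(value)]) + value + name
    length = 5 + len(type_data)            # 4-octet EAP header + 1-octet Type
    return (bytes([code, identifier]) + length.to_bytes(2, "big")
            + bytes([EAP_TYPE_MD5_CHALLENGE]) + type_data)


def build_request(identifier, challenge, name=b""):
    """The authenticator (the switch, relaying for ACS) sends the challenge."""
    return _encode(EAP_REQUEST, identifier, challenge, name)


def build_response(identifier, password, challenge, name):
    """The supplicant (Windows PC) answers with MD5(id | password | challenge)."""
    return _encode(EAP_RESPONSE, identifier,
                   md5_challenge_response(identifier, password, challenge), name)


def parse_md5_challenge(packet):
    """Return (code, identifier, value, name); reject malformed packets."""
    if len(packet) < 6:
        raise ValueError("packet too short for EAP MD5-Challenge")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = packet[5]
    if 6 + value_size > len(packet):
        raise ValueError("Value-Size exceeds packet length")
    return code, identifier, packet[6:6 + value_size], packet[6 + value_size:]


def verify_response(response_packet, expected_identifier, password, challenge):
    """RADIUS-server side check: recompute the digest from the stored
    password and compare it in constant time."""
    code, identifier, value, _name = parse_md5_challenge(response_packet)
    if code != EAP_RESPONSE or identifier != expected_identifier:
        return False
    expected = md5_challenge_response(identifier, password, challenge)
    return hmac.compare_digest(value, expected)


def offline_guess(identifier, challenge, captured_value, wordlist):
    """What an eavesdropper on the access link can do with one captured
    Request/Response pair: guess passwords with no interaction with ACS."""
    for candidate in wordlist:
        if md5_challenge_response(identifier, candidate.encode(), challenge) == captured_value:
            return candidate
    return None


def run_exchange():
    """Walk one exchange; return (verified, wrong_password_rejected, guessed)."""
    password = b"labpass1"                                        # constructed
    challenge = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed 16-octet challenge
    identifier = 7                                                # constructed EAP Identifier

    request = build_request(identifier, challenge, name=b"ACS")
    _code, req_id, req_challenge, _name = parse_md5_challenge(request)
    response = build_response(req_id, password, req_challenge, name=b"testpc")

    verified = verify_response(response, identifier, password, challenge)
    rejected = not verify_response(response, identifier, b"wrongpass", challenge)

    # The attacker sees exactly the same two packets the switch saw.
    _code, _id, captured_value, _name = parse_md5_challenge(response)
    guessed = offline_guess(identifier, challenge, captured_value,
                            ["cisco", "password", "labpass1", "ipexpert"])
    return verified, rejected, guessed


if __name__ == "__main__":
    print(run_exchange())  # (True, True, 'labpass1')
```

Nothing in that exchange identifies the server to the PC, and nothing derives keying material, which is why Windows offers MD5 Challenge with no certificate prompt and why it is the one type that "just works" in the lab. PEAP runs the inner authentication inside a TLS tunnel, so the supplicant first validates the ACS server certificate; with a self-signed ACS cert that is not in the PC's trusted root store, the supplicant aborts the handshake, and ACS logs it as the "failed during SSL handshake" entry Eugene quotes. Installing that certificate is the fix the thread arrives at; the example above is the reason not to treat MD5 Challenge as an acceptable substitute outside the lab.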