dot1x and voip on the same switch port

Started by Dieselboy, June 11, 2018, 06:03:35 AM


Dieselboy

I was looking into this today. I have PEAP working, but voip phone no worky! Test env. is a 2960, an 8945 cisco phone and Windows Server 2012 NPS.

Curious to know what you guys are doing in terms of dot1x when the PC is daisy-chained behind the phone. I Googled a lot and saw people using MAC address auth by creating new users with a username of each phone's MAC address. It seems messy to me, and users aren't stupid: each phone has the MAC address printed on it and it's not difficult to spoof a MAC.

Otanx

That phone should be able to do .1x. Then a multiauth config to allow the PC and it should work. I haven't done it but that is where I would start.

-Otanx

Dieselboy

Got you, thanks; looks like I can do eap-tls. I looked at the phone earlier and saw eap-md5  :XD:

Dieselboy

Have been unsuccessful in this so far. I have three options to complete this:

  • eap-tls
  • eap-md5
  • mac auth bypass

eap-tls - unsure of the Microsoft NPS policy but what I see so far is NPS auth success but the switch logs that the phone has not authed successfully. I have been trying to do this with the cisco root cert (not looking to use LSC cert at this point, just want to make sure that the only other device on the switch port is a cisco phone).

eap-md5 is OUT due to security and the fact that Windows 2012 needs a registry hack to be able to configure it.

mac auth bypass - not been able to get that working either. Don't really want to create AD user accounts per-phone.

Any pointers will be appreciated.

deanwebb

Installing a cert on a Cisco phone is a manual job, and most crews will refuse to do so. No way to automate the cert push, as I understand. Therefore, phones typically get a MAC bypass list.

Cisco root cert does not prove you have a company asset, just something made by Cisco. Therefore, it's a permissive form of NAC, as is the MAC bypass. What is desirable is a method that allows the device on the network, then does a profile assessment to ensure it is a proper company asset. Let it remain if yes, block if no.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

Pushing a cert to a phone requires a bit more planning and prep. I need to make the CUCM publisher a CA and then go and create / push the certs. I think this is what I will need to do eventually but I need to look into it some more before I decide to go down that road. For the moment, I am making use of MAB so that I can get the laptops using dot1x and implement dot1x for the phones later. I was initially trying to allow any Cisco phone access using the MIC cert. I found in the debugs that RADIUS / NPS was sending the switch a radius-accept message but the phone was not connecting. I think that it was because the phone was not authenticating the server.

Dean, regarding dot1x on the laptops, I've had one other problem. I found a couple of Windows machines authenticating to the wifi using the computer account in AD. Because the computer account was not matching the users' security group of "Internal wireless users" they were being placed on to the guest wifi network (like a fallback: if AD authenticates but not in the internal group, then put on guest wifi net). For some reason my Windows laptop decided to disconnect from the wifi. When I connected manually I was being placed onto the guest wifi. I had to forget the wifi network then reconnect manually to fix that. So on the guest wifi RADIUS / NPS policy, I am now matching a guest wireless AD group as well, because the guest wifi policy was acting like a catch-all and including the computer accounts. I have EAP as well as PEAP enabled on the policy. Am I right in thinking that the computer accounts are authenticating via EAP? I was using GPO to push the wireless config which included the certs from the CA. So now, if a user is not logged in, the laptop won't automatically connect to the wifi.

I can imagine that some companies would like access to computers to manage them even if a user is not logged in (say for pushing updates etc). But I can also imagine a stance of "if there's no one using a laptop then why should it be on the network". What is commonly done in this situation? A 3rd option might be to create a specific LAN for computer login that allows management access but not the reverse but that is more complex and might be over-engineering things  ;D

deanwebb

You will definitely want the certs to be non-interactive, and allowing user or machine certs keeps your bases covered, as the Windows native supplicant is... quirky, I'll use that word.

As for the last question, it's best to examine the actual use cases for that requirement and then engineer around those.

wintermute000

You can bypass dot1x on the VOIP VLAN and rely on the fact that the phone needs to pass CDP before the VOIP VLAN is granted.

Sure it can be spoofed, but you can harden the VOIP VLAN, and it's still better than nothing. dot1x and certs on handsets is a nightmare as you're discovering.