[c-nsp] authentication host-mode multi-auth configuration on cisco 2960

pamela pomary ppomary at gmail.com
Thu Jul 14 13:05:42 EDT 2011


Hello,

I have an IP phone that DOES NOT SUPPORT DOT1X.
I have a RADIUS server using FreeRADIUS on a Linux machine.
I am able to authenticate the IP phone via MAB.
Here are my configuration on the FastEthernet port of the Cisco Catalyst 2960
switch and the users file in FreeRADIUS, respectively:

switchport access vlan 6
switchport mode access
switchport voice vlan 200
authentication host-mode multi-auth
authentication port-control auto
authentication violation protect
mab eap
dot1x pae both
spanning-tree portfast


nicholas            User-Password := "xxxxxx"
000e10005336   User-Password := "000e10005336"
000e100045da   User-Password := "000e100045da"

The IP phone is able to authenticate successfully via MAC address bypass. The PC, on
the other hand, is not able to authenticate via dot1x.

Because I have authentication host-mode set to multi-auth, I was expecting
that when I connect a PC to the LAN port of the IP phone, the PC will
authenticate using dot1x. The PC prompts me for a login username and password
alright, but does not authenticate when I enter these details. The user
account is a valid user on the RADIUS server.

When I run RADIUS in debug mode on the RADIUS server, I realise it tries to
use the MAC address of the PC to authenticate but fails because it has no
entry in the users file on my RADIUS server. Also, when I debug
authentication on the Cisco Catalyst 2960, the PC starts a dot1x process
first, then fails, then starts a MAB process which also fails because I do
not want to do MAC address bypass for the PC.

I want to be able to authenticate the IP phone via MAC address bypass and
authenticate the PC that connects to the LAN port of the IP phone via dot1x
using authentication host-mode multi-auth. How can I achieve that? When I
connect an unmanaged switch to an authentication-configured port on the Cisco
2960 switch, I am able to authenticate the PC and phone independently, but not when a
PC connects to the LAN port of the phone. If an unmanaged switch connecting
to a Cisco Catalyst 2960 authentication host-mode multi-auth enabled port
can do multi-authentication, i.e. MAB and dot1x, why can't I get the IP phone
to do the same (i.e. authenticate the phone via MAC address bypass and the PC connecting
to the LAN port of the IP phone)?
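The RADIUS debug described above shows the switch falling back to MAB for the PC and the server rejecting it because the PC's MAC has no entry in the users file. The script below is an added example (not the poster's code and not part of FreeRADIUS or IOS) that audits a users file in the format shown in the post: it separates MAB entries (MAC as username) from ordinary user accounts, flags entries that can never match a MAB request, and answers whether a given MAC would pass MAB. It assumes the default IOS MAB request format, in which the MAC is sent as twelve lowercase hex digits with no separators as both User-Name and User-Password; the sample file is constructed from the post's three entries plus one hypothetical malformed line, and the function names `parse_users`, `audit_users`, `normalize_mac` and `mab_allowed` are the example's own.

```python
import re

# Constructed sample in the format of the users file from the post (the first
# three lines are the post's entries; the last one is a hypothetical bad line).
SAMPLE_USERS = """\
nicholas            User-Password := "xxxxxx"
000e10005336   User-Password := "000e10005336"
000e100045da   User-Password := "000e100045da"
# hypothetical entry: colon-separated MAC, not the form IOS MAB sends by default
00:0e:10:00:99:aa   User-Password := "00:0e:10:00:99:aa"
"""

# One top-level users-file entry: name, check attribute, operator, value.
ENTRY_RE = re.compile(r'^(\S+)\s+(\S+)\s*(:=|==|=)\s*"?([^"]*)"?\s*$')
HEX12_RE = re.compile(r'^[0-9a-f]{12}$')


def normalize_mac(text):
    """Strip ':', '-' and '.' separators and lowercase, giving the 12-hex-digit
    form IOS MAB uses as User-Name (and, by default, as User-Password).
    Returns None if the result is not 12 hex digits."""
    candidate = re.sub(r'[.:-]', '', text).lower()
    return candidate if HEX12_RE.match(candidate) else None


def parse_users(text):
    """Parse the top-level entry lines of a FreeRADIUS users file.
    Blank lines, comments and indented reply-item lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():
            continue  # reply items belonging to the previous entry
        match = ENTRY_RE.match(line)
        if match:
            entries.append(match.groups())
    return entries


def audit_users(text):
    """Classify entries as MAB (MAC-as-username) or ordinary user accounts and
    collect warnings for entries that cannot match a default MAB request."""
    report = {"mab": [], "users": [], "warnings": []}
    for name, attr, _op, value in parse_users(text):
        norm = normalize_mac(name)
        if norm is None:
            report["users"].append(name)
            continue
        if name != norm:
            report["warnings"].append(
                f"{name}: IOS MAB sends the MAC as {norm}; this entry will not match")
            continue
        if attr == "User-Password" and value != name:
            report["warnings"].append(
                f"{name}: User-Password differs from the MAC that MAB sends by default")
        report["mab"].append(name)
    return report


def mab_allowed(text, mac):
    """True if a MAB request for `mac` (given in any common notation, e.g. the
    dotted form shown by the switch) has a matching entry in the users file."""
    norm = normalize_mac(mac)
    return norm is not None and norm in audit_users(text)["mab"]


if __name__ == "__main__":
    report = audit_users(SAMPLE_USERS)
    print("MAB entries: ", report["mab"])
    print("User entries:", report["users"])
    for warning in report["warnings"]:
        print("WARNING:", warning)
    # A PC MAC with no entry fails MAB, matching the debug output in the post.
    print("PC 0011.2233.4455 passes MAB?", mab_allowed(SAMPLE_USERS, "0011.2233.4455"))
```

Running it against the sample reports the two phone MACs as MAB entries, `nicholas` as a user account, one warning for the colon-separated line, and `False` for the PC's MAC, which is the expected and desirable outcome: the PC should be authenticated by dot1x, not admitted by MAB.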

