Hello Guys,
I'm looking at setting up 802.1x PNAC on our Juniper EX2300s running 18.3.R1, handing off to NPS for RADIUS.
Devices with machine certificates authenticate fine. I am having an issue with VoIP phones: the phones do not have certificates and are not domain-joined devices, so I have enabled MAC-RADIUS (not secure, I know) on the switch port. The phones authenticate fine as standalone devices with MAC-RADIUS, and the phones register to the call manager platform.
The issue I am running into is when the PCs are piggybacked through the phones. I have enabled multi-domain authentication.
My dot1x configuration is below:
set protocols dot1x authenticator authentication-profile-name WIRED_ACCESS
set protocols dot1x authenticator interface ge-0/0/4.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/4.0 transmit-period 2
set protocols dot1x authenticator interface ge-0/0/4.0 multi-domain max-data-session 2
set protocols dot1x authenticator interface ge-0/0/4.0 mac-radius
set protocols dot1x authenticator interface ge-0/0/4.0 reauthentication 60
set protocols dot1x authenticator interface ge-0/0/4.0 supplicant-timeout 60
set protocols dot1x authenticator interface ge-0/0/4.0 server-timeout 60
set protocols dot1x authenticator interface ge-0/0/4.0 maximum-requests 3
However, in the output I see that the phone (supplicant f8a5c5ea3fa3) is in the data domain, not the voice domain. This is causing issues and the phones are unable to register.
I am using a Cisco 8845. Has anyone experienced anything like this before?
root@dot1x_switch> show dot1x interface detail ge-0/0/4.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 2 seconds
  Mac Radius: Enabled
  Mac Radius Restrict: Disabled
  Mac Radius Authentication Protocol: EAP-MD5
  Reauthentication: Enabled
  Reauthentication interval: 60 seconds
  Supplicant timeout: 60 seconds
  Server timeout: 60 seconds
  Maximum EAPOL requests: 3
  Guest VLAN member: not configured
  Multi Domain Data Session Count: 2
  Number of connected supplicants: 2
    Supplicant: host/LAPTOP1.thedomain.co.uk, B8:6B:23:08:62:CE
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentication method: Radius
      Authenticated VLAN: VLAN_USER_248
      Session Reauth interval: 60 seconds
      Reauthentication due in 18 seconds
      Eapol-Block: Not In Effect
      Domain: Data
    Supplicant: f8a5c5ea3fa3, F8:A5:C5:EA:3F:A3
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentication method: Mac Radius
      Authenticated VLAN: VLAN_USER_248
      Session Reauth interval: 60 seconds
      Reauthentication due in 26 seconds
      Eapol-Block: Not In Effect
      Domain: Data
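
Added example, not part of the original post: a Python check that parses `show dot1x interface detail` output and lists MAC RADIUS sessions that ended up in the Data domain on the same VLAN as an 802.1X session, which is the symptom described above. The function names are hypothetical, the sample is trimmed from the output in the post, and the parser assumes one field per line.

```python
# Sample trimmed from the output quoted in the post (one field per line assumed).
SAMPLE = """\
  Multi Domain Data Session Count: 2
  Number of connected supplicants: 2
    Supplicant: host/LAPTOP1.thedomain.co.uk, B8:6B:23:08:62:CE
      Operational state: Authenticated
      Authentication method: Radius
      Authenticated VLAN: VLAN_USER_248
      Domain: Data
    Supplicant: f8a5c5ea3fa3, F8:A5:C5:EA:3F:A3
      Operational state: Authenticated
      Authentication method: Mac Radius
      Authenticated VLAN: VLAN_USER_248
      Domain: Data
"""


def parse_supplicants(text):
    """Return one dict per 'Supplicant:' block holding its 'Key: value' fields."""
    sessions, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # prompt line or a field without a value
        if key == "Supplicant":
            # The name may itself contain commas, so split on the last ', '.
            name, _, mac = value.rpartition(", ")
            current = {"name": name, "mac": mac.lower()}
            sessions.append(current)
        elif current is not None:
            current[key] = value  # interface-level fields before the first supplicant are skipped
    return sessions


def mac_radius_in_data_domain(sessions):
    """MAC RADIUS sessions in the Data domain that share a VLAN with an 802.1X session."""
    dot1x_vlans = {s.get("Authenticated VLAN") for s in sessions
                   if s.get("Authentication method") == "Radius"}
    return [s for s in sessions
            if s.get("Authentication method") == "Mac Radius"
            and s.get("Domain") == "Data"
            and s.get("Authenticated VLAN") in dot1x_vlans]


if __name__ == "__main__":
    for s in mac_radius_in_data_domain(parse_supplicants(SAMPLE)):
        print(f"{s['mac']} ({s['name']}): MAC RADIUS, domain={s['Domain']}, "
              f"vlan={s['Authenticated VLAN']}")
```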