VVX500 with dot1x MAB for handset, dot1x EAP for workstation and CDP disconnect

jev

Hi All,

We are having some issues configuring the VVX500 handset with Cisco switches in a secure environment.

Where it’s at now is we have the VVX500 handsets authenticating via dot1x MAB and connecting to the voice VLAN; when a workstation connects behind a handset it will authenticate with dot1x (EAP-MSCHAPv2) and be placed on the data VLAN as follows (PVID=100, VVID=900):

CAM Table:

SWITCH01#sh mac add | inc 1/0/20
100    2c41.38xx.xxxx    STATIC      Gi1/0/20
900    0004.f2aa.aaaa    STATIC      Gi1/0/20

CDP Neighbour information:

SWITCH01#sh cdp nei gi1/0/20
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SEP0004f2aaaaaa  Gig 1/0/20        143              H P   Polycom V Port 1

Switchport configuration:

interface GigabitEthernet1/0/20
 description *** VOICE ***
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 900
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 mab
 no snmp trap link-status
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 auto qos trust
 spanning-tree portfast
 spanning-tree bpduguard enable
end

Included in handset configuration file (Polycom parameters are written as attributes of their prefix element, so the line below is well-formed XML):

  <sec>
    <sec.hostmovedetect sec.hostmovedetect.cdp.enabled="1" />
  </sec>

The issue is that when the workstation behind the handset is physically disconnected there is no ‘EAPOL-logoff’ or ‘CDP disconnect’ sent to the authenticator, and as such the workstation’s MAC address is still assigned to the handset’s interface. This in turn does not allow a new workstation to connect behind the handset, and the switch will not allow the original workstation to connect to any other interface. (There is also a security issue with an authenticated MAC being behind the handset with no authenticated workstation present.)

Without an ‘EAPOL-logoff’ or ‘CDP disconnect’ the MAC address of the workstation appears to stay assigned to the interface until manually cleared (>24hr).

From what I’ve read there is a way around it using inactivity timers dynamically assigned to the switch via the RADIUS ‘Idle-Timeout Attribute [28]’; however, this will also require the configuration of ‘IP device tracking’ within the switch to ensure quiet devices (such as printers) are not disconnected from the network. I’m not sure that this is the best solution.

Any assistance or best practice recommendations would be greatly appreciated.

rgds,

Jev

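As an added example (not part of the original post or of any Polycom or Cisco documentation), this is the switch-side configuration the poster's last paragraph describes: the inactivity timer taken from the RADIUS Idle-Timeout attribute, with IP device tracking enabled so the switch ARP-probes a quiet host before tearing its session down, plus a periodic re-authentication as a second bound on a stale session. The interface lines are the poster's own port configuration with the timer commands added; the probe count/interval values and the verification commands at the end are illustrative assumptions for a 2960X on 15.0(2)EX, not values the thread confirms.

```cisco
! Constructed example, not the original poster's configuration.
! Global: IP device tracking lets the switch ARP-probe each authenticated
! host, so a silent-but-present device (printer) answers the probe and
! keeps its session instead of being logged off by the inactivity timer.
! Probe timing below is illustrative.
ip device tracking
ip device tracking probe count 3
ip device tracking probe interval 30
!
interface GigabitEthernet1/0/20
 description *** VOICE ***
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 900
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 ! Inactivity timeout comes from RADIUS Idle-Timeout [28] (seconds).
 ! 'dynamic' ties the timer to IP device tracking so the host is probed
 ! before the session is removed; a disconnected PC cannot answer and its
 ! MAC is cleared from the port without a manual 'clear'.
 authentication timer inactivity server dynamic
 ! Optional second bound: periodic re-authentication with the interval
 ! supplied by RADIUS Session-Timeout [27].
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification / manual clean-up (exec mode), assumed command forms:
!   show authentication sessions interface GigabitEthernet1/0/20
!   show ip device tracking interface GigabitEthernet1/0/20
!   clear authentication sessions mac 2c41.38xx.xxxx
```

Two checks worth making before relying on this: confirm in `show authentication sessions` that the data-domain session actually reports the RADIUS-supplied idle timeout, and confirm in `show ip device tracking` that the workstation has a tracked IP entry, since a host with no tracked IP has nothing to be probed and will be logged off when the timer expires.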
jev

Re: VVX500 with dot1x MAB for handset, dot1x EAP for workstation and CDP disconnect

Additional Info:

To clarify roles:

Supplicant: Voice Handset/Workstation
Authenticator: Cisco Switch 2960X 15.0(2)EX1 (Access Layer)
Authentication Server: Cisco ACS 4.2

Handset:
Polycom VVX500
BootBlock: 3.0.3.0013
BootL1: 1.0.0.0018
Updater: 5.0.2.15022