802.1X Authentication – Not Working on Client Machines Connected Through Cisco IP Phone

Tags: authentication, ieee 802.11

I am trying to do 802.1X authentication with certificates. I am stuck with a problem: the client machine fails to communicate with the RADIUS server (NPS) when I connect it through a Cisco IP phone.

The problem goes away if I directly connect the client to the switch port. The NPS server allows the connection to be established if the client has the required certificate.

  1. The NAP-enabled switch port connects to the Cisco IP phone, and from there the connection goes to the client machine (this is not working). The IP phone works, but not the LAN on the client computer.
  2. The switch port connects directly to the client computer (this is working as intended). The client computer talks to the NPS server.

The interesting thing here is that after establishing the connection once, the first setup, which was not working, does work until the computer is restarted.

Switch Configuration

aaa group server radius radius-dot1x-group
server-private 192.168.22.122 auth-port 1812 acct-port 1813 key 7 02090A5904071!
aaa authentication dot1x default group radius-dot1x-group
aaa authorization console
aaa authorization network default group radius-dot1x-group

Configuration on Port

interface FastEthernet0/21
switchport access vlan 20
switchport mode access
switchport voice vlan 40
speed 100
duplex full
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
spanning-tree portfast

Best Answer

Setting up 802.1x through a phone is a complicated mess.

See the "Device Behind Phone Authenticates" section of Cisco's guide:

If the data device is not ready to or not capable of performing IEEE 802.1X, the switch times out and continues to the next authentication method, such as MAB, and/or authorization type, such as Guest VLAN. If the device later becomes capable of performing 802.1X, perhaps because the operating system finished booting or a supplicant was manually enabled, the data device should send an EAPoL-Start message to explicitly tell the switch to begin authentication.

Perhaps your PC systems need to be configured to send EAPOL-Start messages explicitly (most systems don't by default).

(Note: that document is, of course, w.r.t. Cisco's switches.)
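To make the EAPOL-Start point in the answer concrete, here is an added example (not part of the question, the answer, or Cisco's guide) that builds and decodes the frame a supplicant sends to ask the authenticator to start 802.1X. An EAPOL-Start is an Ethernet frame with EtherType 0x888E addressed to the PAE group address 01:80:C2:00:00:03, carrying a 4-byte EAPOL header (version, packet type 1, body length 0) and no body. The script also scans a constructed capture to tell whether a given client MAC ever sent one, which is the question to ask of a packet capture on the phone's PC port when the data device stays unauthenticated. The MAC addresses and the sample capture are constructed for the example; the raw-socket sender at the end is Linux-only and is not exercised by the demo.

```python
"""Build and decode IEEE 802.1X EAPOL frames, in particular EAPOL-Start.

Added example: not code from the original post or from Cisco. All MAC
addresses and captured frames below are constructed for illustration.
"""
import struct
from typing import List, Optional

PAE_GROUP_ADDR = "01:80:c2:00:00:03"   # IEEE 802.1X PAE group address (link-local, never bridged)
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2                      # 802.1X-2004; versions 1 and 3 are also seen on the wire

EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encapsulated-ASF-Alert",
}


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_eapol(src_mac: str, eapol_type: int, body: bytes = b"", version: int = EAPOL_VERSION) -> bytes:
    """Ethernet II header + EAPOL header + body, addressed to the PAE group address."""
    eth = mac_to_bytes(PAE_GROUP_ADDR) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", version, eapol_type, len(body)) + body


def build_eapol_start(src_mac: str) -> bytes:
    """EAPOL-Start carries an empty body: the supplicant only asks the authenticator to begin."""
    return build_eapol(src_mac, 1)


def parse_eapol(frame: bytes) -> dict:
    """Decode the Ethernet + EAPOL headers; tolerates Ethernet padding, rejects truncation."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]          # trailing pad bytes beyond body_len are ignored
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    return {
        "dst": bytes_to_mac(frame[0:6]),
        "src": bytes_to_mac(frame[6:12]),
        "version": version,
        "type": eapol_type,
        "type_name": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})"),
        "body": body,
    }


def first_eapol_start(frames: List[bytes], client_mac: str) -> Optional[int]:
    """Index of the first EAPOL-Start sent by client_mac, or None if it never sent one."""
    want = client_mac.lower()
    for i, frame in enumerate(frames):
        try:
            p = parse_eapol(frame)
        except ValueError:
            continue                        # non-EAPOL or malformed frame: skip it
        if p["src"] == want and p["type"] == 1:
            return i
    return None


def send_eapol_start(ifname: str, src_mac: str) -> int:
    """Linux only: emit an EAPOL-Start on ifname (needs CAP_NET_RAW). Not called by the demo."""
    import socket
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_EAPOL))
    try:
        s.bind((ifname, 0))
        return s.send(build_eapol_start(src_mac))
    finally:
        s.close()


CLIENT_MAC = "00:11:22:33:44:55"   # constructed supplicant (PC behind the phone)
SWITCH_MAC = "00:aa:bb:cc:dd:ee"   # constructed authenticator (switch port)

# Constructed capture: the switch sends EAP-Request/Identity twice (EAPOL type 0 carrying
# EAP code 1 = Request, id 1, length 5, type 1 = Identity) while the PC is still booting;
# only afterwards does the PC send EAPOL-Start to restart authentication on its own.
EAP_REQUEST_IDENTITY = struct.pack("!BBHB", 1, 1, 5, 1)
SAMPLE_CAPTURE = [
    build_eapol(SWITCH_MAC, 0, EAP_REQUEST_IDENTITY),
    build_eapol(SWITCH_MAC, 0, EAP_REQUEST_IDENTITY),
    build_eapol_start(CLIENT_MAC),
]

if __name__ == "__main__":
    print(build_eapol_start(CLIENT_MAC).hex())
    print(parse_eapol(build_eapol_start(CLIENT_MAC)))
    print("first EAPOL-Start from client at index:", first_eapol_start(SAMPLE_CAPTURE, CLIENT_MAC))
```

If `first_eapol_start` returns None for a capture taken on the PC's link after the OS has finished booting, the supplicant is waiting for the switch to poll it rather than announcing itself, which matches the behaviour the answer describes: the port has already fallen through to the next method and nothing prompts it to retry.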