cisco phones
Vacheslav
m_zouhairy at skno.by
Tue Jan 30 12:07:46 CET 2018
Thanks for the tip.
According to https://supportforums.cisco.com/t5/other-security-subjects/802-1x-authentication-not-happening-in-voice-domain-for-ip-phone/td-p/1652836
These need to be added
cisco-avpair="device-traffic-class=voice"
Tunnel-Type=1:VLAN
Tunnel-Medium-Type=1:802
Tunnel-Private-Group-ID=1:VOICE-LAN
So I added them as check attributes with ":=", but I got:
Auth: (163) Invalid user (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
Tue Jan 30 13:36:34 2018 : Auth: (163) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
If I delete the attribute
Tunnel-Type:=1:VLAN
(and it does not matter if I set it as a reply attribute, same error)
I get:
Auth: (159) Invalid user (sql: Error parsing value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone name<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
Tue Jan 30 13:34:30 2018 : Auth: (159) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
The progress is that the ip phone now shows dropping packets on the voice vlan, which means it accepted:
Tunnel-Private-Group-ID:=1:VOICE-LAN
After reading an email here, I'm inclined to replace ":=" with "=", but I only have a limited lunch break each day to test these settings, so perhaps someone who has dealt with this can save me some wasted time?
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, January 26, 2018 4:07 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: cisco phones
On Jan 26, 2018, at 6:49 AM, Vacheslav <m_zouhairy at skno.by> wrote:
>
> I still can't authenticate the ip phones using md5 on the voice vlan, they keep getting authenticated on the data vlan. I ducked ducked the internet and found that:
> "device-traffic-class=voice:= Cisco-AVPair"
> Must be added. So I added it to the username of the ip phone in daloradius, but the behavior has not changed. Perhaps that must be added manually to the users file for it to work. I only found documentation on how to do that in cisco ACS.
That documentation tells you what attributes to return, and what values to use for those attributes. Do the same thing in FreeRADIUS.
Alan DeKok.
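The two "Unknown or invalid value" errors above come from the value syntax, not from the choice of ":=" versus "=". The "1:VLAN" notation in the Cisco forum post is ACS/ISE notation where "1:" is the tunnel tag; FreeRADIUS does not accept a tag inside the value and instead puts it on the attribute name, as in the users file. Below is an added example (not from this thread) showing the same four attributes as FreeRADIUS reply rows in the stock 3.x radreply schema; it assumes rlm_sql accepts the "Attribute:tag" form exactly as the users file does, and uses the placeholder username 'ip-phone-example'.

```sql
-- Added example: Cisco voice-VLAN attributes in FreeRADIUS SQL syntax.
-- Assumptions: FreeRADIUS 3.x default schema (username, attribute, op, value);
-- 'ip-phone-example' is a placeholder for the phone's username.
--
-- Why the thread's rows failed: the "1:" prefix is the tunnel *tag*, which
-- FreeRADIUS writes on the attribute name, not in the value, and the
-- Tunnel-Medium-Type enumeration is named IEEE-802, not 802.
--
--   fails:  attribute='Tunnel-Type'          value='1:VLAN'
--   works:  attribute='Tunnel-Type:1'        value='VLAN'
--   fails:  attribute='Tunnel-Medium-Type'   value='1:802'
--   works:  attribute='Tunnel-Medium-Type:1' value='IEEE-802'

-- The rows were entered as check items; remove them from radcheck first.
-- Check items are compared against the incoming request, but VLAN
-- assignment must be *sent back* to the switch, so it belongs in radreply.
DELETE FROM radcheck
 WHERE username = 'ip-phone-example'
   AND attribute IN ('Tunnel-Type', 'Tunnel-Medium-Type',
                     'Tunnel-Private-Group-ID', 'Cisco-AVPair');

-- Reply items returned in the Access-Accept. Tag 1 is kept because the
-- Cisco document used it; tag 0 (no suffix) also works on most switches.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('ip-phone-example', 'Tunnel-Type:1',             '=', 'VLAN'),
  ('ip-phone-example', 'Tunnel-Medium-Type:1',      '=', 'IEEE-802'),
  ('ip-phone-example', 'Tunnel-Private-Group-Id:1', '=', 'VOICE-LAN'),
  ('ip-phone-example', 'Cisco-AVPair',              '=', 'device-traffic-class=voice');

-- Sanity check: exactly these four rows should exist for the phone.
SELECT attribute, op, value
  FROM radreply
 WHERE username = 'ip-phone-example'
 ORDER BY attribute;
```

Run the server with `radiusd -X` and confirm the Access-Accept in the debug output lists all four reply attributes before retesting on the phone.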