cisco phones

Alan Buxey alan.buxey at gmail.com
Tue Jan 30 13:58:24 CET 2018


Are you sure that you don't want these to be reply attributes? Show debug
to see what's coming through.

alan

On 30 Jan 2018 11:10 am, "Vacheslav" <m_zouhairy at skno.by> wrote:

> Thanks for the tip.
> According to https://supportforums.cisco.com/t5/other-security-subjects/802-1x-authentication-not-happening-in-voice-domain-for-ip-phone/td-p/1652836
> These need to be added
> cisco-avpair="device-traffic-class=voice"
> Tunnel-Type=1:VLAN
> Tunnel-Medium-Type=1:802
> Tunnel-Private-Group-ID=1:VOICE-LAN
>
> So I added them as check attributes, with := but I got:
> Auth: (163) Invalid user (sql: Error parsing value: Unknown or invalid
> value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type =
> eap>] (from client Switch port 50145 cli mac)
> Tue Jan 30 13:36:34 2018 : Auth: (163) Login incorrect (sql: Error parsing
> value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip
> phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
> If I delete the attribute
> Tunnel-Type:=1:VLAN
> (and it does not matter if I set it as a reply attribute, same error)
> I get:
> Auth: (159) Invalid user (sql: Error parsing value: Unknown or invalid
> value "1:802" for attribute Tunnel-Medium-Type): [ip phone name<via
> Auth-Type = eap>] (from client Switch port 50145 cli mac)
> Tue Jan 30 13:34:30 2018 : Auth: (159) Login incorrect (sql: Error parsing
> value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type):
> [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli
> mac)
> The progress is that the ip phone now shows dropping packets on the voice
> vlan which means it accepted:
> Tunnel-Private-Group-ID:=1:VOICE-LAN
> After reading an email here: I'm inclined to replace ":=" with = but I
> have a limited lunch break to test these settings each day so perhaps
> someone who has dealt with this can save me some wasted time?
>
>
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=
> skno.by at lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Friday, January 26, 2018 4:07 PM
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: cisco phones
>
> On Jan 26, 2018, at 6:49 AM, Vacheslav <m_zouhairy at skno.by> wrote:
> >
> > I still can't authenticate the ip phones using md5 on the voice vlan,
> > they keep getting authenticated on the data vlan. I ducked ducked the
> > internet and found that:
> > "device-traffic-class=voice:= Cisco-AVPair"
> > Must be added. So I added it to the username of the ip phone in
> > daloradius but the behavior has not changed. Perhaps, that must be added
> > manually to the users file for it to work. I only found documentation on
> > how to do that in cisco ACS.
>
>   That documentation tells you what attributes to return, and what values
> to use for those attributes.  Do the same thing in FreeRADIUS.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


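Added example, not part of the original thread: the four attributes from the quoted message written as reply rows for the SQL backend, with the tag on the attribute name (`Tunnel-Type:1`) and the dictionary value names `VLAN` and `IEEE-802` in place of `1:VLAN` and `1:802`, which the log lines above show being rejected. It assumes FreeRADIUS 3.x and its stock schema (`radcheck` and `radreply` with columns `username`, `attribute`, `op`, `value`); `PHONE-USERNAME` is a placeholder.

```sql
-- Constructed example. PHONE-USERNAME stands for the phone's User-Name.
-- Assumes the stock FreeRADIUS 3.x SQL schema:
--   radcheck / radreply (username, attribute, op, value)

-- 1. Take the tunnel and AVPair rows out of the check list. Check items are
--    compared against the request; these are attributes to send back.
DELETE FROM radcheck
 WHERE username = 'PHONE-USERNAME'
   AND (attribute LIKE 'Tunnel-%' OR attribute = 'Cisco-AVPair');

-- 2. Clear any earlier attempts from the reply list so the values below
--    are the only ones returned.
DELETE FROM radreply
 WHERE username = 'PHONE-USERNAME'
   AND (attribute LIKE 'Tunnel-%' OR attribute = 'Cisco-AVPair');

-- 3. Insert the reply items. The tag (1) is part of the attribute name,
--    not the value. VLAN and IEEE-802 are the names the RFC 2868
--    dictionary defines for Tunnel-Type 13 and Tunnel-Medium-Type 6.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('PHONE-USERNAME', 'Cisco-AVPair',              '+=', 'device-traffic-class=voice'),
  ('PHONE-USERNAME', 'Tunnel-Type:1',             ':=', 'VLAN'),
  ('PHONE-USERNAME', 'Tunnel-Medium-Type:1',      ':=', 'IEEE-802'),
  ('PHONE-USERNAME', 'Tunnel-Private-Group-Id:1', ':=', 'VOICE-LAN');

-- 4. Review what will be sent in the Access-Accept for this user.
SELECT attribute, op, value
  FROM radreply
 WHERE username = 'PHONE-USERNAME'
 ORDER BY attribute;
```

Because `Tunnel-Private-Group-Id` is a string attribute, a value of `1:VOICE-LAN` parses without error but is sent as that literal string, so the debug output is the place to confirm the switch receives `VOICE-LAN`.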