Deployment scenario
Working configuration for a PC and an IP phone on one switch port using 802.1X MAC-based port security: the phone is authenticated by MAC authentication bypass (MAB) and placed in the voice VLAN by LLDP-MED, and the PC behind the phone is authenticated with 802.1X EAP and placed in the data VLAN by RADIUS.
Summary
- Configure all devices:
- PC
- Phone
- FortiSwitch
- FortiAuthenticator (RADIUS server)
- DHCP server
- Authenticate the phone using MAB and assign the voice VLAN using LLDP-MED.
- Authenticate the PC using 802.1X EAP and assign the data VLAN from RADIUS.
A. Configure all devices
I. Configure the PC, phone, FortiSwitch, FortiAuthenticator (RADIUS server), and DHCP server
Phone configuration
- On the phone, enable the WAN port and leave its VLAN ID at the default, so that the phone takes the voice VLAN from the LLDP-MED network policy advertised by the switch.
- On the phone, enable the LAN (PC) port and set its data VLAN ID to match the VLAN that the RADIUS server assigns to the PC (10 in this example).
PC configuration
- Install the 802.1X supplicant software.
- Launch the supplicant, enter the user name and password of the local user created on the RADIUS server, and enable DHCP on the interface.
FortiSwitch configuration
- Configure the LLDP profile for voice. Each med-network-policy entry with status enabled is advertised to the phone as an LLDP-MED network policy TLV; the phone tags its traffic with the VLAN advertised for "voice" (21 here).
# show switch lldp profile
config switch lldp profile
    edit "pexa" <<<<<<<<<<<<<<<<
        set med-tlvs inventory-management network-policy
        set 802.1-tlvs port-vlan-id
        config med-network-policy
            edit "voice"
                set status enable
                set vlan 21
            next
            edit "voice-signaling"
                set status enable
                set vlan 31
            next
            edit "guest-voice"
            next
            edit "guest-voice-signaling"
            next
            edit "softphone-voice"
                set status enable
                set vlan 41
            next
            edit "video-conferencing"
            next
            edit "streaming-video"
            next
            edit "video-signaling"
            next
        end
    next
end
- Apply the LLDP profile to the 802.1X port.
# show switch physical-port port4
config switch physical-port
    edit "port4" <<<<<<<<<<<<<<<<
        set lldp-profile "pexa"
        set speed auto
    next
end
- Configure a user group.
# show user group
config user group
edit "Corp_Grp_10"
set member "FAC_LAB"
next
end
- Configure the RADIUS server (the FortiAuthenticator unit). The shared secret is shown in its stored, encrypted form; the server address line is empty in this capture.
# show user radius
config user radius
    edit "FAC_LAB" <<<<<<<<
        set secret ENCW82jBg06XhKD/4Dugqm8QF2f7D1B4bfFdDSZaLUQPwZXv4F8zMc5sWHRl9suwmbmzNnAnyqPaarAYcSLuT8kVjFSRO0znx+TXVWTqdSeLCpbMv+HYFNOHMbYlfES8wTYYD40InCgrYr2johvr2vfa5KG4g8XMwKSIM0LurR//1WqT0fH
        set server
    next
end
- Configure port security on the 802.1X port:
- Set the port-security mode to 802.1X-mac-based, so that each MAC address seen on the port (the phone and the PC behind it) is authenticated separately.
- Enable MAC authentication bypass (MAB) for the phone.
- Add the voice VLAN (21 here) to the allowed VLAN list. The data VLAN (10) is not listed statically; it is added to the allowed list dynamically from the RADIUS VLAN attribute when the PC authenticates.
- Apply the security group.
Because the guest VLAN and the auth-fail VLAN are both disabled, a device that does not authenticate gets no access on this port.
Interface port4 configuration:
# show switch interface port4
config switch interface
    edit "port4"
        set allowed-vlans 20-21,31,41
        set security-groups "Corp_Grp_10"
        set snmp-index 4
        config port-security
            set auth-fail-vlan disable
            set guest-auth-delay 120
            set guest-vlan disable
            set mac-auth-bypass enable
            set port-security-mode 802.1X-mac-based
            set radius-timeout-overwrite disable
            set auth-fail-vlanid 40
            set guest-vlanid 30
        end
    next
end
RADIUS configuration (FortiAuthenticator)
MAB authentication:
- Add the phone's MAC address to the MAB list. MAB authorizes any device that presents this MAC address, and a MAC address is trivial to clone, so list only the phones you own and do not add the PC's MAC address; the PC behind the phone authenticates with its own 802.1X credentials.
802.1X authentication:
- Create a local user.
- Create a user group with the RADIUS attributes that assign the data VLAN, and enable PEAP with MSCHAPv2 as the inner method.
DHCP configuration
- On the DHCP server, configure one pool for the PC (data VLAN 10, 10.1.1.0/24) and one pool for the phone (voice VLAN 21, 20.1.1.0/24).
- Exclude the gateway and DNS server addresses from both pools.
!
ip dhcp excluded-address 10.1.1.1 10.1.1.5 <<<< gateway and DNS server
ip dhcp excluded-address 20.1.1.1 20.1.1.5 <<<< gateway and DNS server
!
ip dhcp pool PC
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 dns-server 10.1.1.1
!
ip dhcp pool PHONE
 network 20.1.1.0 255.255.255.0
 default-router 20.1.1.1
 dns-server 20.1.1.5
!
- Configure the VLAN interface that is the gateway for the phone (voice VLAN 21).
# show run
!
interface Vlan21 <<<<<<
 ip address 20.1.1.1 255.255.255.0
!
- Configure the VLAN interface that is the gateway for the PC (data VLAN 10).
# show run
!
interface Vlan10 <<<<<<
 ip address 10.1.1.1 255.255.255.0
!
- Configure the Layer 2 port toward the FortiSwitch unit as an 802.1Q trunk that carries the voice VLAN.
# show run
!
interface GigabitEthernet1/0/1 <<<<<<
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 21
 switchport mode trunk
!
- Configure the Layer 2 port toward the FortiSwitch unit as an 802.1Q trunk that carries the data VLAN.
# show run
!
interface GigabitEthernet1/0/2 <<<<<<
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
!
II. Connect a link between the FortiSwitch unit and the DHCP server for the phone, with the voice VLAN (21) configured on the port at both ends.
III. Connect a link between the FortiSwitch unit and the DHCP server for the PC, with the data VLAN (10) configured on the port at both ends.
B. Authenticate the phone using MAB
- Connect the phone to the switch. The phone has no supplicant, so the FortiSwitch unit sends the phone's MAC address to the RADIUS server (MAB); once authorized, the phone takes the voice VLAN from the LLDP-MED network policy and tags its traffic with VLAN 21.
- Once authenticated:
- On the FortiSwitch unit, verify that the port is authorized, that the voice VLAN is on the allowed list, and that the phone's MAC address has a MAB session in the AUTHENTICATED state. The MAB entry returns no VLAN (Dynamic-Vlan 0); the phone tags VLAN 21 itself.
# diagnose switch 802-1x status port4
port4 : Mode: mac-based (mac-by-pass enable)
Link: Link up
Port State: authorized ( ) <<<<<<
Native Vlan : 1
Allowed Vlan list: 1,10,20-21,31,41 <<<<<<
Untagged Vlan list:
Guest VLAN:
Client MAC Type Vlan Dynamic-Vlan
68:f7:28:fb:c0:0f 802.1x 1 10
00:a8:59:d8:f1:f6 MAB 1 0 <<<<<<<<<<<<<<<<< phone
Sessions info:
68:f7:28:fb:c0:0f Type=802.1x,PEAP,state=AUTHENTICATED
params:reAuth=3600
00:a8:59:d8:f1:f6 Type=MAB,,state=AUTHENTICATED <<<<<<<<<<<<<<<<< phone
params:reAuth=3600
- On the FortiSwitch unit, verify that the LLDP neighbor detail shows the phone and that its voice network policy carries the voice VLAN (21, tagged). The Port ID is the phone's MAC address, which must be the address on the MAB list.
# get switch lldp neighbors-detail port4
Neighbor learned on port4 by LLDP protocol
Last change 140 seconds ago
Last packet received 13 seconds ago
Chassis ID: 20.1.1.10 (ip) <<<<<<<<<<
System Name: FON-670i
System Description
V12.740.335.12.B
Time To Live: 60 seconds
System Capabilities: BT
Enabled Capabilities: BT
MED type: Communication Device Endpoint (Class III)
MED Capabilities: CP
Management IP Address: 20.1.1.10
Port ID: 00:a8:59:d8:f1:f6 (mac) <<<<<<<<<<<<<<<
Port description: WAN Port 10M/100M/1000M
IEEE802.3, Power via MDI:
Power devicetype: PD
PSE MDI Power: Not Supported
PSE MDI Power Enabled: No
PSE Pair Selection: Can not be controlled
PSE power pairs: Signal
Power class: 1
Power type: 802.3at off
Power source: Unknown
Power priority: Unknown
Power requested: 0
Power allocated: 0
LLDP-MED, Network Policies:
voice: VLAN: 21 (tagged), Priority: 0 DSCP: 0 <<<<<<<<<<<<
voice-signaling: VLAN: 21 (tagged), Priority: 0 DSCP: 0
streaming-video: VLAN: 21 (tagged), Priority: 0 DSCP: 0
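The check a practitioner would script for this step: confirm that the phone seen in the neighbor detail advertises the same voice VLAN, tagged, that the switch's LLDP profile pushes, that its Port ID is the MAC address on the MAB list, and that it received an address from the voice pool. This is an added example, not FortiSwitch code. PROFILE and NEIGHBOR are constructed from the "pexa" profile and the port4 neighbor detail above; the voice subnet and the expected MAC address passed to check_phone() are assumptions taken from the phone DHCP pool and the MAB entry described on this page.

```python
"""Check that a phone's LLDP-MED neighbor entry matches the switch LLDP profile.

Added example (not FortiSwitch code). PROFILE and NEIGHBOR are constructed
from the "pexa" profile and the port4 neighbor detail on this page.
"""
import ipaddress
import re

PROFILE = """\
config switch lldp profile
    edit "pexa"
        set med-tlvs inventory-management network-policy
        set 802.1-tlvs port-vlan-id
        config med-network-policy
            edit "voice"
                set status enable
                set vlan 21
            next
            edit "voice-signaling"
                set status enable
                set vlan 31
            next
            edit "guest-voice"
            next
        end
    next
end
"""

NEIGHBOR = """\
Neighbor learned on port4 by LLDP protocol
System Name: FON-670i
MED type: Communication Device Endpoint (Class III)
Management IP Address: 20.1.1.10
Port ID: 00:a8:59:d8:f1:f6 (mac)
LLDP-MED, Network Policies:
voice: VLAN: 21 (tagged), Priority: 0 DSCP: 0
voice-signaling: VLAN: 21 (tagged), Priority: 0 DSCP: 0
"""


def parse_profile_policies(text):
    """Return {application: vlan} for enabled med-network-policy entries."""
    policies, in_policy, name, enabled, vlan = {}, False, None, False, None
    for line in (l.strip() for l in text.splitlines()):
        if line == "config med-network-policy":
            in_policy = True
        elif not in_policy:
            continue
        elif line == "end":
            in_policy = False
        elif m := re.match(r'edit "([^"]+)"', line):
            name, enabled, vlan = m.group(1), False, None
        elif line == "set status enable":
            enabled = True
        elif line.startswith("set vlan "):
            vlan = int(line.split()[-1])
        elif line == "next" and enabled and vlan is not None:
            policies[name] = vlan
    return policies


def parse_neighbor(text):
    """Pull MAC, management IP, MED type and network policies from neighbor detail."""
    info = {"policies": {}}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Port ID: ([0-9a-f:]{17}) \(mac\)", line):
            info["mac"] = m.group(1)
        elif m := re.match(r"Management IP Address: (\S+)", line):
            info["mgmt_ip"] = m.group(1)
        elif m := re.match(r"MED type: (.+)", line):
            info["med_type"] = m.group(1)
        elif m := re.match(r"(\S+): VLAN: (\d+) \((tagged|untagged)\)", line):
            info["policies"][m.group(1)] = (int(m.group(2)), m.group(3) == "tagged")
    return info


def check_phone(profile_text, neighbor_text, voice_subnet, expected_mac=None):
    """Return findings; empty means the phone advertises the VLAN the profile pushes.

    voice_subnet and expected_mac are assumptions supplied by the caller (here the
    phone DHCP pool and the MAC address on the MAB list).
    """
    policies = parse_profile_policies(profile_text)
    nb = parse_neighbor(neighbor_text)
    findings = []
    if "Endpoint" not in nb.get("med_type", ""):
        findings.append("neighbor is not an LLDP-MED endpoint")
    if expected_mac and nb.get("mac") != expected_mac:
        findings.append(f"port ID {nb.get('mac')} does not match MAB entry {expected_mac}")
    voice = nb["policies"].get("voice")
    if voice is None:
        findings.append("phone advertises no voice policy")
    else:
        vlan, tagged = voice
        if vlan != policies.get("voice"):
            findings.append(f"phone voice VLAN {vlan} != profile voice VLAN {policies.get('voice')}")
        if not tagged:
            findings.append("voice VLAN is untagged; phone traffic would fall into the native VLAN")
    ip = nb.get("mgmt_ip")
    if ip and ipaddress.ip_address(ip) not in ipaddress.ip_network(voice_subnet):
        findings.append(f"phone address {ip} is outside the voice subnet {voice_subnet}")
    return findings


if __name__ == "__main__":
    result = check_phone(PROFILE, NEIGHBOR, "20.1.1.0/24", expected_mac="00:a8:59:d8:f1:f6")
    print("OK" if not result else "\n".join(result))
```

Only the voice policy is compared, since that is the VLAN the phone actually sends media in; the neighbor detail on this page reports voice-signaling on VLAN 21 while the profile pushes 31, and the check deliberately ignores that difference.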
- On the phone, verify that a DHCP address from the phone pool (20.1.1.0/24) is assigned.
- On the DHCP server, check the binding and ping the phone from its gateway to verify that it is reachable.
# show ip dhcp binding
IP address      Client-ID/              Lease expiration        Type
                Hardware address
10.1.1.7        0168.f728.fbc0.0f       Mar 11 1993 01:54 AM    Automatic <<<<<< PC
20.1.1.10       00a8.59d8.f1f6          Mar 20 1993 01:52 AM    Automatic <<<<<< phone
# ping 20.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
# ping 10.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
C. Authenticate the PC using 802.1X EAP
- Connect the PC to the LAN port of the phone. The supplicant on the PC authenticates with PEAP/MSCHAPv2 through the phone, and the RADIUS server returns the data VLAN (10) for the PC's MAC address.
- After authentication:
- On the FortiSwitch unit, verify that the port is authorized and that the data VLAN returned by RADIUS (Dynamic-Vlan 10) has been added to the allowed list. Both MAC addresses on the port have their own session: the PC by 802.1X, the phone by MAB.
# diagnose switch 802-1x status port4
port4 : Mode: mac-based (mac-by-pass enable)
Link: Link up
Port State: authorized ( ) <<<<<<
Native Vlan : 1
Allowed Vlan list: 1,10,20-21,31,41 <<<<<<
Untagged Vlan list:
Guest VLAN:
Client MAC Type Vlan Dynamic-Vlan
68:f7:28:fb:c0:0f 802.1x 1 10 <<<<<<<<<<<<<<<<<<<<< PC
00:a8:59:d8:f1:f6 MAB 1 0
Sessions info:
68:f7:28:fb:c0:0f Type=802.1x,PEAP,state=AUTHENTICATED <<<<<<<<<<<<<<<<<<<<< PC
params:reAuth=3600
00:a8:59:d8:f1:f6 Type=MAB,,state=AUTHENTICATED
params:reAuth=3600
- On the PC, verify that a DHCP address from the PC pool (10.1.1.0/24) is assigned.
- On the DHCP server, check the binding and ping the PC from its gateway to verify that it is reachable (the binding and ping output are shown in section B).
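The verification in sections B and C is the same check run twice: the port must be authorized in mac-based mode, both the voice and data VLANs must be on the allowed list, every session must be AUTHENTICATED, the 802.1X client must have received the data VLAN from RADIUS, and the MAB client must have received no dynamic VLAN because the phone tags the voice VLAN itself. The script below performs that check over the diagnose output. It is an added example, not FortiSwitch code; SAMPLE is constructed from the port4 output on this page, and the expected VLANs and session types passed to check_port() are assumptions about this deployment.

```python
"""Check 'diagnose switch 802-1x status' output against the expected state.

Added example (not FortiSwitch code). SAMPLE is constructed from the port4
output on this page; the expectations in check_port() are assumptions.
"""
import re

SAMPLE = """\
port4 : Mode: mac-based (mac-by-pass enable)
Link: Link up
Port State: authorized ( )
Native Vlan : 1
Allowed Vlan list: 1,10,20-21,31,41
Untagged Vlan list:
Guest VLAN:
Client MAC Type Vlan Dynamic-Vlan
68:f7:28:fb:c0:0f 802.1x 1 10
00:a8:59:d8:f1:f6 MAB 1 0
Sessions info:
68:f7:28:fb:c0:0f Type=802.1x,PEAP,state=AUTHENTICATED
params:reAuth=3600
00:a8:59:d8:f1:f6 Type=MAB,,state=AUTHENTICATED
params:reAuth=3600
"""

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"


def expand_vlans(spec):
    """Expand a FortiSwitch VLAN list such as '1,10,20-21,31,41' into a set."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_dot1x_status(text):
    """Return port state, allowed VLANs, per-client VLANs and session states."""
    status = {"clients": {}, "sessions": {}}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"(\S+) : Mode: (.+)", line):
            status["port"], status["mode"] = m.group(1), m.group(2)
        elif m := re.match(r"Port State: (\w+)", line):
            status["port_state"] = m.group(1)
        elif m := re.match(r"Allowed Vlan list: (.*)", line):
            status["allowed_vlans"] = expand_vlans(m.group(1))
        elif m := re.match(MAC + r" (\S+) (\d+) (\d+)$", line):
            status["clients"][m.group(1)] = {
                "type": m.group(2), "vlan": int(m.group(3)),
                "dynamic_vlan": int(m.group(4))}
        elif m := re.match(MAC + r" Type=([^,]+),[^,]*,state=(\w+)", line):
            status["sessions"][m.group(1)] = {"type": m.group(2), "state": m.group(3)}
    return status


def check_port(status, data_vlan, voice_vlan, required=("802.1x", "MAB")):
    """Return findings; an empty list means the port is in the expected state.

    Assumed policy: port authorized in mac-based mode, both VLANs on the allowed
    list, every session AUTHENTICATED, the 802.1x client given the data VLAN by
    RADIUS, and the MAB client (the phone) given no dynamic VLAN because it tags
    the voice VLAN itself from the LLDP-MED policy.
    """
    findings = []
    if status.get("port_state") != "authorized":
        findings.append("port not authorized")
    if not status.get("mode", "").startswith("mac-based"):
        findings.append("port-security-mode is not 802.1X-mac-based")
    allowed = status.get("allowed_vlans", set())
    for name, vlan in (("data", data_vlan), ("voice", voice_vlan)):
        if vlan not in allowed:
            findings.append(f"{name} VLAN {vlan} missing from allowed list")
    seen = set()
    for mac, sess in status["sessions"].items():
        seen.add(sess["type"])
        if sess["state"] != "AUTHENTICATED":
            findings.append(f"{mac} ({sess['type']}) is {sess['state']}")
        client = status["clients"].get(mac)
        if client is None:
            findings.append(f"{mac} has a session but no client entry")
        elif sess["type"] == "802.1x" and client["dynamic_vlan"] != data_vlan:
            findings.append(f"{mac} got dynamic VLAN {client['dynamic_vlan']}, expected {data_vlan}")
        elif sess["type"] == "MAB" and client["dynamic_vlan"] not in (0, voice_vlan):
            findings.append(f"{mac} (MAB) got unexpected dynamic VLAN {client['dynamic_vlan']}")
    for kind in required:
        if kind not in seen:
            findings.append(f"no {kind} session on {status.get('port')}")
    return findings


if __name__ == "__main__":
    result = check_port(parse_dot1x_status(SAMPLE), data_vlan=10, voice_vlan=21)
    print("OK" if not result else "\n".join(result))
```

Paste the live output of diagnose switch 802-1x status in place of SAMPLE (or read it from a file) and run the script after each of sections B and C; any finding it prints is a step that has not completed as the page describes.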