
Author Topic: 1140E eap-peap  (Read 469 times)


Offline Farpoint

1140E eap-peap
« on: September 21, 2011, 12:15:20 PM »
Can anybody share how the 1140E configured with eap-peap works?
I want the pc connected to the 1140E access port to be authenticated by radius. If someone unplugs the pc and plugs in an unknown pc and does not authenticate, then the 1140E access port should disable.

Can someone confirm this is how it should work?

Thanks,


Offline Michael McNamara

Re: 1140E eap-peap
« Reply #1 on: September 22, 2011, 12:29:29 AM »

Offline Farpoint

Re: 1140E eap-peap
« Reply #2 on: September 22, 2011, 10:47:06 AM »
Hello Michael, thanks for replying.

I have to confess up front I am not a data person so there are a lot of gaps in my knowledge and I don't know what I don't know.  I have to work with my networking group and they have no experience with voip.  We use cisco switches so I don't think the config guide for Nortel switches apply to me.

What I have is an 1140e on my desk working as a voip phone but the data access port is not used.

This is what I know from asking questions in our shop -

We are a cisco shop and use Cisco NAC to authenticate all devices that plug into a data jack.
Users log in and Active Directory authenticates the cpu and sends ticket to radius to allow user access on cisco switch port.
With 1140E, we need to authenticate users on the 1140E access port using eap-tls but I can convince our network group to use eap-peap to make it easier to configure and manage in the future.

I kind of understand how eap-peap works using root certificates and following the eap overview I can see the handshaking required to allow access. However, I don't understand the big picture when you use eap-peap on the 1140E phone. When a cpu plugs into the 1140E access port what happens? Does the cpu mac have to be authenticated by the radius first before being allowed access to servers? Or is the cpu presented with a logon and Active Directory authenticates user and sends ticket to radius to allow access?

The next question is once a cpu is authenticated and granted access, will the 1140E access port detect if someone switches cpu and plugs in unknown cpu and start the authentication from beginning?  We cannot allow strangers to plug cpu into 1140E access ports and gain access to our network.

Can someone outline the steps I have to follow to configure the 1140E and the cisco acs to ensure the cpu device is authenticated before allowing access to our network?  I have read the TCG for Inter-working with Cisco L2 Switches and it makes sense but I don't know how to pull all the information together to make it work.  And our networking group is not much help so asking them is not a solution, our Nortel support just points me to user guides.

Thanks,