802.1X Authentication

Revised: May 11, 2017

IEEE 802.1X Authentication Overview

This section describes how to monitor and troubleshoot 802.1X authentication in the Cisco TelePresence System. 802.1X is an IEEE standard for port-based network access control. It offers the capability to permit or deny network connectivity, control Virtual LAN (VLAN) access, and apply traffic policy, based on user or machine identity.

802.1X permits or denies device access to the network by using authentication. Ethernet switch ports can be enabled dynamically based on the identity of the device that connects to them. Devices that are not authenticated cannot gain access to the network.

802.1X Authentication Components

802.1X authentication involves the following three network devices:

  • A supplicant: a client device (such as a laptop or endpoint) that attempts to access a LAN or wireless LAN (WLAN), or the software that runs on this device and provides credentials to the authenticator.
  • An authenticator: a network device (such as an Ethernet switch or wireless access point) that acts as the access point to a protected network. For 802.1X authentication, the supplicant provides network credentials, such as a username, a password, a digital security certificate, or a combination of these, to the authenticator. The authenticator then forwards the credentials to the authentication server for verification.
  • An authentication server: a server (such as Cisco Secure Access Control Server) that guards the protected network. For 802.1X authentication, the authentication server receives the supplicant’s network credentials from the authenticator and verifies the supplicant’s identity. Once the identity is verified, the supplicant is able to access the resources located on the network.

Figure 8-1 Diagram of 802.1X Authentication Process

Authenticating Your IX System

Your Cisco TelePresence IX system is equipped to function as an 802.1X-compliant supplicant. 802.1X authentication is enabled by default.

Note: Cisco recommends that you configure your switch port (or authenticator) for multi-domain mode.

Checking IX 802.1X Authentication Status

To check 802.1X authentication status in the Cisco TelePresence System, use either of the following options:

Checking 802.1X Authentication Status on the Main Display Screen

To check the 802.1X authentication status on the Cisco TelePresence IX system main display screen, complete the following steps:


Step 1 Power off the Cisco TelePresence IX system.

Step 2 Power on the Cisco TelePresence IX system.

Step 3 View the bottom-right of the main display screen. In a three-screen system, view the bottom-right of the center screen. Text is displayed to indicate whether 802.1X is authenticated, not authenticated, or not required on your system.

Example:

802.1X: Connecting...
802.1X: Not Authenticated

This text, as viewed on the Cisco TelePresence System main display screen, indicates the success or failure of 802.1X authentication on that system. If the status line reads “Not Required,” 802.1X authentication is not required for that system.

Figure 8-2 Screenshot of Cisco TelePresence System Boot-Up Screen

See Table 8-1 for a summary of 802.1X authentication status displays for enabled and non-enabled networks.

Table 8-1 802.1X Authentication Status Display Summary

Status       | 802.1X-Enabled Network      | Non-802.1X-Enabled Network
In Progress  | Connecting / Authenticating | Connecting
Success      | Authenticated               | Not Required
Failure      | Not Authenticated           | Not Required

Note: The 802.1X authentication status can only be viewed on your Cisco TelePresence System primary screen, not on a secondary screen (for example, a presentation screen, or in a three-screen system, the left or right screen). If the 802.1X authentication status does not show on the primary screen, follow the steps listed under the “Checking 802.1X Authentication Status with a CLI Command” section.

Checking 802.1X Authentication Status with a CLI Command

To check the 802.1X authentication status with a CLI command, complete the following steps:


Step 1 Log in to the CLI.

Step 2 Enter the following command: show dot1x status

Step 3 View the resulting text. Text is displayed indicating whether 802.1X is authenticated, not authenticated, or not required on your system.

Example:

admin:show dot1x status
Authenticated

Troubleshooting 802.1X Authentication Issues

When 802.1X does not authenticate properly, review the following sections:

Troubleshooting Issues in 802.1X Authentication

Table 8-2 summarizes some issues that may appear during 802.1X authentication, as well as potential resolutions.

Table 8-2 Troubleshooting Issues in 802.1X Authentication

Symptom: Cisco Secure ACS authentication server rejects the security certificate from the Cisco TelePresence System supplicant.
Possible Root Causes: The security certificate is invalid, expired, or not issued by CAPF.
Resolution: Install a valid, non-expired security certificate using the CAPF. See Viewing the Security Certificate.

Symptom: Cisco TelePresence System fails 802.1X authentication.
Possible Root Causes: Errors may be present in the system’s most recent log files.
Resolution: Use the file list log dot1x command in the CLI to check logs for error or failure messages.

Symptom: Cisco TelePresence System displays “802.1X: Not Required” on its boot-up screen.
Possible Root Causes: The Ethernet switch is not configured to support 802.1X.
Resolution: Check the 802.1X authentication status on the Ethernet switch by logging in to the switch and using the CLI command show authentication sessions interface { FastEthernet | GigabitEthernet } { Interface Number }. If the Ethernet switch is not 802.1X-enabled, enable it. Refer to Identity-Based Networking Services: IP Telephony in IEEE 802.1X-Enabled Networks Deployment and Configuration Guide for instructions.

Symptom: Cisco Secure ACS authentication server rejects the security certificate from the Cisco TelePresence System supplicant.
Possible Root Causes: Cisco Secure ACS is not configured to support 802.1X.
Resolution: Configure Cisco Secure ACS (and all backend network configurations) to support 802.1X. Refer to Identity-Based Networking Services: IP Telephony in IEEE 802.1X-Enabled Networks Deployment and Configuration Guide for instructions.

Symptom: Cisco TelePresence System attempts authentication with the MIC instead of the LSC.
Possible Root Causes: The LSC has not been exported from CAPF and imported into Cisco Secure ACS.
Resolution: Check that the LSC is exported from CAPF and imported into Cisco Secure ACS. See Installing the LSC.

Symptom: After moving to a different CAPF and Unified CM, Cisco TelePresence System fails 802.1X authentication.
Possible Root Causes: The LSC no longer supports 802.1X authentication, because it was installed from the previous CAPF and Unified CM. Moving the Cisco TelePresence System to a different CAPF and Unified CM requires reinstalling the LSC and upgrading the system.
Resolution: Reinstall the LSC from Cisco Unified CM and upgrade the Cisco TelePresence System. See Installing the LSC.

Viewing the Security Certificate

You may need to examine the security certificate (MIC or LSC) in order to verify that it is valid, not expired, and issued by the CAPF. For more information on security certificates, see Examining the Security Certificate in Your IX System.

You can use the CLI or a third-party tool to view the MIC or LSC.

Viewing the Security Certificate from the CLI

To show the MIC or LSC from the CLI, complete the following steps:


Step 1 Log in to the CLI.

Step 2 Enter the following command: show cert { mic | lsc }. You must enter either mic or lsc, not both.

Step 3 View the certificate that is displayed within the CLI. Verify that the certificate is valid, not expired, and issued by the CAPF.

Example:

admin:show cert lsc
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=organization, OU=department, CN=CAPF-1a234bcd, ST=CA, L=CH
Validity
Not Before: Mar 23 16:10:31 2012 GMT
Not After: Mar 22 16:10:30 2017 GMT

Subject: C=US, O=organization, OU=department, CN=SEPXXXXXXXXXXXX

If you enter show cert lsc on a system where the LSC is not installed, the command line will read as follows:

show cert lsc
There is no certificate to display

If the security certificate is expired, invalid, or issued by a different source, install a new certificate using the CAPF.
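The three checks in Step 3 (valid, not expired, issued by the CAPF) can be scripted against the text the CLI prints, which is useful when auditing many endpoints. The following Python is an added example and is not Cisco's code or part of the IX system; it parses the show cert output format shown above, treats an issuer CN beginning with CAPF- as the "issued by the CAPF" check (an assumption based on the example issuer CN=CAPF-1a234bcd), and assumes the OpenSSL-style date layout printed above. Both sample outputs are constructed from the examples in this section.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample output, modelled on the "show cert lsc" example above.
SAMPLE_LSC_OUTPUT = """admin:show cert lsc
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=organization, OU=department, CN=CAPF-1a234bcd, ST=CA, L=CH
Validity
Not Before: Mar 23 16:10:31 2012 GMT
Not After: Mar 22 16:10:30 2017 GMT

Subject: C=US, O=organization, OU=department, CN=SEPXXXXXXXXXXXX
"""

# Constructed sample of the "no LSC installed" case shown above.
NO_CERT_OUTPUT = """show cert lsc
There is no certificate to display
"""

# Assumed date layout (OpenSSL text form, as in the example above).
DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_cli_date(text: str) -> datetime:
    """Turn 'Mar 23 16:10:31 2012 GMT' into a timezone-aware UTC datetime."""
    return datetime.strptime(text.strip(), DATE_FMT).replace(tzinfo=timezone.utc)


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'C=US, O=org, CN=x' into a dict keyed by attribute type."""
    fields = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key] = value
    return fields


def parse_show_cert(output: str) -> Optional[dict]:
    """Extract issuer, subject and validity window; None when no certificate is installed."""
    if "There is no certificate to display" in output:
        return None
    issuer = re.search(r"^Issuer:\s*(.+)$", output, re.M)
    subject = re.search(r"^Subject:\s*(.+)$", output, re.M)
    not_before = re.search(r"^Not Before\s*:\s*(.+)$", output, re.M)
    not_after = re.search(r"^Not After\s*:\s*(.+)$", output, re.M)
    if not (issuer and subject and not_before and not_after):
        raise ValueError("unrecognised show cert output")
    return {
        "issuer": parse_dn(issuer.group(1)),
        "subject": parse_dn(subject.group(1)),
        "not_before": parse_cli_date(not_before.group(1)),
        "not_after": parse_cli_date(not_after.group(1)),
    }


def check_certificate(output: str, now: datetime) -> List[str]:
    """Apply the checks from Step 3; an empty list means the certificate passed."""
    cert = parse_show_cert(output)
    if cert is None:
        return ["no certificate installed: install the LSC via CAPF"]
    findings = []
    if now < cert["not_before"]:
        findings.append("certificate not yet valid (check the system clock)")
    if now > cert["not_after"]:
        findings.append(f"certificate expired on {cert['not_after']:%Y-%m-%d}")
    issuer_cn = cert["issuer"].get("CN", "")
    # Assumption: a CAPF-issued certificate carries an issuer CN of the form CAPF-<id>.
    if not issuer_cn.startswith("CAPF-"):
        findings.append(f"issuer CN {issuer_cn!r} is not a CAPF: reissue from CAPF")
    return findings


if __name__ == "__main__":
    # Evaluate the sample as of a date inside and a date after its validity window.
    for when in ("Jan 01 00:00:00 2016 GMT", "Jan 01 00:00:00 2018 GMT"):
        print(when, check_certificate(SAMPLE_LSC_OUTPUT, parse_cli_date(when)) or "OK")
    print("no LSC:", check_certificate(NO_CERT_OUTPUT, parse_cli_date("Jan 01 00:00:00 2016 GMT")))
```

Feed it the captured text of show cert lsc (or show cert mic) and a reference time; anything returned maps directly onto a row of Table 8-2 (expired or non-CAPF certificate, or no LSC at all), which is the point at which to reinstall the certificate using the CAPF.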

Viewing the Security Certificate from a Third-Party Tool

You can also view the MIC or LSC using a third-party tool. Consult the documentation provided with the tool for instructions.