Disabling 802.1x and other settings globely

[DevilWAH]

Hi,

Quite new to mitel and actually a network engineer so all a bit new to me.

I am currently implementing 802.1x authentication on our network, but an issue I have is that the mitel 52xx and 53xx phones by default have 802.1x enabled ,but no credentials. This means they simply hang and never can access the network unless some one manually either enters  come credentials or disables 802.1x on the phone.

I want to know if it is possible to download a config file to the phone during boot to either set up or disable this setting.

I did see some thing about phone configuration files which have this in them

[NETWORK1]
Enable = 1
SIP_Outbound_Proxy =
SSID = SIP
Enable_DHCP = 1
Address = 0.0.0.0
Netmask = 0.0.0.0
Gateway = 0.0.0.0
DNS1 = 0.0.0.0
DNS2 = 0.0.0.0
Security = 2
WEP_Bits = 0
Default_WEP_Key = 1
WEP_Key1 =
WEP_Key2 =
WEP_Key3 =
WEP_Key4 =
Post_Authentication_Mode = 0
8021X_Name =
8021X_Password =
WPA_PSK_PassPhrase = password
WPA_PSK_Key =
Use_WPA_PSK_Key_Hex_Mode = 0
Proactive_Key_Caching = 1
PMK_LifeTime = 43200
PMK_Max_Count = 32
DiffServ_Signal = 46
DiffServ_Media = 46
WMM = 1
Jitter_Buffer_Size = 60
Payload_Type = 8,18,0
Multiframe = 2,2,2

but I think this is well out of date, any ideas how to do this? I am running a 3300 controller.

[pakman]

Hello,

I also have implemented 802.1x a few months ago and tired to research this same thing as we did end up going to each phone at each location and manually entering the username and pw. It was a pain....if you find out if this is possible remotely or through a file I sure would like to know. Side note since then I've had multiple phones just start resetting themselves or fall of the network all together and the server we use for authentication doesn't provide any answers and all the switch Say's is AAA blocked it. I have found by deleting the 802 settings in the phone and simple re-adding them resolves this issue. Hopefully, you don't have this problem.

[jrg0852]

Silly question....do you have to go with 802.1x for the voice network?

[DevilWAH]

That depends for security all ports have to have 802.1x enabled.

now if the case is that a PC is attached then it can authenticate and allow the phone on by proxy to the voice network.

or if 802.1x is disabled on the phone then I can allow on to the voice vlan via mac authentication bypass (authorised base on mac address)

however if authentication is enabled on the port then even if i explicitly allow the phone vlan with out authentication because it is active at a port level it will request the phones credentials.  Sadly this stops the phone booting as by default 802.1x is enabled, it just hangs asking for a user name and password and does not seem to time out.

So that's the issue, even if you don't want to use port security you still have to disable it for it to work for you other devices, or put in a lot of extra config and rules.

I wont be sorry to see the back of our mitle system.

[DevilWAH]

So what files can be downloaded to a phone when it boots from TFTP, are there no config files like the one posted above?

It seems crazy that should a company want to deploy port based authentication on there network the only option is to manually go in to the menu of each phone and disable 802.1x!

Surely if a phone is currently connected to the network and the ICP, there should be some way to remotely manage the settings? do the phones have an built in web server/portal to allow management?

2 sites, 50 buildings, high bio-containment, doing it manually is a nasty job.

[619Tech]

I am hoping someone chimes in with a work around for this. I also have a large deployment coming up (1500 endpoints at 5 sites in 3 states). It appears we are going to have to disable 802.1x manually on all endpoints.

[TrunCs]

Just wondering if there was a solution to this. We're trying to do the same thing and need to disable 802.1x on the phones.

[DevilWAH]

HI,

no never found a way to do this with out manually doing each phone.

[v2win]

Depending on the type of switchs you are using you should be able to do a lldp med bypass or MAC bypass to skip the authentication.

[v2win]

https://supportforums.cisco.com/document/90821/deploying-8021x-when-workstations-are-connected-behind-ip-phones

[DevilWAH]

Hi,

yes but this does not answer the question of disabling 802.1x, Because 802.1x is enabled on the phones by default but no user name is set, they will hang trying to authenticate on 802.1x and never fail-over to MAB.  The only way you can do a MAB is to change the priority of authentication on the switch from 802.1x first followed by MAB to try MAB first. This causes another host of issues as device you want to do 802.1x will authenticate with MAB.

you can also try LLDP/CDP to bypass authentication for the voice vlan, but again once you actually try this you start causing issues for other devices that might want to use LLDP/CDP

Both possible but both feel like a bit of a "hack" to get it working.