Hi Carlos,
CDP Bypass is not a security feature at all actually. It's only a mechanism
to allow the Cisco IP phone not to take part in the identity framework
(authentication and/or other processes). All the switchport checks for is the
'Cisco IP Phone' string in the CDP messages, and the phone is allowed
access on to the Voice VLAN (of course, when 802.1X is enabled on the
switchport in single-host mode).
By the way, MAB is not any more secure than the above IMHO actually. In MAC
Authentication Bypass, a device is indeed authenticated, Carlos. The
'Bypass' keyword there is in reference to 802.1X but not authentication in
general. Please note the difference between the use of 802.1X and
authentication here. As we all know, Cisco IP phones come with their MAC
addresses printed on an attached sticker. It not rocket science to spoof
this MAC address to get access to the network for a hacker. If you want a
more secure mechanism for the IP phone, you should be looking into MDA or
Multi-Auth; both will authenticate the IP phone itself. Of course, any
authentication is only as strong as the method used and hence, 802.1X on
the phone will be better.
Back to Amin's enquiry though; if you are trying to exclude the IP phone
from authenticating altogether, then you need CDP Bypass. If you are trying
to exclude the IP phone from performing 802.1X authentication, then you need
MAB (good point Radioactive Frog).
HTH in the meantime.
Sadiq
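As an added example (not configuration posted by anyone in this thread), the three port modes the discussion contrasts, written as Cisco IOS interface configuration: MDA with 802.1X-then-MAB for both the phone and the PC, single-host mode where the phone is admitted on the CDP string, and open mode. The RADIUS server address and key, the VLAN numbers and the interface names are placeholders.

```cisco
! Global AAA and 802.1X enablement. RADIUS address and key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER_KEY
dot1x system-auth-control
!
! Gi1/0/1: Multi-Domain Authentication (MDA). One data host (PC) and one voice
! host (phone) are each authenticated; 802.1X is tried first, MAB is the
! fallback, so a phone with no supplicant is authenticated by its MAC address
! and a PC with a supplicant authenticates with credentials.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
 spanning-tree portfast
!
! Gi1/0/2: single-host mode. Only the data host is authenticated; the phone
! is admitted to the voice VLAN on the strength of the 'Cisco IP Phone'
! string in its CDP messages (the CDP Bypass behaviour discussed above).
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
!
! Gi1/0/3: open mode, the "exclude the port" shortcut mentioned in the thread.
! Traffic is forwarded regardless of the authentication result, so this is a
! monitoring/troubleshooting setting rather than access control.
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 dot1x pae authenticator
 mab
```

For the phone to be placed in the voice domain under MDA, the RADIUS server must return the Cisco AV-pair device-traffic-class=voice for its session (with the phone's MAC address as the MAB identity), otherwise it lands in the data domain. `show authentication sessions interface GigabitEthernet1/0/1` shows which method and domain each host ended up with.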
On Sun, Apr 29, 2012 at 12:42 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> Does any of the security gurus out here know how secure the CDP-based
> recognition is? Because I would presume CDP is not based on any
> security token, so impersonation of a "cisco phone" would be a rather
> trivial task for an attacker... hence CDP bypass would be, well, just for
> the photo as we say.
>
> Also, Sadiq, why do you say "MAB will not exclude the phone from
> authenticating" ? In all respects, MAB does static exclusions from the
> authenticating process, hence its name.
> The phone does not do anything to authenticate with MAB, it's all static
> configuration elsewhere.
>
> -Carlos
>
> Radioactive Frog @ 28/04/2012 21:57 -0300 dixit:
>
>> right on Sadiq.. but AFAIK this feature is not available in newer code (52
>> or above) anymore :(
>>
>> MAB is a common and very practical practice for production. Otherwise why
>> would you go for dot1x, that defeats the purpose of dot1x
>> implementation.
>>
>> Another simple one without creating a username/password in radius:
>> keep all port configs identical for dot1x or non-dot1x supplicants. If you
>> want to exclude a port from dot1x auth process, just use a command "dot1x
>> authentication open". This works on newer and older codes. So basically you
>> are keeping configs identical, except this one command. This command is
>> supposed to be meant for troubleshooting, but I have to implement it in some
>> instances.
>>
>> HTH.
>>
>>
>> On Sun, Apr 29, 2012 at 8:58 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com>
>> wrote:
>>
>>> MAB will not exclude the IP phone from authenticating; it would
>>> authenticate the IP phone using its MAC address; hence MAC auth bypass.
>>>
>>> If you configure the host mode as single, then if the IP phone is a Cisco
>>> one, it's excluded from authentication. This is called CDP Bypass.
>>>
>>> HTH,
>>>
>>> Sadiq
>>>
>>>
>>> On Sat, Apr 28, 2012 at 10:35 AM, Radioactive Frog <pbhatkoti_at_gmail.com>
>>> wrote:
>>>
>>>> MAB
>>>>
>>>> On Sat, Apr 28, 2012 at 4:16 PM, amin <amin_at_axizo.com> wrote:
>>>>
>>>>> Hi Experts,
>>>>>
>>>>> How to configure 802.1x for the PC that is connected to a switch port
>>>>> and exclude the IP phone?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Amin
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>> --
>>> CCIEx2 (R&S|Sec) #19963
>>>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>
--
CCIEx2 (R&S|Sec) #19963

Received on Mon Apr 30 2012 - 10:18:39 ART
This archive was generated by hypermail 2.2.0 : Tue May 01 2012 - 08:20:46 ART