Verify 802.1X State on a Cisco IP Phone 8800 Series Multiplatform Phone

Objective

802.1X is an IEEE standard that defines a client and server-based access control and authentication protocol that restricts unauthorized clients from connecting to a Local Area Network (LAN) through publicly accessible ports. The authentication server authenticates each client connected to a switch port and assigns the port to a Virtual Local Area Network (VLAN) before making available any resources offered by the switch or the LAN. Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPoL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

802.1X authentication is particularly useful in larger networks since certificates and user credentials can be deployed for use in authenticating to the network. This provides security, scalability, ease of management, and ease of use.

The image below displays a network that have configured the devices according to the specific roles.

​

This article aims to show you how to check the state of the port authentication on the Cisco IP Phone 8800 Series Multiplatform Phones. It assumes that you have already configured the port authentication settings on the switch. For instructions, click here.

Applicable Devices

• 8800 Series

Software Version

• 11.0.1

Verify 802.1X State

Step 1. On the phone, press the Applications button.

Step 2. Navigate to Network configuration using the Navigation cluster button.

Step 3. Choose Ethernet configuration.

Step 4. Choose 802.1X authentication.

Step 5. Verify that Device authentication is On.

Step 6. Choose Transaction status.

The status can be any of the following:

• Disabled — This means that 802.1X is not active on the phone.
• Authenticated — This means that the credentials of the phone have passed the authentication process. In this state, traffic is allowed to the phone from the network. If Extensible Authentication Protocol Transport Layer Security (EAP-TLS) is chosen for 802.1X authentication, EAP-TLS is displayed in the Protocolarea. If the status is Authenticated and the Protocol is None, 802.1X authentication has been disabled or force-authenticated on the switch. It means that the phone has sent EAP Start messages to the switch. After failing to receive an Identity Request, the phone assumes that it is authenticated.
• Connecting — This means that the phone is sending EAP start messages to the switch. It will do so every 30 seconds. If it gets no Identity Request from the switch after three attempts, it changes the authentication state to Authenticated.
• Authenticating — This means that EAP-TLS/EAP-FAST is in progress. This is typically the state when PAC for EAP-FAST is not enabled. The phone is typically not on this state since authentication finishes within 600 ms.
• Held — This means that the EAP request of the phone has been processed by the switch. EAP-FAST or EAP-TLS authentication has been rejected and the phone is retrying. The phone will keep sending EAP Start message every 30 seconds.
• Acquired — This means that the EAP request of the phone has been rejected. No EAP-TLS or EAP-FAST challenge was received from the switch. The phone will keep sending EAP Start message to the switch every 30 seconds.
• Disconnected — This means that the Ethernet cable is disconnected.

Note: In this example, the Transaction status is Authenticated, and the Protocol is None.

You should now have verified the 802.1X state of the phone.