In this Chalk Talk, we will look at various options available for deploying 802.1x on Cisco switches when workstations are connected behind IP Phones. This article assumes that you have knowledge of 802.1x, EAP types, RADIUS servers and the configuration required on a Cisco switch to enable 802.1x.
Deploying 802.1x was simple when a switch port in access mode could carry traffic from a single VLAN only. With the introduction of voice VLANs, a new layer gets added to the deployment. 802.1x, by default, drops all non-EAP traffic until a port is authorized. With an IP phone, this may not be a desirable behavior depending on whether an IP phone is EAP capable or not. In most cases, IP Phones are not EAP capable and require a way to bypass 802.1x authentication. On the other hand, with or without an EAP capable IP Phone, it may be desirable to authorize all IP phones before allowing them to connect.
Depending on your requirement, the following options are available for deploying 802.1x with workstations connected behind IP phones:
- Bypass 802.1x authentication for IP phones while authenticating workstations
- Authenticate both IP Phones and workstations when IP phones are EAP capable
- Authenticate both IP Phones and workstations when IP phones are not EAP capable
In the following sections, we look at each of the above options. Before proceeding to each of the options, you have to remember that a switchport configured with voice VLAN has two VLAN identifiers associated with it:
- Voice VLAN Identifier (VVID) to carry traffic to and from the IP Phone
- Port VLAN ID (PVID) to carry data traffic to and from the workstation. This is the native VLAN of the switchport.
Bypass 802.1x authentication for IP phones while authenticating workstations
When 802.1x is enabled on an interface, it is in dot1x single-host mode by default. In this mode, one host in each VLAN (voice and data) is allowed to connect to the interface. When an IP phone is connected to such an interface, the switch allows it to bypass 802.1x authentication and gives it full network access. Any traffic received on the PVID (from the workstation connected behind the IP phone), however, is not allowed until the workstation is authenticated.
You can leave the 802.1x host mode at the default single-host mode if you want the IP Phone to bypass authentication. To change the mode from anything else back to single-host mode, use the authentication host-mode single-host or the dot1x host-mode single-host command in interface configuration mode.
The following caveats apply when 802.1x single-host mode is configured and an IP phone is connected to the interface:
- The VVID and PVID cannot be the same.
- You cannot connect an IP Phone behind another one. The switch will recognize only the directly connected IP Phone.
- If 802.1x is enabled while the IP phone is connected, the IP Phone will lose connectivity for up to 30 seconds.
Authenticate both IP Phones and workstations when IP phones are EAP capable
While 802.1x single-host mode allows IP phones to bypass 802.1x authentication, the 802.1x Multi-Domain Authentication (MDA) mode enforces authentication on both the IP phone as well as the workstation.
If your IP phone is EAP capable and you want it to be authenticated before being allowed network access, you can change the 802.1x mode on the switchport to MDA using the dot1x host-mode multi-domain or authentication host-mode multi-domain command in the interface configuration mode.
When MDA is enabled, all non-EAP traffic from both the IP phone and the workstation will be dropped until they are authenticated. Each of them will need to be authenticated separately. If the IP phone is authenticated but the workstation is not, the switch will continue to drop traffic from the workstation while the traffic from the IP phone is allowed.
Figure 1: RADIUS attribute configuration for IP Phone authentication
To authenticate the IP phone, the configuration on the RADIUS server is similar to what you would use to authenticate a user, and it depends on the EAP protocol supported by the IP phone. In addition to this configuration, the RADIUS server must be configured to send the value “device-traffic-class=voice” in the cisco-av-pair attribute. Cisco-av-pair is attribute number 001 of vendor id 009 and is sent as a part of RADIUS IETF attribute 26. Figure 1 shows an example of the attribute configuration on CiscoSecure ACS 5. If this attribute is not present in the RADIUS Access-Accept packet from the server, the IP Phone will be treated as a data device instead of a voice device.
Apart from the required attribute, the following caveats apply:
- The voice VLAN can be dynamically assigned by the RADIUS server, but this is supported only on IOS version 12.2(40) and later. On earlier versions, dynamic voice VLAN assignment will cause the IP Phone to fail authorization. The attributes used to assign the VLAN are the same for the data and voice VLANs: Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and Tunnel-Private-Group-ID=VLAN name or VLAN ID.
- An IP Phone that fails authentication or is not EAP capable will not be assigned into a Guest VLAN or Restricted VLAN. These fallback options do not apply to devices in the voice VLAN.
Authenticate both IP Phones and workstations when IP phones are not EAP capable
As mentioned earlier, if MDA is enabled and the IP Phone is not EAP capable, it will not be assigned to the guest VLAN and will not be allowed network access. If you need to authenticate such IP Phones, you can use MAC Authentication Bypass (MAB) with MDA.
With MAB enabled, when the switch does not get a response to EAP packets, it will take the MAC address of the device and send it to the RADIUS server for authentication. The MAC address of the device should be added to the RADIUS server as a user or host. MAB can be enabled using the dot1x mac-auth-bypass command in the interface configuration mode.
If the MAC address of the device exists in the database, the IP phone will be authenticated. With MAB too, you will still need to configure the RADIUS server to send the cisco-av-pair attribute with a value of “device-traffic-class=voice”; without it the phone is treated as a data device. Additionally, you can also configure the RADIUS server to dynamically assign the voice VLAN.
The only caveat that you need to be aware of is that once MAB is enabled, it applies to both the data VLAN as well as the voice VLAN. If the workstation does not respond to the EAP packets, its MAC address will be used to try and authenticate it.
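Putting the three options together, here is an added example switch configuration (not from the original Chalk Talk) with one interface per option; it assumes data VLAN 10, voice VLAN 100, a RADIUS server at 192.0.2.10 with a placeholder shared secret, and the newer authentication and mab command syntax in place of the dot1x forms quoted above. The cisco-av-pair and Tunnel attributes for options 2 and 3 are returned by the RADIUS server, as described in the text, not configured on the switch.

```cisco
! Global prerequisites, common to all three options (assumed addresses and key)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SHARED-SECRET
!
! Option 1: single-host mode. The phone bypasses 802.1x on the VVID (100);
! only the workstation on the PVID (10) must authenticate. Single-host is the
! default, so the host-mode line only matters if the port was changed earlier.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode single-host
!
! Option 2: MDA for an EAP-capable phone. Phone and workstation authenticate
! separately; the RADIUS Access-Accept for the phone must carry
! cisco-av-pair = device-traffic-class=voice or the phone lands in the data domain.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode multi-domain
!
! Option 3: MDA plus MAB for a phone with no EAP supplicant. MAB only starts
! after EAP-Request/Identity times out, i.e. after tx-period x (max-reauth-req + 1)
! seconds (10 x 3 = 30 s here); these timer values are assumptions to tune per site.
! Note that MAB also applies to a workstation that stays silent on the PVID.
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode multi-domain
 authentication order dot1x mab
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
```

On older IOS releases the equivalent MAB command is the dot1x mac-auth-bypass form quoted in the text, and dot1x port-control auto replaces authentication port-control auto.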
Deploying 802.1x with workstations connected behind IP Phones requires quite a bit of planning. This Chalk Talk aims to make that planning easier by laying out the available deployment options. The actual configuration may require tweaking some dot1x timers to suit your environment, especially if MAB is used. I would like to point out that port security is one option I did not consider in this Chalk Talk, because in single-host mode port security does not limit the number of hosts that can connect to the voice VLAN. Port security therefore cannot be considered an alternative to MDA and MAB for controlling which IP phones can connect.
Vivek Santuka is a Customer Support Engineer with the Cisco TAC AAA team. In the last 7 years, Vivek has helped resolve thousands of AAA, ACS and NAC related cases for organizations of all sizes. He holds two CCIEs, one in Security and the other in Routing and Switching. In addition to that, he holds an RHCE certification. Vivek is also the co-author of the Cisco Press title 'AAA Identity Management Security'.