
802.1X MDA Packet Format Question

bdowney
Level 1

When a phone is on the voice VLAN, packets destined for it should have an 802.1q tag with a VLAN ID of the voice VLAN.

Does the EAP packet (for the phone) have an 802.1q vlan header when using 802.1X MDA? What about re-authentication packets?

The RFC says VLAN tagging is not supported but it was not written with MDA in mind.

2 Replies

ebreniz
Level 6

You can add MAC addresses on ACS for MAB with an asterisk (*). ---> This immediately allows you to get the IP phones added to the voice VLAN. Guess it's not possible that a "2-VLAN-trunk" between the ATA186 and the switch is getting built up. Exactly for all those devices MDA has been developed.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_35_se/configuration/guide/sw8021x.html#wp1062454

EAPOL frames are not tagged. It wouldn't matter what vlan a device thinks it should be on. If the switch has not authenticated it, it wouldn't know it's a phone (yet) anyway.

EAPOL is sent to the specific MAC address of the device for ports enabled for MDA. This includes re-auth frames.
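
The two properties described in the last reply (no 802.1Q tag, destination set to the device's own MAC) can be checked on a captured frame. The following is an added example, not code from the thread: it parses a raw Ethernet frame and reports whether an EAPOL frame is tagged and what kind of destination address it uses. The MAC addresses, VLAN 110 and the sample frames are constructed for illustration.

```python
import struct

ETH_8021Q = 0x8100                          # 802.1Q tag protocol identifier
ETH_EAPOL = 0x888E                          # EAPOL (802.1X) EtherType
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "Start", 2: "Logoff", 3: "Key"}

def inspect_eapol(frame: bytes):
    """Describe an EAPOL frame; return None if the frame is not EAPOL."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan_id = 14, None
    if ethertype == ETH_8021Q:              # tag present: real EtherType follows the TCI
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype != ETH_EAPOL:
        return None
    if len(frame) < offset + 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack_from("!BBH", frame, offset)
    if dst == PAE_GROUP:
        dst_kind = "pae-group"
    else:
        dst_kind = "multicast" if dst[0] & 1 else "unicast"
    return {
        "dst": dst.hex(":"),
        "dst_kind": dst_kind,
        "tagged": vlan_id is not None,
        "vlan_id": vlan_id,
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
        "body_len": body_len,
    }

# Constructed sample frames (MACs and VLAN 110 are made up for this example).
SWITCH, PHONE = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
EAP_REQ_ID = bytes([1, 1, 0, 5, 1])         # EAP Request, id 1, length 5, type Identity
EAPOL = bytes([2, 0]) + struct.pack("!H", len(EAP_REQ_ID)) + EAP_REQ_ID
UNTAGGED_UNICAST = PHONE + SWITCH + struct.pack("!H", ETH_EAPOL) + EAPOL
TAGGED_VOICE = PHONE + SWITCH + struct.pack("!HHH", ETH_8021Q, 110, ETH_EAPOL) + EAPOL
VOICE_IP = PHONE + SWITCH + struct.pack("!HHH", ETH_8021Q, 110, 0x0800) + bytes(20)

if __name__ == "__main__":
    for name in ("UNTAGGED_UNICAST", "TAGGED_VOICE", "VOICE_IP"):
        print(name, inspect_eapol(globals()[name]))
```

`UNTAGGED_UNICAST` matches what the reply describes for an MDA port; `TAGGED_VOICE` is the shape the question asks about and is included only so the parser's tagged branch can be seen.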