802.1x using guest vlans with PCs connected to IP Phones

Apr 11th, 2008

Hi,

I have a problem at the moment deploying a Guest VLAN in 802.1x that hopefully someone will have a suggestion for. My issue is as follows:

I have a 3750 port configured for 802.1x authentication and with a voice VLAN and guest VLAN. I am not 802.1x authenticating the phone. The data VLAN (PC connected to the phone) will only drop into the guest VLAN if it sees *NO* EAPOL packets since the physical switch port has come up. This is a problem in a hot desk type environment where the connection may be used for an 802.1x user first and then later by a non-802.1x user (guest): because the IP phone holds the port up, the switch will no longer drop into the guest VLAN. I understand that this is a behaviour change that occurred around 12.2.25. Has anybody come across this and found a workaround?

ivillegas Thu, 04/17/2008 - 07:42

When you configure a guest VLAN, clients that are not 802.1X-capable are put into the guest VLAN when the server does not receive a response to its EAPOL request/identity frame. Clients that are 802.1X-capable but fail authentication are not granted access to the network. The switch supports guest VLANs in single-host or multiple-hosts mode.

Any VLAN can be configured as an 802.1x guest VLAN except internal (routed port) VLANs, RSPAN VLANs, or voice VLANs.

A PC will not authenticate using 802.1x while connected via an IP phone.

Authentication works if a PC is plugged directly into the switch. With an IP phone in the middle, it does not authenticate. When an 802.1x supplicant connects to the switch through an IP phone in the middle, there is no link-up event at the switch. So, the switch is not directly aware that a PC is connected, and it does not initiate the authentication procedure. If Guest-VLAN is also configured, the port may be placed in the Guest-VLAN first after the periodic (every 30 seconds by default) EAPOL-Identity-Request frames have gone unanswered. Also, once the Guest-VLAN is deployed, EAPOL stops on the wire and the switch can no longer initiate 802.1x. However, if any supplicant that connects to the phone sends EAPOL-Start frames unconditionally, 802.1x can work normally (in which a port is taken out of the Guest-VLAN and is authenticated).

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1053658
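The port configuration the thread is talking about (802.1x on the data VLAN, phone on the voice VLAN without authentication, guest VLAN for non-supplicants), written out as an added example for reference. It is not configuration posted by either participant or taken from the linked Cisco guide; the interface, VLAN IDs, RADIUS address and key are assumed placeholders.

```cisco
! Added example: Catalyst 3750 (IOS 12.2 SE) port with 802.1x, voice VLAN and guest VLAN.
! Placeholders: VLAN 20 = data, VLAN 100 = voice, VLAN 30 = guest, RADIUS at 192.0.2.10.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key RADIUS-KEY-PLACEHOLDER
! Enable 802.1x globally; per-port settings below do nothing without this.
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Hot desk: IP phone with PC behind it
 switchport mode access
 switchport access vlan 20
 ! Phone is placed in the voice VLAN (CDP) and is not authenticated by 802.1x.
 switchport voice vlan 100
 spanning-tree portfast
 ! Authenticate the data device (the PC behind the phone).
 dot1x port-control auto
 ! Single-host is the default; one data MAC plus the phone on the voice VLAN.
 dot1x host-mode single-host
 ! Non-supplicants land here only if NO EAPOL has been seen since link-up.
 dot1x guest-vlan 30
 ! Interval between unanswered EAPOL-Request/Identity frames (30 s is the default).
 dot1x timeout tx-period 30
 ! Periodic re-authentication of an authenticated supplicant.
 dot1x reauthentication
 dot1x timeout reauth-period 3600
!
! Check the port's authorisation state and which VLAN it is currently in:
! show dot1x interface GigabitEthernet1/0/1 details
! show vlan brief
```

Because the phone keeps the link up, a later non-802.1x PC behind the same phone is not moved into VLAN 30 on this configuration once the port has seen EAPOL; a `shutdown` / `no shutdown` on the interface resets that state, as the thread observes.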

dmitry Thu, 06/19/2008 - 15:23

Hi,

I'm running into the same problem on c3560s with 12.2.37SE1. Once a port sees 802.1x packets from a PC connected to an IP phone, it refuses to put another, non-802.1x PC connected instead to the same phone into the guest VLAN until the switch interface is shut/no shut.

Was just wondering if you found any solution to this issue?

Thanks
