NAC-L2-802.1x with 7940 IP Phones and builtin switchport?

Unanswered Question
Jun 25th, 2008


I've got the NAC Framework, NAC-L2-802.1x working in a test LAB with network hosts (PCs) connected directly to the L2 switch. In our production environment, we have Cisco 7940 IP phones on every desk, and the PCs connect to the switchport on the back of these phones. How would one configure NAC-L2-802.1x to work in a setup like this? I've done quite a bit of searching on Cisco and only found this reference to IP phones and NAC:

IP Telephone and Device Mobility

The computer connected to the PC port on an IP phone will get posture validated successfully.

It does not help much...

Thanks very much.


jafrazie Mon, 06/30/2008 - 11:29

You have 2 choices:

1) Ignore the phones based on CDP. You get this by just configuring 802.1X along with a VVID. Here's an example port config from a 3750:

interface GigabitEthernet1/0/2
 description endpoints
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 200
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 10

The config above will allow a Cisco phone in "for free" just because it can do CDP.

2) Authenticate IP phones via 1X or MAC-Authentication for phones that cannot support 1X. This would be the same config as above, with the addition of this line:

dot1x host-mode multi-domain

And if your IP phone cannot do 1X (for example, the 7940 cannot) then you'll need to check its MAC for entry into the network by adding this line:

dot1x mac-auth-bypass

Hope this helps,
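Option 2 assembled into one working port configuration, as an added example that is not part of jafrazie's reply. It combines the per-port config above with the global AAA, RADIUS and DHCP-snooping settings that `dot1x mac-auth-bypass`, `dot1x host-mode multi-domain` and `ip verify source` depend on but which the reply does not show, for a port where a 7940 (no 802.1X supplicant, so MAB) sits in front of a PC that does 802.1X. The RADIUS server address, shared secret, and the EAP timer values are assumed placeholders; the QoS lines from the original are omitted for brevity. Option 1, by contrast, admits any device to the voice VLAN as soon as it speaks CDP, which is why the MAB path is the one worth finishing.

```cisco
! --- global prerequisites (assumed server address and key; substitute your own) ---
aaa new-model
aaa authentication dot1x default group radius
! needed so the RADIUS-returned attributes (voice domain, VLAN) are applied
aaa authorization network default group radius
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
dot1x system-auth-control
! ip verify source on the port requires DHCP snooping to be enabled globally
ip dhcp snooping
ip dhcp snooping vlan 2,200
!
! --- access port: 7940 phone (MAB) with a PC (802.1X) behind it ---
interface GigabitEthernet1/0/2
 description endpoints (7940 phone + PC behind it)
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 200
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x port-control auto
 ! one voice-domain host and one data-domain host allowed on the port
 dot1x host-mode multi-domain
 ! 7940 has no supplicant: after EAP times out, fall back to MAC authentication
 dot1x mac-auth-bypass
 ! (assumed tuning) shorten the EAP wait before MAB kicks in: 2 x 10 s instead of 2 x 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 10
!
end
```

Two things to check once this is in place. First, the phone's MAC must exist on the RADIUS server as a MAB identity, and that identity's authorization result must carry the Cisco AV pair `device-traffic-class=voice`; without it the phone is authorized into the data domain, and the PC's later 802.1X attempt then counts as a second data-domain host on a multi-domain port, which is treated as a security violation. Second, `show dot1x interface GigabitEthernet1/0/2 details` lists each authenticated client with its domain (DATA or VOICE) and the method that admitted it, so you can confirm the phone landed in VOICE via MAB and the PC in DATA via 802.1X before rolling the config out.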
