IP Phone + dot1x + ACS 3.2

Answered Question
Jul 29th, 2008

Hello everybody!

The main idea: I need to authenticate a Cisco IP Phone connected to a C3750 and put it into the voice VLAN. Authentication is done in ACS v.3.2 using the IP Phone's MAC address.

There's port configuration on C3750:

interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 12
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 spanning-tree portfast


In ACS I've created a group "IP Phones", and in its configuration I checked:

1) Voice-over-IP Support

2) IETF RADIUS Attributes:

[064] Tunnel-Type = VLAN

[065] Tunnel-Medium-Type = 802

[081] Tunnel-Private-Group-ID = 12

There's user 000d65707e7a (IP Phone's MAC-address) in this ACS group.

When I connect the IP Phone to the GigabitEthernet1/0/2 interface, it doesn't get the voice VLAN.

c3750#show mac-address-table interface gigabitEthernet 1/0/2
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000d.6570.7e7a    STATIC      Drop
  12    000d.6570.7e7a    STATIC      Drop

In ACS, choosing "Reports and Activity" -> "Failed Attempts", I see a mistake:

Authen failed - 000d65707e7a - Access denied to Voice-over-IP group

What's wrong? How do I configure the ACS group to authenticate the IP Phone by its MAC address and put it into voice VLAN 12 on the C3750?

Thanks for any help!
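
An added example, not part of the original post: it parses the show mac-address-table output quoted above for Drop entries, converts each MAC to the 12-digit username form used in ACS, and pairs it with the matching Failed Attempts line. The sample inputs are constructed from the values in the post; the log-line layout and reading a Drop entry as a MAC the port has not authorised are assumptions.

```python
import re

# Constructed sample: the switch output and ACS log line quoted in the post.
SHOW_MAC = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000d.6570.7e7a    STATIC      Drop
  12    000d.6570.7e7a    STATIC      Drop
"""
ACS_FAILED = ["Authen failed - 000d65707e7a - Access denied to Voice-over-IP group"]

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)
FAIL = re.compile(r"^Authen failed - ([0-9a-f]{12}) - (.+)$", re.I)  # assumed layout


def mab_username(mac: str) -> str:
    """Normalise any common MAC notation to the 12-hex-digit lowercase form
    used as the ACS username in the post (000d65707e7a)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def dropped_macs(show_output: str) -> dict:
    """Map MAB username -> sorted VLANs where the switch holds a Drop entry."""
    result = {}
    for line in show_output.splitlines():
        m = ROW.match(line)
        if m and m.group(4).lower() == "drop":
            result.setdefault(mab_username(m.group(2)), set()).add(int(m.group(1)))
    return {mac: sorted(vlans) for mac, vlans in result.items()}


def correlate(show_output: str, acs_lines: list) -> list:
    """Pair each dropped MAC with the ACS failure reason, or None when the
    supplied ACS lines contain no failure for that MAC."""
    reasons = {}
    for line in acs_lines:
        m = FAIL.match(line.strip())
        if m:
            reasons[m.group(1).lower()] = m.group(2)
    return [(mac, vlans, reasons.get(mac)) for mac, vlans in dropped_macs(show_output).items()]


if __name__ == "__main__":
    for mac, vlans, reason in correlate(SHOW_MAC, ACS_FAILED):
        print(f"{mac} dropped in VLANs {vlans}: {reason or 'no ACS record'}")
```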

Farrukh Haroon Sun, 08/03/2008 - 20:13

I think you need to add a RADIUS VSA:


Also make sure your device-ID on the phone is the same as the username you are putting (not just the MAC address). It is in this format:



Please let me know how this turns out.



VladimirFilippov Sun, 08/03/2008 - 21:22

Thanks Farrukh for your help!

I've already studied these documents, did all the things in ACS, and discovered that my IP Phone CP-7940G, firmware 8.0(7.0), does not support 802.1x authentication.

Is there any other CP-7940G firmware with the 802.1x feature enabled, or do I need to change the model to 7961G (7970G)?

Correct Answer
jafrazie (Cisco Employee) Mon, 08/04/2008 - 05:28

7940 will never do 802.1X. Neither will 7960. Newer phones will.

VladimirFilippov Fri, 08/22/2008 - 05:46

Using this port-config:

interface GigabitEthernet1/0/15
 switchport mode access
 switchport voice vlan XXX
 no logging event link-status
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout quiet-period 5
 dot1x timeout reauth-period server
 dot1x guest-vlan XXX
 dot1x auth-fail vlan XXX
 spanning-tree portfast


I managed to put the 802.1x PC into the needed access VLAN and the non-802.1x IP Phone into the voice VLAN, and to authenticate devices by MAC address.

