Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2414
Views
0
Helpful
3
Replies

MAB on Voice Vlan for non-Cisco phone

ccr_cisco
Level 1
Level 1

‎07-22-2009 03:05 AM - edited ‎03-10-2019 04:36 PM

Hello,

I try to do MAB authentification for a non-cisco phone. My port config is :

switchport mode access

switchport nonegotiate

switchport voice vlan 41

dot1x mac-auth-bypass

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x guest-vlan 100

dot1x auth-fail vlan 100

no cdp enable

spanning-tree portfast

It seems that the 2960 switch doesn't even try to do MAB on voice vlan because it try to do CDP.

If i don't use voice vlan, the phone can authenticate with MAB but I cannot connect a pc behind the phone

Regards

Labels:
0 Helpful
3 Replies 3

jafrazie
Cisco Employee
Cisco Employee

‎07-22-2009 05:05 AM

Would not recommend multi-host mode, since it intentionally allows port piggybacking.

You need MDA. See here:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA

This will allow you to MAB the phone, treat it as a phone, then do the same for the PC as well.

HTH,

0 Helpful

ccr_cisco
Level 1
Level 1
In response to jafrazie

‎07-22-2009 05:42 AM

I've tried this technote, the problem is when command 'switchport voice vlan' my switch automaticaly try to detect the phone via cdp and doesn't fallback to authenticate phone via MAB

I'm using catalyst 2960 12.2.25 SEE3

Regards

0 Helpful

jafrazie
Cisco Employee
Cisco Employee
In response to ccr_cisco

‎07-22-2009 05:45 AM

If you have MDA enabled it won't. Also, I thought you have non-cisco phones? ;-).

HTH,

0 Helpful
Customers Also Viewed These Support Documents