801.x and AVAYA

Unanswered Question
Nov 6th, 2009

Hey everyone, I was wondering if someone could help me. I am trying to implement 801.x port security in my network. In our switch ports we have an IP AVAYA phone connected and a workstation connected to the IP phone. I enable dot1x authentication on the ports specifying the data vlan and the voice vlan. I configure the avaya phone 1608 in pass-thru mode, so that the authetication is forwaded to the PC. Supposedly, the phone would be able to connect without any authentication but it doesn't! I can't communicate with the dhcp server to get an ip:

here is what I configure on the switch ports:

interface FastEthernet1/0/2

switchport access vlan 200

switchport mode access

switchport voice vlan 45

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x violation-mode protect

spanning-tree portfast

thanx for the help!!!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
lel_chavez Fri, 11/06/2009 - 09:47

Is there a way I can exclude any authentication on the voice VLAN but implement the dot1x for the data vlan on the same port? I would like to have authentication only for the workstation attached to the phone...\

Thanx so much for your help!

Jagdeep Gambhir Fri, 11/06/2009 - 10:04

You can go for Multiple-Hosts Mode

In multiple-hosts mode, you can attach multiple hosts to a single 802.1X-enabled port. Figure 39-4 shows 802.1X port-based authentication in a wireless LAN. In this mode, only one of the attached clients must be authorized for all clients to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network access to all of the attached clients. In this topology, the wireless access point is responsible for authenticating the clients attached to it, and it also acts as a client to the switch.

With multiple-hosts mode enabled, you can use 802.1X authentication to authenticate the port and port security to manage network access for all MAC addresses, including that of the client.




Do rate helpful posts

Jatin Katyal Fri, 11/06/2009 - 13:57


As you stated in your second post that you only want to authenticate your pc behind the phone so I would suggest you to configure ports with multi-host command.

And for Phone you need to configure MAB (mac authentication bypass)

On the radius\ACS server you need to add the phone mac address as username and password.



Mac format: aabbcc112233

In case you want to authenticate your Phone and PC via 802.1x then you may go through this:


Configuring Avaya phone for MDA




Plz rate helpful posts-

lel_chavez Fri, 11/06/2009 - 15:16

Hey JK, thanx for your help. Is there a way that the phone doesn't even have to do the MAB? just plugit in and then voila!


thompson318 Mon, 12/08/2014 - 13:34

Looking for options for similar options...

I have 802.1x working fine, need to work around the Avaya IP phones for a remote office..

interface GigabitEthernet0/2
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan yyy
 priority-queue out
 authentication event fail retry 5 action authorize vlan zzz
 authentication event server dead action authorize vlan xxx
 authentication event no-response action authorize vlan xxx
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 4000
 no snmp trap link-status
 mls qos trust cos
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable



This Discussion