11-06-2009 09:11 AM - edited 03-12-2019 05:38 PM
Hey everyone, I was wondering if someone could help me. I am trying to implement 801.x port security in my network. In our switch ports we have an IP AVAYA phone connected and a workstation connected to the IP phone. I enable dot1x authentication on the ports specifying the data vlan and the voice vlan. I configure the avaya phone 1608 in pass-thru mode, so that the authetication is forwaded to the PC. Supposedly, the phone would be able to connect without any authentication but it doesn't! I can't communicate with the dhcp server to get an ip:
here is what I configure on the switch ports:
interface FastEthernet1/0/2
switchport access vlan 200
switchport mode access
switchport voice vlan 45
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x violation-mode protect
spanning-tree portfast
thanx for the help!!!
11-06-2009 09:47 AM
Is there a way I can exclude any authentication on the voice VLAN but implement the dot1x for the data vlan on the same port? I would like to have authentication only for the workstation attached to the phone...\
Thanx so much for your help!
11-06-2009 10:04 AM
You can go for Multiple-Hosts Mode
In multiple-hosts mode, you can attach multiple hosts to a single 802.1X-enabled port. Figure 39-4 shows 802.1X port-based authentication in a wireless LAN. In this mode, only one of the attached clients must be authorized for all clients to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network access to all of the attached clients. In this topology, the wireless access point is responsible for authenticating the clients attached to it, and it also acts as a client to the switch.
With multiple-hosts mode enabled, you can use 802.1X authentication to authenticate the port and port security to manage network access for all MAC addresses, including that of the client.
Regards,
~JG
Do rate helpful posts
11-06-2009 12:40 PM
You will need to configure the port for multi-domain-authentication host-mode and authenticate the workstation *and* the Avaya phone via 802.1X or MAB.
Here is a link for configuring MDA:
Hope that helps,
Shelly
11-06-2009 01:57 PM
Hi,
As you stated in your second post that you only want to authenticate your pc behind the phone so I would suggest you to configure ports with multi-host command.
And for Phone you need to configure MAB (mac authentication bypass)
On the radius\ACS server you need to add the phone mac address as username and password.
Username:aabbcc112233
password:aabbcc112233
Mac format: aabbcc112233
In case you want to authenticate your Phone and PC via 802.1x then you may go through this:
Configuring Avaya phone for MDA
http://www.avaya.com/usa/resource/assets/applicationnotes/802_1x_ciscomda.pdf
HTH
JK
Plz rate helpful posts-
11-06-2009 03:16 PM
Hey JK, thanx for your help. Is there a way that the phone doesn't even have to do the MAB? just plugit in and then voila!
thanx!
12-08-2014 01:34 PM
Looking for options for similar options...
I have 802.1x working fine, need to work around the Avaya IP phones for a remote office..
interface GigabitEthernet0/2
switchport access vlan xxx
switchport mode access
switchport voice vlan yyy
priority-queue out
authentication event fail retry 5 action authorize vlan zzz
authentication event server dead action authorize vlan xxx
authentication event no-response action authorize vlan xxx
authentication event server alive action reinitialize
authentication port-control auto
authentication periodic
authentication timer reauthenticate 4000
no snmp trap link-status
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
end
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: