cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3584
Views
5
Helpful
6
Replies

801.x and AVAYA

lel_chavez
Level 1
Level 1

Hey everyone, I was wondering if someone could help me. I am trying to implement 801.x port security in my network. In our switch ports we have an IP AVAYA phone connected and a workstation connected to the IP phone. I enable dot1x authentication on the ports specifying the data vlan and the voice vlan. I configure the avaya phone 1608 in pass-thru mode, so that the authetication is forwaded to the PC. Supposedly, the phone would be able to connect without any authentication but it doesn't! I can't communicate with the dhcp server to get an ip:

here is what I configure on the switch ports:

interface FastEthernet1/0/2

switchport access vlan 200

switchport mode access

switchport voice vlan 45

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x violation-mode protect

spanning-tree portfast

thanx for the help!!!

6 Replies 6

lel_chavez
Level 1
Level 1

Is there a way I can exclude any authentication on the voice VLAN but implement the dot1x for the data vlan on the same port? I would like to have authentication only for the workstation attached to the phone...\

Thanx so much for your help!

You can go for Multiple-Hosts Mode

In multiple-hosts mode, you can attach multiple hosts to a single 802.1X-enabled port. Figure 39-4 shows 802.1X port-based authentication in a wireless LAN. In this mode, only one of the attached clients must be authorized for all clients to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network access to all of the attached clients. In this topology, the wireless access point is responsible for authenticating the clients attached to it, and it also acts as a client to the switch.

With multiple-hosts mode enabled, you can use 802.1X authentication to authenticate the port and port security to manage network access for all MAC addresses, including that of the client.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html#wp1308773

Regards,

~JG

Do rate helpful posts

scadora
Cisco Employee
Cisco Employee

You will need to configure the port for multi-domain-authentication host-mode and authenticate the workstation *and* the Avaya phone via 802.1X or MAB.

Here is a link for configuring MDA:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/sw8021x.html#wp1335550

Hope that helps,

Shelly

Hi,

As you stated in your second post that you only want to authenticate your pc behind the phone so I would suggest you to configure ports with multi-host command.

And for Phone you need to configure MAB (mac authentication bypass)

On the radius\ACS server you need to add the phone mac address as username and password.

Username:aabbcc112233

password:aabbcc112233

Mac format: aabbcc112233

In case you want to authenticate your Phone and PC via 802.1x then you may go through this:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA

Configuring Avaya phone for MDA

http://www.avaya.com/usa/resource/assets/applicationnotes/802_1x_ciscomda.pdf

HTH

JK

Plz rate helpful posts-

~Jatin

Hey JK, thanx for your help. Is there a way that the phone doesn't even have to do the MAB? just plugit in and then voila!

thanx!

Looking for options for similar options...

I have 802.1x working fine, need to work around the Avaya IP phones for a remote office..

interface GigabitEthernet0/2
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan yyy
 priority-queue out
 authentication event fail retry 5 action authorize vlan zzz
 authentication event server dead action authorize vlan xxx
 authentication event no-response action authorize vlan xxx
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 4000
 no snmp trap link-status
 mls qos trust cos
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
end

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: