DOT1X authentication for IP Phones

Answered Question
May 29th, 2010
Hi,


I have DOT1X authentication configured on all switch ports. I also have Cisco IP phones.


My requirement is to allow Cisco IP phones without DOT1X authentication.


Is this possible?


Kindly suggest.

Overall Rating: 5 (1 ratings)
Marwan ALshawi Sun, 05/30/2010 - 00:41
Hi


By enabling forced authorization on a port, the clientless hosts can connect to it and still be part of the trusted VLAN. This has the same effect as not enabling dot1x on the port. This can be particularly useful if a user wants to connect an IP phone or other device that does not have a supplicant but still needs to be part of the secure VLAN. Any host can be connected to this port and be part of the secure VLAN without going through 802.1x authentication. Similarly, the port can be forced to be unauthorized. This has the same effect as shutting down the port.


ALSO


Voice VLAN

Using this feature, Cisco IP phones can be placed in a separate VLAN when they are connected to an Ethernet switch port. This is not an 802.1x feature. But it is useful because the IP phones may not support an 802.1x supplicant. IP phones can be placed in a separate VLAN bypassing 802.1x authentication. That VLAN can be configured to provide only voice access. The voice VLAN can also use the same DHCP pool as the trusted VLAN by using the ip unnumbered Vlan 10 sub-interface command. If an IP phone is a non-Cisco IP phone, the Voice VLAN feature will not work automatically. Using MAC bypass will permit a non-Cisco phone to be placed onto the voice VLAN.

interface FastEthernet2
 switchport access vlan 10
 switchport voice vlan 11
 dot1x pae authenticator
 dot1x port-control auto

good luck
if helpful Rate
Correct Answer
Jatin Katyal Sun, 05/30/2010 - 04:48
So do you have a PC connected behind the phone? If yes, and you just want to authenticate the PC via DOT1X and bypass the authentication for your IP phones, then you need to use the single-host mode command on the concerned ports to disable authentication of the IP phone.


dot1x host-mode single-host
dot1x port-control auto


For newer versions, use these commands:

authentication host-mode single-host
authentication port-control auto


Also, you need to disable 802.1x on the IP phones.


HTH

JK


Do rate helpful posts-
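
As an added example (not from the thread or from Cisco), a small Python audit that reads a running-config and labels each interface by the port-control setting discussed in the replies above, so ports left in forced authorization or without 802.1X stand out. It assumes sub-commands are indented by one space as in show running-config output; the sample config, the function name audit_dot1x and the finding labels are constructed for illustration.

```python
import re

# Constructed sample in "show running-config" layout (not from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet2
 switchport access vlan 10
 switchport voice vlan 11
 dot1x pae authenticator
 dot1x port-control auto
!
interface FastEthernet3
 authentication host-mode single-host
 authentication port-control auto
!
interface FastEthernet4
 dot1x port-control force-authorized
!
interface FastEthernet5
 switchport access vlan 10
"""

# Both the older "dot1x ..." and newer "authentication ..." forms from the thread.
PATTERNS = {
    "port_control": re.compile(r"(?:dot1x|authentication) port-control (\S+)$"),
    "host_mode": re.compile(r"(?:dot1x|authentication) host-mode (\S+)$"),
    "voice_vlan": re.compile(r"switchport voice vlan (\d+)$"),
}
# Labels are this example's own, not Cisco terminology.
FINDINGS = {None: "open", "auto": "enforced",
            "force-authorized": "bypass", "force-unauthorized": "blocked"}

def audit_dot1x(config):
    """Map each interface to its 802.1X settings and a finding label."""
    ports, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = ports.setdefault(raw.split(None, 1)[1].strip(),
                                       dict.fromkeys(PATTERNS))
        elif current is not None and raw.startswith(" "):
            for key, rx in PATTERNS.items():
                m = rx.match(raw.strip())
                if m:
                    current[key] = m.group(1)
        else:
            current = None  # "!" or a global command ends the stanza
    for port in ports.values():
        port["finding"] = FINDINGS.get(port["port_control"], "unknown")
    return ports

if __name__ == "__main__":
    for name, port in audit_dot1x(SAMPLE_CONFIG).items():
        print(f"{name:16} {port['finding']:9} host-mode={port['host_mode']} voice-vlan={port['voice_vlan']}")
```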
