06-03-2010 06:14 AM - edited 03-06-2019 11:24 AM
We are deploying dot1x in a relatively large network. We are going to use PEAP-TLS machine authentication (no user auth) with mac-address bypass. How do we handle ip-phones in this scenario? Do we need to authenticate the phone with PEAP-TLS or can we use mac-address authentication for the phones? How do we handle the voice vlan on a dot1x enabled port, will the static command voice vlan xxx work on a dot1x enabled port and is this a security issue?
06-15-2010 03:35 AM
Hi Kaare,
It is now possible to authenticate the phone against Cisco ACS using either EAP-MD5 or EAP-FAST; this assumes that your access switches are reasonably new and support MDA (multi-domain authentication). I will try to post some documentation on how this is achieved, as I had a case open with TAC, who were able to get this scenario working for us.
Having said that, MAC Auth Bypass is a perfectly acceptable option, as is putting the phones into a guest VLAN.
Kind Regards
Elliott
06-15-2010 08:35 AM
Hi,
Check out the link below for IP phone configuration with 802.1X integration:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post