Hi, I'm trying to find a way to enable 802.1X authentication on switchports that are using non-Cisco VoIP phones. These phones don't support 802.1X themselves and need DHCP access to the primary VLAN to learn the correct voice VLAN ID.
I thought the problem was solved with MAC Address Bypass authentication and 802.1X in multi-host mode (for the PC behind the VoIP phone), but this is still insecure, as now any PC behind the phone can access the network.
What I really want is for the switchport to apply an L3 ACL (per-user ACL) when the phone authenticates (restricting access to just VoIP), and then, when an 802.1X-capable PC is plugged into the phone, the switchport would re-authenticate the port and apply another ACL or remove the ACL completely.
I've just read, however, that the 802.1X per-user ACL is disabled in multi-host mode! Is there another way around this problem?
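For readers unfamiliar with the pieces named in the question, the following is an added illustration (editor's example, not the poster's configuration and not a reply to the question) of what the described setup looks like on a Cisco IOS Catalyst switchport: MAB and 802.1X on the same port, multi-host mode, a data VLAN on which the phone obtains DHCP first plus a separate voice VLAN, and a per-user ACL that a RADIUS server references by name through the Filter-Id attribute. The interface name, VLAN numbers, ACL name, and the SIP/RTP ports in the ACL are assumptions; whether the switch honours that ACL in multi-host mode is exactly the point the question raises, and this block does not claim otherwise.

```cisco
! Added illustration of the port setup described in the question, not
! the poster's own configuration. Interface, VLAN IDs, ACL name and the
! permitted protocols/ports are assumed values.
aaa new-model
aaa authentication dot1x default group radius
! network authorization is what lets RADIUS push a per-user ACL or VLAN
aaa authorization network default group radius
dot1x system-auth-control

! Per-user ACL defined locally and referenced by the RADIUS server.
! On Cisco IOS the reply attribute is  Filter-Id = "VOICE-ONLY.in"
! (the ".in" suffix selects the inbound direction on the port).
! DHCP plus SIP signalling and an RTP range is an assumption about
! what these phones need.
ip access-list extended VOICE-ONLY
 permit udp any eq bootpc any eq bootps
 permit udp any any eq 5060
 permit tcp any any eq 5060
 permit udp any any range 16384 32767
 deny   ip any any log

interface GigabitEthernet1/0/1
 switchport mode access
 ! data (primary) VLAN the phone uses for DHCP before it learns its voice VLAN
 switchport access vlan 10
 switchport voice vlan 20
 authentication port-control auto
 ! the host mode the question describes: one authentication, many MACs allowed
 authentication host-mode multi-host
 ! try MAB first so a phone without a supplicant gets on, then 802.1X
 authentication order mab dot1x
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

The ACL itself lives on the switch; the RADIUS server only names it in its Access-Accept for the phone's MAB session. A second policy on the server returning a different Filter-Id, or none, for an 802.1X-authenticated PC is the other half of what the question asks for.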