Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan


i have tried to configure a dot1x based Authentication.

With an single host including guest-vlan, everything works fine.

But i want to use an IP-Phone (wich is every times authenticated) and behind the Phone an Client.

Is there a possible solution? And unfortunately IP-Phones are Avaya-Phones.

i have  just tried so...

interface GigabitEthernet0/4

switchport access vlan 121

switchport mode access

switchport voice vlan 200

authentication event fail action authorize vlan 99

authentication event server dead action authorize vlan 121

authentication event server alive action reinitialize

authentication host-mode multi-host

authentication order dot1x

authentication port-control auto

authentication periodic

authentication violation restrict

dot1x pae authenticator

dot1x timeout quiet-period 10

dot1x timeout tx-period 1

spanning-tree portfast

Thanks, for any possible solution!

Cisco Employee

802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vl

unfortunately because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the amount of phones.

I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.

Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The raduis server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.

What are using for a radius server?

New Member

802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vl

Hi Sam and everybody,

1st it's correct - Avaya did not use CDP - the Voice-VLAN-ID is configured by the DHCP-Server and Call-Manager. So the Phones "know" they VLAN-ID.

2nd yes it looks like the solution to use multi-domain instead of singel-host. But once the Switchport is authenticated by the phone, anyone can use the PC-Port on the Phone and gain network-access?

What about old Printers (they can't use dot1X).

Radius-Server is a Windows machine (did not now correctly).

So the questions - is it secure to use multi-domain?

How to handle old printers (mac-security?)?



CreatePlease to create content