802.1x help

aaronr
Level 1

Hi all,

I am/will be beginning a deployment of dot1x to our campus. We will be authenticating to a Windows 2003 IAS Domain Controller, but I have a few questions before we begin:

1) I have found no documentation as to the setup of switchports in regards to Cisco IP Phones... namely, how do the phones get around the authentication (or do they)? Can anyone point me in the right direction for some docs and/or sample configs?

2) We have an environment of about 23 Catalyst 3560s and 23 Catalyst 500 Expresses, all with PoE. I can get the 3560s to authenticate to IAS with no problem. However, the 500s have got me stumped. I know it needs to be done through SDM, but there seems to be virtually NO documentation on the configuration aspects for these guys. I read somewhere that it can only be done using the Desktop Smartport role? Is this true, and if so, is there a way around it for the IP Phones? Are future OS releases going to support the IP Phone+Desktop role?

Any help would be MUCH appreciated!

Thanks!

Aaron

2 Replies

andrewjacobs
Level 1

Essentially, you create a voice VLAN on your access port (the port where your phone plugs in), enable dot1x on it, plug your phone in and that's it. The phone sends a CDP packet to the switch identifying itself as a Cisco IP phone. The switch then bypasses 802.1x authentication for the phone and enables communication from the MAC of the IP phone on the voice VLAN (VVID) only. So when a computer plugs into the back of the phone, it's forced to authenticate via 802.1x because it traverses the PVID. Here's some documentation that should make it clear.

http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00801e85c4.html#1062454

And I don't know what SDM is so I can't help you out with your second question.

Good luck.

sdelair
Level 1

Hello, Aaron! Below is some information that should help answer your questions.

Regarding your first question, devices that connect to the switch using the configured voice VLAN (i.e., IP phones) automatically bypass 802.1X authentication. Here is a URL for the Catalyst 3560 that explains this: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/sw8021x.htm#wp1062454. The same concept applies to other switches such as the Catalyst Express 500.

Regarding your second question, you need to use Cisco Network Assistant (CNA) in order to configure the Catalyst Express 500 switches to use 802.1X. The only other way to configure the CE 500 is via its web interface, but this does not provide all of the switch configuration options. In CNA, if you click on the Configure tab, then choose Security and Network Security Settings, a window will open where you can set the host access security level to High. You will then be able to enter the RADIUS server information. Also, the IP Phone+Desktop smartports role is supported by the CE 500, even with its first SW release 12.2(25)FY.

Hope this helps!
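As an added example, not taken from either reply above or from Cisco's own documentation, here is a Catalyst 3560 IOS configuration that matches what andrewjacobs and sdelair describe: an access port carrying a data VLAN (PVID) and a voice VLAN (VVID) with 802.1X enabled, so the phone is admitted on the voice VLAN based on CDP without authenticating, while the PC plugged into the back of the phone must authenticate against the RADIUS server (IAS). The interface name, VLAN numbers, RADIUS server address and shared secret are constructed placeholders.

```cisco
! Added example (not from the thread): 3560 access port for a Cisco IP phone with a PC behind it.
! Interface, VLAN IDs, server address and shared secret are constructed placeholders.
aaa new-model
aaa authentication dot1x default group radius
! Globally enable 802.1X on the switch
dot1x system-auth-control
! The Windows IAS server acting as RADIUS (placeholder address and key)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
!
interface FastEthernet0/1
 description Phone + PC (802.1X with voice VLAN bypass)
 switchport mode access
 ! Data VLAN (PVID): the PC's untagged frames land here and must pass 802.1X
 switchport access vlan 10
 ! Voice VLAN (VVID): the phone's MAC, learned via CDP, is allowed here without 802.1X
 switchport voice vlan 20
 ! Port stays unauthorized for data traffic until a supplicant authenticates
 dot1x port-control auto
 spanning-tree portfast
!
! Checks after plugging in phone and PC:
!   show dot1x interface FastEthernet0/1
!   show interfaces FastEthernet0/1 switchport
```

The point to verify after applying this is the split the replies describe: the phone's MAC should appear only on VLAN 20 with no 802.1X session, and the PC should show an 802.1X session on VLAN 10 that moves the port to authorized only after IAS accepts it. If the PC never triggers EAP, confirm the phone is actually sending CDP (the bypass depends on it) and that the port, not just the switch, has `dot1x port-control auto`.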