802.1x problem with non-Cisco IP Phone, VVID enabled.

brian.leitch
Level 1

I am testing with a 3750 PoE switch running 12.2(25)SEE1 and trying to configure 802.1x to work with Mitel IP phones.

I have voice and data VLANs configured on each port. Turning on 802.1x causes the phone to hang and time out in DHCP Discovery. The port status from the switch is "Unauthorized".

interface FastEthernet1/0/2
 switchport access vlan 1
 switchport mode access
 switchport voice vlan 2
 dot1x pae authenticator
 dot1x port-control auto
 no mdix auto
 spanning-tree portfast
end

Should anything be configured besides the Voice VLAN to let phones onto the network? There is no computer behind the phone right now. The only information I can find says I need a VVID, and any clients behind it will cross the PVID.

Thanks.

3 Replies

jafrazie
Cisco Employee

Does your phone have 802.1X supplicant capability?

Yes it does.

Apparently the Mitel phones (testing a 5215 dual-mode) we have support EAP-MD5, but we have a primarily PEAP/EAP-TTLS environment. Apparently the phones need to use a username/password entered on each phone before they will send that to a Radius server doing EAP-MD5. Our PEAP clients authenticate to a Microsoft Radius server, and our EAP-TTLS to a Funk box. Hopefully the Microsoft can support both EAP-MD5 phones and PEAP on the laptops, I'll have to find out.

I was hoping this was a quick and easy Cisco configuration error... oh well.

The config on your switchport is fine, and need not change. If you have other working supplicants (PC or otherwise) you can plug into the port with that config, the rest of your Cisco-switch config would be fine too (like the RADIUS definition, key, etc.)

Don't expect a PC behind the phone to work though.

Hope this helps,