802.1x with Vlan assignment and IP phone and PC

raul.cuevas
Level 1

I have a Catalyst 4510R and I want to implement 802.1x with dynamic VLAN assignment via a RADIUS server. I am going to plug Cisco IP phones and PCs into the switch ports (the PCs are plugged into the IP phones).

For this implementation I need to configure the switch port in trunk mode, because I have a voice VLAN corresponding to the IP phone and a data VLAN corresponding to the PC.

However, I have read that I cannot enable 802.1x on a trunk port.

How could I configure this?

I need the PC, once it is authenticated correctly, to be assigned to its corresponding data VLAN, and the IP phone to be in the voice VLAN.

Thanks

3 Replies

jafrazie
Cisco Employee

You should configure the port as an access port with an aux-vlan. Here's an example:

!
interface GigabitEthernet2/2
 switchport access vlan 701
 switchport mode access
 switchport voice vlan 702
 load-interval 30
 qos trust device cisco-phone
 qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x port-control auto
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy output autoqos-voip-policy

Hope this helps,

Thanks for your help and for your example.

I have one question about this.

In the configuration example, if you put "switchport access vlan 701" you are forcing the PC which is plugged into the Cisco IP Phone to be assigned to data VLAN 701, and I would like this dynamic assignment to be done by Microsoft IAS (the RADIUS server), previously configured, according to the username and password set.

It doesn't matter either way. If you put "switchport access vlan 701" on the port, that just means 701 is what's configured. You can configure a VLAN from RADIUS with this just fine. It can be the same VLAN, a different VLAN, etc.

If you didn't have "switchport access vlan 701" configured, then you might as well have "switchport access vlan 1" configured anyway (which is the default, and wouldn't be recommended as a security best practice anyway).

Hope this helps,
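A small audit script that checks the points raised in this thread against an IOS running-config: 802.1X only on access ports (not trunks), a voice VLAN present so the phone and the PC are separated, an explicit access VLAN rather than the default VLAN 1, and the VLAN a RADIUS server would hand back not colliding with the voice VLAN. This is an added example, not code from the thread or from Cisco; the sample config and the collision check are my own constructions.

```python
from typing import Dict, List, Optional
# Constructed running-config excerpt (not from the thread): Gi2/2 follows the
# advice above, Gi2/3 breaks it (dot1x on a trunk, no voice or access VLAN).
SAMPLE_CONFIG = """\
interface GigabitEthernet2/2
 switchport access vlan 701
 switchport mode access
 switchport voice vlan 702
 dot1x port-control auto
!
interface GigabitEthernet2/3
 switchport mode trunk
 dot1x port-control auto
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its config lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None          # end of the interface stanza
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces

def _vlan(lines: List[str], prefix: str) -> Optional[int]:
    """VLAN number after e.g. 'switchport voice vlan', or None if not set."""
    hits = [l.split()[-1] for l in lines if l.startswith(prefix + " ")]
    return int(hits[0]) if hits and hits[0].isdigit() else None

def audit_dot1x_port(lines: List[str], radius_vlan: Optional[int] = None) -> List[str]:
    """Findings for one port; radius_vlan is the VLAN the RADIUS server would assign."""
    if not any(l.startswith("dot1x port-control") for l in lines):
        return []                   # 802.1X not enabled here, nothing to check
    findings = []
    if "switchport mode access" not in lines:
        findings.append("802.1X needs 'switchport mode access', not a trunk")
    voice = _vlan(lines, "switchport voice vlan")
    if voice is None:
        findings.append("no 'switchport voice vlan': phone and PC share one VLAN")
    if _vlan(lines, "switchport access vlan") is None:
        findings.append("no 'switchport access vlan': data VLAN falls back to VLAN 1")
    if radius_vlan is not None and radius_vlan == voice:
        findings.append(f"RADIUS-assigned VLAN {radius_vlan} collides with the voice VLAN")
    return findings
```

Run it over your own `show running-config` output and the VLAN your IAS policy returns; any port that comes back with findings is one where the PC will not land where you expect.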