Cisco Support Community
Community Member

Cisco ip phone and wired user authenticate form ISE

Hi dears,

I configurate wired users from Cisco ISE. The authentication protocol is Eap-fast, the external device is DC. The wired user authenticate from ISE normally. I use labminutes web sites for configuration video.


Now the customer also want the cisco phone is authenticate from ISE. the physical connection is that: the cable connect to phone from switch. and one cable is connec from phone to pc.(standard physiacl connection.)

I create new authentication policy and use mab, and  new authorization police.

The problem is : the phone is authenticate is normally but the wired user want to authenticate but it can not authenticate.

Can someone provide me a best practice configuration on ise and switch for phone and wired user authentication. or please say the source of problem.




can you share the switch side

can you share the switch side port configurations? also  show  the output of

show authentication sessions interface fastEthernet..

Community Member

interface GigabitEthernet1/0

interface GigabitEthernet1/0/48
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 14
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 20
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast


do you need ISE configuration??

Community Member

I would use <authentication

I would use <authentication host-mode multi-auth> with caution. With that state it is possible for a switch or hub to be attached to the phone and multiple devices attached to the hub.

With <authentication host-mode multi-domain> you restrict it to one device per domain. 1 phone and 1 data device. any more then that and the port is err-disabled.

Cisco Employee

Your switch interface

Your switch interface configuration seems to be fine for authenticating Phone with PC connected behind it.If you can provide screenshot of live authentication then we can find the reason why its failing

Community Member

please provide me any

please provide me any documentation how configure ip phone and behind the pc from ISE. i did not find any documentation.

Cisco Employee

Can you provide the output

Can you provide the output from the following command:

show authentication session interface interface_name

Replace the interface_name the the interface that the phone/pc are connecting

Also, please proivde answers to the following questions:

1. What happens if you plug in the PC directly (bypassing the phone)

2. Model and firmware of Cisco Phone

3. PC OS type and supplicant used

4. Make, model and OS version of switch


Thank you for rating helpful posts!

Community Member

Thank you your helping. When

Thank you your helping.


When i connect only pc on that port of switch the authentication is OK(normal working). when i connect both of them the same port the phone is authenticate normaly. the pc want to authenticate but it can not. i think it is oouthorization problems. do you need ise configuration??


Pc: windows 7

Sw:Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE7,

I can connect remotely the sites. i will send you the others information asap.


Cisco Employee

The more info you provide the

The more info you provide the better :) In addition to what I already requested please post screen shots from the live authenticaiton screen and then screen shot from the detailed screen for the mac address of the PC (when it fails authenticaiton). 

CreatePlease to create content