Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

802.1x authetication when PC is connected to the back of the IP phone

I am testing 802.1x authentication MAC address bypass feature to allow dynamic vlan allocation based on the MAC address We are converting cat OS based 65ks to IOS based . The plan is to replace VMPS with 802.1x MAC bypass feature . Everything works great if the PCs are directly connected to the switch port. If the PC is connected to the back of the IP Phone, it will be put on the right vlan the very first time. When that PC is moved to some other port (to the back of some other IP phone) on the same switch , the swith throws an error message saying its a security voilation because the a secure MAC address is alreay present in MAC table for another port for the same vlan. This is because when the PC was diconnected the switch port stayed up apparently causing the switch not to clear the mac-address enrty. If the PC is directly connected to the switch , the port will go down and the MAC entry would be deleted.

This allows the same device to be plugged to other ports , and put in the same vlan on the same switch. Any ideas how to work around this problem??

4 REPLIES
Community Member

Re: 802.1x authetication when PC is connected to the back of the

Yes, there is a timer you can set that will flush inactive MACs out of the table theat 802.1X creates. There is also a command you can use to flush it manually.

http://www.cisco.com/en/US/partner/docs/routers/7600/ios/12.2SXF/configuration/guide/dot1x.html

Brian ": )

Community Member

Re: 802.1x authetication when PC is connected to the back of the

Hi Brian,

Thanks for the info . I tried clear mac-address-table dynamic, but it didnt help. The only way to get rid of it was to reboot the switch. This doesnt even come close to the transparency and resiliency provide by VPMS and CISCO stopped VMPS server support on 65k IOS . We dont want to be clearing MACs everytime a user moves to different ports.

Just a thought :-)

-Rakesh

Re: 802.1x authetication when PC is connected to the back of the

Cisco added 802.1x Proxy EAPOL-Logoff to some of its IP Phones. It works by sending an 802.1x EAPOL-Logoff message when the PC is disconnected.

http://www.cisco.com/en/US/products/hw/phones/ps379/prod_release_note09186a0080621244.html#wp1152927

I'm not sure if any other vendors have added this funtionality to their IP Phones?

Andy

Community Member

Re: 802.1x authetication when PC is connected to the back of the

Hi Andy,

That was helpful. Atlest we now have a potential workaround. Right now the only way is to either reboot the switch or diable/enable the switch port conencting the IPphone and the PC (atelast that's what I figured )

-Rakesh

298
Views
4
Helpful
4
Replies
CreatePlease to create content