06-03-2010 06:14 AM - edited 03-06-2019 11:24 AM
We are deploying dot1x in a relatively large network. We are going to use PEAP-TLS machine authentication (no user auth) with mac-address bypass. How do we handle ip-phones in this scenario? Do we need to authenticate the phone with PEAP-TLS or can we use mac-address authentication for the phones? How do we handle the voice vlan on a dot1x enabled port? Will the static command `voice vlan xxx` work on a dot1x enabled port, and is this a security issue?
06-15-2010 03:35 AM
Hi Kaare,
It is now possible to authenticate the phone against Cisco ACS using either EAP-MD5 or EAP-FAST; this assumes that your access switches are reasonably new and support MDA (multi-domain authentication). I will try and post some documentation on how this is achieved, as I had a case open with TAC who were able to get this scenario working for us.
Having said that, MAC Auth Bypass is a perfectly acceptable option, as is putting the phones into a guest vlan.
Kind Regards
Elliott
06-15-2010 08:35 AM
Hi,
Check out the link below for IP phone configuration with 802.1x integration:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post