Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1218
Views
0
Helpful
4
Replies

dot1x with voice vlan

rashad_cisco
Level 1
Level 1

‎10-31-2013 04:29 AM - edited ‎03-10-2019 12:07 AM

Hi guys,

recently i have configured the dot1x security feature on the cisco c3650x switches with IOS 15.2(1)E. But when I added voice vlan to the port, the ip phone can't register.

My switch port configuration as below:

interface GigabitEthernet0/47

switchport mode access

switchport voice vlan 60

switchport port-security maximum 2

switchport port-security

switchport port-security aging time 1

switchport port-security violation restrict

switchport port-security aging type inactivity

switchport port-security mac-address sticky

srr-queue bandwidth share 10 10 60 20

queue-set 2

priority-queue out

authentication event fail action authorize vlan 203

authentication event no-response action authorize vlan 203

authentication host-mode multi-host

authentication port-control auto

mls qos trust device cisco-phone

mls qos trust cos

macro description USER

dot1x pae authenticator

auto qos voip cisco-phone

spanning-tree portfast

spanning-tree bpduguard enable

service-policy input AutoQoS-Police-CiscoPhone

Guys, please advice is there any other feature shuld be activated on swith to resolve this issue? i done all configuration on guidance of cisco documents.

BR

Rashad

Labels:
0 Helpful
4 Replies 4

Karsten Iwen
VIP
VIP

‎10-31-2013 04:34 AM

At least you have to specify the right host-mode for the switchport:

authentication host-mode multi-domain


And if you are running .1x, you don't need port-security any longer.

You find many information in the "Cisco IOS Quick Reference Guide for IBNS":

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_c27-574041.pdf

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

rashad_cisco
Level 1
Level 1
In response to Karsten Iwen

‎10-31-2013 04:54 AM

I just changed the multi-host mode to multi-domain and removed all port-security features under port. But again the same thing.

BR

Rashad

0 Helpful

Karsten Iwen
VIP
VIP
In response to rashad_cisco

‎10-31-2013 05:14 AM

What do you see on the RADIUS-Server when the phone tries to authenticate?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

rashad_cisco
Level 1
Level 1
In response to Karsten Iwen

‎10-31-2013 06:44 AM

just nothing.

BR

Rashad

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents