topic Looking for options for in Network Access Control

801.x and AVAYA

lel_chavez — Wed, 13 Mar 2019 00:38:34 GMT

Hey everyone, I was wondering if someone could help me. I am trying to implement 801.x port security in my network. In our switch ports we have an IP AVAYA phone connected and a workstation connected to the IP phone. I enable dot1x authentication on the ports specifying the data vlan and the voice vlan. I configure the avaya phone 1608 in pass-thru mode, so that the authetication is forwaded to the PC. Supposedly, the phone would be able to connect without any authentication but it doesn't! I can't communicate with the dhcp server to get an ip:

here is what I configure on the switch ports:

interface FastEthernet1/0/2

switchport access vlan 200

switchport mode access

switchport voice vlan 45

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x violation-mode protect

spanning-tree portfast

thanx for the help!!!

Re: 801.x and AVAYA

lel_chavez — Fri, 06 Nov 2009 17:47:50 GMT

Is there a way I can exclude any authentication on the voice VLAN but implement the dot1x for the data vlan on the same port? I would like to have authentication only for the workstation attached to the phone...\

Thanx so much for your help!

Re: 801.x and AVAYA

Jagdeep Gambhir — Fri, 06 Nov 2009 18:04:36 GMT

You can go for Multiple-Hosts Mode

In multiple-hosts mode, you can attach multiple hosts to a single 802.1X-enabled port. Figure 39-4 shows 802.1X port-based authentication in a wireless LAN. In this mode, only one of the attached clients must be authorized for all clients to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network access to all of the attached clients. In this topology, the wireless access point is responsible for authenticating the clients attached to it, and it also acts as a client to the switch.

With multiple-hosts mode enabled, you can use 802.1X authentication to authenticate the port and port security to manage network access for all MAC addresses, including that of the client.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html#wp1308773

Regards,

~JG

Do rate helpful posts

Re: 801.x and AVAYA

scadora — Fri, 06 Nov 2009 20:40:56 GMT

You will need to configure the port for multi-domain-authentication host-mode and authenticate the workstation *and* the Avaya phone via 802.1X or MAB.

Here is a link for configuring MDA:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/sw8021x.html#wp1335550

Hope that helps,

Shelly

Re: 801.x and AVAYA

Jatin Katyal — Fri, 06 Nov 2009 21:57:41 GMT

Hi,

As you stated in your second post that you only want to authenticate your pc behind the phone so I would suggest you to configure ports with multi-host command.

And for Phone you need to configure MAB (mac authentication bypass)

On the radius\ACS server you need to add the phone mac address as username and password.

Username:aabbcc112233

password:aabbcc112233

Mac format: aabbcc112233

In case you want to authenticate your Phone and PC via 802.1x then you may go through this:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA

Configuring Avaya phone for MDA

http://www.avaya.com/usa/resource/assets/applicationnotes/802_1x_ciscomda.pdf

HTH

Plz rate helpful posts-

Re: 801.x and AVAYA

lel_chavez — Fri, 06 Nov 2009 23:16:16 GMT

Hey JK, thanx for your help. Is there a way that the phone doesn't even have to do the MAB? just plugit in and then voila!

thanx!

Looking for options for

thompson318 — Mon, 08 Dec 2014 21:34:54 GMT

Looking for options for similar options...

I have 802.1x working fine, need to work around the Avaya IP phones for a remote office..

interface GigabitEthernet0/2
switchport access vlan xxx
switchport mode access
switchport voice vlan yyy
priority-queue out
authentication event fail retry 5 action authorize vlan zzz
authentication event server dead action authorize vlan xxx
authentication event no-response action authorize vlan xxx
authentication event server alive action reinitialize
authentication port-control auto
authentication periodic
authentication timer reauthenticate 4000
no snmp trap link-status
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
end