https://community.cisco.com/t5/network-access-control/802-1x-authentication-and-phones/m-p/2811189#M45600 <P>I have just begun&nbsp;to roll out 802.1x authentication and am finding that while I got authentication for PC's on the data VLAN to work, phones on the VOICE VLAN are not unless I set "authentication host-mode" to "multi-host". &nbsp;</P> <P>We have been running un-authenticated for 7 years with phones and PC's both working.</P> <P>What I want to do (i.e. what Management has told me to make happen) is have phones connect unauthenticated (accepting CDP to handle correct VLAN assignment) but require PC's to authenticate.&nbsp;</P> <P>I suppose the easy question is; is that even possible? If it is, any advice is greatly appreciated. &nbsp;(switch config is below).</P> <P>Thank you</P> <P>Arch</P> <P></P> <P><BR />!<BR />version 12.2<BR />no service pad<BR />service timestamps debug datetime msec localtime show-timezone<BR />service timestamps log datetime msec localtime show-timezone<BR />service password-encryption<BR />!<BR />hostname switch<BR />!<BR />boot-start-marker<BR />boot-end-marker<BR />!<BR />logging console emergencies<BR />logging monitor emergencies<BR />enable secret 5 *****<BR />!<BR />aaa new-model<BR />!<BR />!<BR />aaa authentication dot1x default group radius<BR />!<BR />!<BR />!<BR />aaa session-id common<BR />clock timezone cst -6<BR />clock summer-time cdt recurring<BR />switch 1 provision ws-c3750g-24ps<BR />system mtu routing 1500<BR />vtp mode transparent<BR />no ip domain-lookup<BR />!<BR />!<BR />ip igmp snooping vlan 41 mrouter interface Gi1/0/27<BR />ip igmp snooping vlan 41 mrouter interface Gi1/0/28<BR />!<BR />mls qos omitted<BR />!</P> <P>spanning-tree mode pvst<BR />spanning-tree extend system-id<BR />!<BR />vlan internal allocation policy ascending<BR />!<BR />vlan 13<BR /> name data-VLAN<BR />!<BR />vlan 857<BR /> name voice-VLAN<BR />!<BR />vlan 1611<BR /> name guest-VLAN<BR />lldp run<BR />!<BR />!<BR />class-map match-all AutoQoS-VoIP-RTP-Trust<BR />match ip dscp ef<BR />class-map match-all AutoQoS-VoIP-Control-Trust<BR /> match ip dscp cs3 af31<BR />!<BR />!<BR />policy-map AutoQoS-Police-CiscoPhone<BR /> class AutoQoS-VoIP-RTP-Trust<BR /> set dscp ef<BR /> police 320000 8000 exceed-action policed-dscp-transmit<BR /> class AutoQoS-VoIP-Control-Trust<BR /> set dscp cs3<BR /> police 32000 8000 exceed-action policed-dscp-transmit<BR />!<BR />!<BR />!<BR />interface GigabitEthernet1/0/1<BR /> switchport access vlan 13<BR /> switchport mode access<BR /> switchport voice vlan 857<BR /> switchport port-security violation protect<BR /> srr-queue bandwidth share 10 10 60 20<BR /> srr-queue bandwidth shape 10 0 0 0<BR /> queue-set 2<BR /> priority-queue out<BR /> authentication control-direction in<BR /> authentication event no-response action authorize vlan 1611<BR /> authentication host-mode multi-host<BR /> authentication port-control auto<BR /> authentication violation protect<BR /> mls qos trust device cisco-phone<BR /> mls qos trust cos<BR /> auto qos voip cisco-phone<BR /> dot1x pae authenticator<BR /> spanning-tree portfast<BR /> service-policy input AutoQoS-Police-CiscoPhone<BR />!<BR />interface GigabitEthernet1/0/2<BR />!<BR />interface GigabitEthernet1/0/3<BR />!<BR />interface GigabitEthernet1/0/4<BR />!<BR />interface GigabitEthernet1/0/5<BR />!<BR />interface GigabitEthernet1/0/6<BR />!<BR />interface GigabitEthernet1/0/7<BR />!<BR />interface GigabitEthernet1/0/8<BR />!<BR />interface GigabitEthernet1/0/9<BR />!<BR />interface GigabitEthernet1/0/10<BR />!<BR />interface GigabitEthernet1/0/11<BR />!<BR />interface GigabitEthernet1/0/12<BR />!<BR />interface GigabitEthernet1/0/13<BR />!<BR />interface GigabitEthernet1/0/14<BR />!<BR />interface GigabitEthernet1/0/15<BR />!<BR />interface GigabitEthernet1/0/16<BR />!<BR />interface GigabitEthernet1/0/17<BR />!<BR />interface GigabitEthernet1/0/18<BR />!<BR />interface GigabitEthernet1/0/19<BR />!<BR />interface GigabitEthernet1/0/20<BR />!<BR />interface GigabitEthernet1/0/21<BR />!<BR />interface GigabitEthernet1/0/22<BR />!<BR />interface GigabitEthernet1/0/23<BR />!<BR />interface GigabitEthernet1/0/24<BR />!<BR />interface GigabitEthernet1/0/25<BR />!<BR />interface GigabitEthernet1/0/26<BR />!<BR />interface GigabitEthernet1/0/27<BR />!<BR />interface GigabitEthernet1/0/28<BR /> switchport trunk encapsulation dot1q<BR /> switchport trunk allowed vlan 13,857,1611<BR /> switchport mode trunk<BR /> srr-queue bandwidth share 10 10 60 20<BR /> srr-queue bandwidth shape 10 0 0 0<BR /> queue-set 2<BR /> mls qos trust cos<BR /> auto qos voip trust<BR />!<BR />radius-server host 10.1.2.10 auth-port 1645 acct-port 1646<BR />radius-server key 7 ***<BR />radius-server vsa send authentication<BR />end</P> Mon, 11 Mar 2019 06:26:18 GMT astockton 2019-03-11T06:26:18Z https://community.cisco.com/t5/network-access-control/802-1x-authentication-and-phones/m-p/2811189#M45600 Catalyst 3750G new configuration for 802.1x authentication does not allow Cisco Phone on Voice VLAN Mon, 11 Mar 2019 06:26:18 GMT https://community.cisco.com/t5/network-access-control/802-1x-authentication-and-phones/m-p/2811189#M45600 astockton 2019-03-11T06:26:18Z https://community.cisco.com/t5/network-access-control/802-1x-authentication-and-phones/m-p/2811190#M45604 <P>Hi,</P> <P>authentication with PC and Phone needs "<STRONG>authentication host-mode multi-domain</STRONG>". You con use the MAC-Adress or 802.1X (username &amp; password) for authentication of IP-Phone.</P> <P>The authenticatipo profile must send "<STRONG><SPAN style="font-size: 11.0pt; line-height: 115%; font-family: 'Arial','sans-serif';">device-traffic-class=voice</SPAN></STRONG><SPAN style="font-size: 11.0pt; line-height: 115%; font-family: 'Arial','sans-serif';">." to the switch. Then PC is in DATA-DOMAIN and Phone in VOICE-Domain.</SPAN></P> <P><SPAN style="font-size: 11.0pt; line-height: 115%; font-family: 'Arial','sans-serif';"></SPAN></P> <P><SPAN style="font-size: 11.0pt; line-height: 115%; font-family: 'Arial','sans-serif';">see attachment:</SPAN></P> <P></P> Fri, 29 Jan 2016 10:25:34 GMT https://community.cisco.com/t5/network-access-control/802-1x-authentication-and-phones/m-p/2811190#M45604 hdussa 2016-01-29T10:25:34Z https://community.cisco.com/t5/network-access-control/802-1x-authentication-and-phones/m-p/2811191#M45608 <P><SPAN style="font-size: 10pt;">Yes you can do that. When a Cisco IP phone is plugged into a port that is configured with a voice VLAN and single-host mode, the phone is silently allowed onto the network by way of a feature known as CDP Bypass. The phone, or any device, that sends the appropriate type-length-value (TLV) messages in a CDP message is allowed access to the voice VLAN. CDP Bypass is a legacy feature that has been deprecated in favor of MDA for <A href="http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#12033">these reasons.</A></SPAN></P> <P><SPAN style="font-size: 10pt;"></SPAN></P> <P><SPAN style="font-size: 10pt;">HTH</SPAN></P> <P><SPAN style="font-size: 10pt;">~ Jatin</SPAN></P> Sun, 31 Jan 2016 15:10:54 GMT https://community.cisco.com/t5/network-access-control/802-1x-authentication-and-phones/m-p/2811191#M45608 Jatin Katyal 2016-01-31T15:10:54Z https://community.cisco.com/t5/network-access-control/802-1x-authentication-and-phones/m-p/2811192#M45612 <P>Jatin and hdussa,&nbsp;</P> <P>thank you both for the answers. &nbsp;They both pointed me in the right direction and I was able to make MAB work.</P> <P></P> <P>Arch</P> Tue, 02 Feb 2016 19:13:37 GMT https://community.cisco.com/t5/network-access-control/802-1x-authentication-and-phones/m-p/2811192#M45612 astockton 2016-02-02T19:13:37Z https://community.cisco.com/t5/network-access-control/802-1x-authentication-and-phones/m-p/3191052#M45613 <P>Hi,</P><P>The CDP Bypass feature is stoneage solution that is only supported on the old platforms like 2960/3750 but not 3750X. Do you know any other options that can be used to authenticate only the PC but not IP-Phone?</P><P>Exluding:</P><P>MIC</P><P>MAB</P><P>&nbsp;</P> Thu, 28 Sep 2017 13:38:33 GMT https://community.cisco.com/t5/network-access-control/802-1x-authentication-and-phones/m-p/3191052#M45613 amin.amor 2017-09-28T13:38:33Z