topic Re: Using Auto voice VLAN for IP Phone and 802.1x/Guest access passthr in Network Access Control

Using Auto voice VLAN for IP Phone and 802.1x/Guest access passthrough

mdsgnmds — Fri, 30 Dec 2022 08:51:59 GMT

Hello dear experts!

Recently I finally got my order of 3x CBS350-48P-4G switches. So far we were working in a simple and insecure manner - we have one workstation VLAN, IP phones connect directly to the switch ports and via passthrough on the IP Phone we connect our laptops. Now I would like to configure ports that go to our workstations to have the following features:

1) IP Phone itself gets Auto Voice VLAN(10), We use Grandstream GXP2170.

2) If a corporate laptop is connected to passthrough port, it authenticates via 802.1X and gets Workstation VLAN(3).

3) If a device fails 802.1X auth it gets guest network(Vlan 6) for simple internet access.

Now the issues - all these features I have configured and they work fine, if I connect one device directly to the Switch, IP phone gets an Auto Voice VLAN, Workstations get on corporate network and any other devices are assigned the guest network. The issue is when using the passthrough port - If a corporate laptop is connected, it authenticates and get on the internal network, but then so does the phone, that after a while switches to Voice VLAN. If i move the passthrough cable to a non-corporate laptop, the authorisation still is active and that device also gets on the corporate workstation VLAN.

Is there anything I am missing in configuration, or is this simply the issue with my setup and I wont get it to work this way?

Appreciating all thoughts!

Re: Using Auto voice VLAN for IP Phone and 802.1x/Guest access passthr

balaji.bandi — Fri, 30 Dec 2022 12:26:53 GMT

how is your port config - can you post that information

do you have smart port enabled on the port ?

Re: Using Auto voice VLAN for IP Phone and 802.1x/Guest access passthr

Rodrigo Diaz — Fri, 30 Dec 2022 23:04:06 GMT

Hello , I would check if within the port you have multiple authentication configured , as with this feature, both devices connected ( the PC and the ip-phone) will have an independent Radius session within the switchport , also confirm that the feature is valid within the platform where you're working ,

For your reference https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/5700/sec-user-8021x-xe-3se-5700-book/sec-ieee-802x-multi-auth.pdf

I hope it helped you.

Re: Using Auto voice VLAN for IP Phone and 802.1x/Guest access passthr

mdsgnmds — Mon, 02 Jan 2023 08:29:25 GMT

Hello! I have tried it with Smart port enabled and disabled, the working situation I described is with Smartport enabled, seemed to give the best results.

Can you tell me what settings are you interested in? The port is in trunk mode, added workstation vlan(3U) and voip vlan(10T) to it and operational vlans are 3U, 6G(Guest vlan), 10T. Smartport is set to static ip phone + Desktop.

802.1x: Port authentication is set to auto, with guest vlan and 802.1x based auth enabled. Re-auth is set to default 3600 so are other settings. Host and session auth is set to: Multiple Host (802.1X).

Re: Using Auto voice VLAN for IP Phone and 802.1x/Guest access passthr

mdsgnmds — Mon, 02 Jan 2023 11:25:45 GMT

Thank you for the idea, the passthrough port now authenticates nicely and devices that fail authentication get on the guest vlan!

For some reason the auto voice vlan is not assigned anymore for the phone itself, instead it gets on the guest VLAN, but that must be a mistake I have made somewhere while trying to get this to work.