https://community.cisco.com/t5/network-access-control/802-1x-port-authentication-ip-phone-bypass/m-p/4748532#M579051 <P>We need to find a way of bypassing 802.1x port authentication for Avaya IP phones.&nbsp; The switch ports on our Cisco 9200 switches all have 802.1x authentication with NPS acting as the radius (No ISE or ACS servers).</P> <P>This works fine for PC's/Laptops when plugged in but doesn't work when plugging in Avaya phones and piggy backing the laptop through the phone.</P> <P>I'm aware of how to achieve this using host-mode&nbsp;<SPAN>multi-domain and MAB when an ACS server is used but we have Microsoft NPS running instead.</SPAN></P> <P>Separating laptops and phones in to separate switches/ports is not an option as we would have to find another 500 ports.</P> Tue, 03 Jan 2023 14:22:06 GMT andy_4578 2023-01-03T14:22:06Z https://community.cisco.com/t5/network-access-control/802-1x-port-authentication-ip-phone-bypass/m-p/4748532#M579051 <P>We need to find a way of bypassing 802.1x port authentication for Avaya IP phones.&nbsp; The switch ports on our Cisco 9200 switches all have 802.1x authentication with NPS acting as the radius (No ISE or ACS servers).</P> <P>This works fine for PC's/Laptops when plugged in but doesn't work when plugging in Avaya phones and piggy backing the laptop through the phone.</P> <P>I'm aware of how to achieve this using host-mode&nbsp;<SPAN>multi-domain and MAB when an ACS server is used but we have Microsoft NPS running instead.</SPAN></P> <P>Separating laptops and phones in to separate switches/ports is not an option as we would have to find another 500 ports.</P> Tue, 03 Jan 2023 14:22:06 GMT https://community.cisco.com/t5/network-access-control/802-1x-port-authentication-ip-phone-bypass/m-p/4748532#M579051 andy_4578 2023-01-03T14:22:06Z https://community.cisco.com/t5/network-access-control/802-1x-port-authentication-ip-phone-bypass/m-p/4748569#M579052 <P>&nbsp;</P> <P>&nbsp;- Review this thread :&nbsp;<A href="https://community.cisco.com/t5/network-access-control/802-1x-authentication-for-cisco-2960-and-avaya-ip-phone/td-p/2876422" target="_blank">https://community.cisco.com/t5/network-access-control/802-1x-authentication-for-cisco-2960-and-avaya-ip-phone/td-p/2876422</A></P> <P>&nbsp;M.</P> Tue, 03 Jan 2023 15:39:31 GMT https://community.cisco.com/t5/network-access-control/802-1x-port-authentication-ip-phone-bypass/m-p/4748569#M579052 Mark Elsen 2023-01-03T15:39:31Z https://community.cisco.com/t5/network-access-control/802-1x-port-authentication-ip-phone-bypass/m-p/4748577#M579053 <P>check below Blog :</P> <P><A href="https://mikepembo.wordpress.com/2016/11/07/dynamic-vlan-assignment-cisco-and-nps/comment-page-1/" target="_blank">https://mikepembo.wordpress.com/2016/11/07/dynamic-vlan-assignment-cisco-and-nps/comment-page-1/</A></P> <P><A href="https://mikepembo.wordpress.com/2016/11/14/802-1x-mac-authentication-bypass-mab-to-an-nps-server/" target="_blank">https://mikepembo.wordpress.com/2016/11/14/802-1x-mac-authentication-bypass-mab-to-an-nps-server/</A></P> <P>&nbsp;</P> Tue, 03 Jan 2023 15:50:18 GMT https://community.cisco.com/t5/network-access-control/802-1x-port-authentication-ip-phone-bypass/m-p/4748577#M579053 balaji.bandi 2023-01-03T15:50:18Z https://community.cisco.com/t5/network-access-control/802-1x-port-authentication-ip-phone-bypass/m-p/4749141#M579065 <P>Configuring MAC Authentication Bypass for the Avaya phones is an option, but the responses above would be better.</P> Wed, 04 Jan 2023 15:43:16 GMT https://community.cisco.com/t5/network-access-control/802-1x-port-authentication-ip-phone-bypass/m-p/4749141#M579065 Delano Thompson 2023-01-04T15:43:16Z https://community.cisco.com/t5/network-access-control/802-1x-port-authentication-ip-phone-bypass/m-p/4749517#M579079 <P>Hi All,</P> <P>Thanks for the responses, im still working on getting MAB working with NPS, without the phone in play 802.1x works perfectly along with automatic vlan assignment - adding the phone to the mix just shuts down the switchport at the point the phone tries to register on the network, the port then goes to an err-disable state. It might be a firmware issue on the phones although the managed by another company so cant change it.</P> <P>Also creating a connection request policy in NPS for each of the phone/MAC might be a bit much.&nbsp;&nbsp;</P> Thu, 05 Jan 2023 10:24:54 GMT https://community.cisco.com/t5/network-access-control/802-1x-port-authentication-ip-phone-bypass/m-p/4749517#M579079 andy_4578 2023-01-05T10:24:54Z