https://community.cisco.com/t5/network-security/nac-bypassing-ip-phone-switch/m-p/316186#M790649 <HTML><HEAD></HEAD><BODY><P>It might also be the use of trunking between the switch and the router. If you have trunking, remove it and use the connection between the two devices, router and switch, as an access port only.</P><P></P><P>Let me know if this works out for you.</P><P></P><P>Also, any other devices on the switch that the NAC identifies?</P></BODY></HTML> Fri, 08 Apr 2005 15:13:52 GMT stevanp 2005-04-08T15:13:52Z https://community.cisco.com/t5/network-security/nac-bypassing-ip-phone-switch/m-p/316185#M790641 <P>On NAC configuration (1751 router )</P><P>i try to bypass IP Phone configuring ip phone identification with :</P><P></P><P>identity profile eapoudp</P><P>device authorize type cisco ip phone policy ip_phone</P><P>identity policy ip_phone</P><P>access-group nac_ip_phone_acl</P><P>eou allow clientless</P><P>!</P><P>!</P><P>ip access-list extended nac_ip_phone_acl</P><P>permit ip any any</P><P></P><P></P><P>If IP Phone is directly connected to the router the identity profile is metched and NAC work fine .</P><P>But if IP Phone is connected to a switch port (C3550)and router is connected to another switch port (C3550) router NAC fail to identify device IP Phone.</P><P>I think because router CDP don't see IP Phone but i am not shure.</P><P>Is there anyone who can lend me a hand ???</P><P></P><P></P> Fri, 21 Feb 2020 08:03:47 GMT https://community.cisco.com/t5/network-security/nac-bypassing-ip-phone-switch/m-p/316185#M790641 slupetti 2020-02-21T08:03:47Z https://community.cisco.com/t5/network-security/nac-bypassing-ip-phone-switch/m-p/316186#M790649 <HTML><HEAD></HEAD><BODY><P>It might also be the use of trunking between the switch and the router. If you have trunking, remove it and use the connection between the two devices, router and switch, as an access port only.</P><P></P><P>Let me know if this works out for you.</P><P></P><P>Also, any other devices on the switch that the NAC identifies?</P></BODY></HTML> Fri, 08 Apr 2005 15:13:52 GMT https://community.cisco.com/t5/network-security/nac-bypassing-ip-phone-switch/m-p/316186#M790649 stevanp 2005-04-08T15:13:52Z https://community.cisco.com/t5/network-security/nac-bypassing-ip-phone-switch/m-p/316187#M790661 <HTML><HEAD></HEAD><BODY><P>All switch ports are access port and router ,phone are the only devices .</P><P>I think the CDP is protocol with the router identify Phone ,if this is true , router don't see Phone </P></BODY></HTML> Sat, 09 Apr 2005 07:32:44 GMT https://community.cisco.com/t5/network-security/nac-bypassing-ip-phone-switch/m-p/316187#M790661 slupetti 2005-04-09T07:32:44Z https://community.cisco.com/t5/network-security/nac-bypassing-ip-phone-switch/m-p/316188#M790691 <HTML><HEAD></HEAD><BODY><P>Yes - you are right.</P><P></P><P>The router can use CDP to discover a phone and apply it to your clientless group. </P><P></P><P>When the same phone plugs into a switch, the CDP packets are not forwarded by the switch to the router, so the router is not able to use CDP to have the phone be clientless.</P><P></P><P>So what are the possible solutions?</P><P></P><P>I would guess that I would permit access to the DHCP server for the IP Phone vlan on the default interface ACL. I would place my phones and PCs in seperate Vlans and then exempt the ip addresses from the phone vlans from NAC.</P><P></P><P>Does this sound feasible?</P><P></P><P>thanks</P><P>peter</P></BODY></HTML> Tue, 12 Apr 2005 16:59:53 GMT https://community.cisco.com/t5/network-security/nac-bypassing-ip-phone-switch/m-p/316188#M790691 pcomeaux 2005-04-12T16:59:53Z https://community.cisco.com/t5/network-security/nac-bypassing-ip-phone-switch/m-p/316189#M790707 <HTML><HEAD></HEAD><BODY><P>All,</P><P></P><P>I have similar issue with wireless 7920 IP Phone connecting to 871W when I apply admission to BVI1 interface. Does any know if NAC is supported for 7920 wireless? TIA </P><P></P><P>!</P><P>identity profile eapoudp</P><P> device authorize type cisco ip phone policy VoicePolicy</P><P>identity policy VoicePolicy</P><P> access-group VoiceACL</P><P>!</P><P>ip admission name SDM_EOU_1 eapoudp inactivity-time 60</P><P>!</P><P>interface BVI1</P><P> ip access-group 100 in</P><P> ip admission SDM_EOU_1</P><P>!</P><P></P></BODY></HTML> Fri, 27 Apr 2007 21:18:27 GMT https://community.cisco.com/t5/network-security/nac-bypassing-ip-phone-switch/m-p/316189#M790707 cko 2007-04-27T21:18:27Z