01-17-2019 12:57 PM - edited 03-17-2019 01:58 PM
Hello everyone,
On a network with 802.1x on all switch ports, when I connect a newly configured phone it will not register ("Verify Network Connection" message on the phone) unless I take out the switch command line authentication port-control auto. Once I issue a "no" on that command the phone can find CUCM and register. If I put it back in after it registers, the phone de-registers. Anyone know what I can do to keep this line in AND have the phone register?
Thanks in advance!!!
01-17-2019 01:09 PM
Can you post the configuration to have a look?
01-17-2019 01:19 PM
switchport access vlan 111
switchport mode access
switchport voice vlan 222
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 111
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 5
auto qos voip cisco-phone
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
spanning-tree bpduguard enable
01-18-2019 11:45 AM
The QoS configuration aside, the port looks to be configured fine for 802.1x. There are other configurations you need to make sure exist on the switch, such as "dot1x system-auth-control" and RADIUS configuration (radius servers, dot1x configuration for aaa, etc.).
We are missing quite a few details though. Assuming your configuration is correct outside the specific interface you've pasted, you may want to check if any RADIUS traffic is leaving from your switch and encapsulating EAPOL traffic for the phone port.
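The cross-check this reply describes, as an added example that is not part of the original thread: it reads a running-config and, for each port with authentication port-control auto, lists which global prerequisites ("dot1x system-auth-control", AAA and RADIUS definitions) and interface commands are absent. The interface name, the RADIUS server name and the exact command forms matched are assumptions, and the sample config is constructed.

```python
import re
# Global prerequisites named in the reply; the command forms matched are assumptions.
GLOBAL_CHECKS = {
    "aaa new-model": r"aaa new-model$",
    "aaa authentication dot1x": r"aaa authentication dot1x \S+ group \S+",
    "dot1x system-auth-control": r"dot1x system-auth-control$",
    "radius server definition": r"radius server \S+|radius-server host \S+",
}

def split_config(text):
    """Split a running-config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line[0].isspace() and current is not None:
            current.append(line.strip())
        elif not line[0].isspace():
            global_lines.append(line.rstrip())
            current = None  # an unindented line ends the interface section
    return global_lines, interfaces

def audit(text):
    """Map each port with 'authentication port-control auto' to what is missing."""
    global_lines, interfaces = split_config(text)
    missing = [name for name, pat in GLOBAL_CHECKS.items()
               if not any(re.match(pat, g) for g in global_lines)]
    findings = {}
    for name, cmds in interfaces.items():
        if "authentication port-control auto" in cmds:
            problems = list(missing)
            if "dot1x pae authenticator" not in cmds:
                problems.append("dot1x pae authenticator (interface)")
            if "authentication order dot1x mab" in cmds and "mab" not in cmds:
                problems.append("mab (interface)")
            findings[name] = problems
    return findings

# Constructed sample: hypothetical interface and RADIUS server names.
SAMPLE = """aaa new-model
aaa authentication dot1x default group radius
radius server EXAMPLE-RADIUS
interface GigabitEthernet1/0/10
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator"""
print(audit(SAMPLE), audit("dot1x system-auth-control\n" + SAMPLE))
```

An empty list for a port means only that these commands are present; it says nothing about whether the RADIUS server's policy authorizes the phone.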
01-18-2019 10:49 AM
The authentication port-control auto command is what controls whether your device must authenticate with your authentication servers, such as Cisco ISE. Depending on your authentication server setup, the device is allowed or denied access to the network. If you want to make sure your device can access the network with that in place, you need to consult with your Admin of that authentication server to make sure everything is in place to allow the device access. Without knowing what you are using, it is impossible to get any more detailed than that.