04-20-2016 05:30 AM - edited 03-10-2019 11:41 PM
Hi All,
We are configuring Dynamic VLAN 802.1x authentication for our domain users using Windows 2008 server as authentication server and cisco catalyst switch 2960 as the authenticator.
Authentication is working fine when we directly connect the user laptops to the 802.1x enabled port.
Now, authentication is failing when we connect the client machine via an Avaya 9608 IP-Phone (802.1x-enabled port --> IP phone --> Client PC).
I need your help on how to bypass 802.1x authentication for the IP phone alone, and the configuration to achieve the same.
Thanks in advance,
Gowtham Elamurugan
04-21-2016 06:44 PM
Hi Gowtham-
A couple of options come to mind:
1. You can configure the switchport(s) for multi-host authentication mode with the following command:
authentication host-mode multi-host
The multi-host command will instruct the switch to allow any MAC addresses that it sees on the port, as long as at least one MAC address is authenticated and authorized. This is not as secure but it will
2. Configure MAB (MAC Authentication Bypass). This will allow the Avaya phone to authenticate itself with its MAC address. The drawback here is that you will have to manually maintain a MAC address database, and it is also not very secure.
3. Configure 802.1x on the Avaya phones. I am not sure if this is possible, as I have not done this with Avaya phones, but I have done it many times with Cisco IP Phones. From a quick Google search, it appears that certain Avaya phones do support EAP-TLS:
https://downloads.avaya.com/css/P8/documents/100178129
I hope this helps!
Thank you for rating helpful posts!
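As an added illustration of options 1 and 2 above (not part of the reply), here is the relevant Cisco IOS access-port configuration on a Catalyst 2960: multi-domain mode admits exactly one device in the voice VLAN and one in the data VLAN, and MAB lets the phone authenticate by MAC address while the PC still does 802.1x. The RADIUS server address and key, the VLAN IDs and the interface name are placeholders.

```cisco
! Added example, not from the reply: Cisco IOS on a Catalyst 2960.
! RADIUS address/key, VLAN numbers and interface are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE-ME
dot1x system-auth-control
!
interface GigabitEthernet0/1
 description Avaya 9608 with a PC daisy-chained behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Option 1 would be "authentication host-mode multi-host": once one
 ! device authenticates, every MAC address seen on the port is allowed.
 ! multi-domain instead limits the port to one voice and one data device.
 authentication host-mode multi-domain
 ! Try 802.1x first; fall back to MAB (option 2) only if the device
 ! never answers the EAP request, as a phone without a supplicant will.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! Shorter EAP retry so a silent phone reaches MAB sooner than the
 ! default 3 x 30 s.
 dot1x timeout tx-period 10
 spanning-tree portfast
```

For the phone to land in the voice domain, the RADIUS server must return the Cisco AV-pair device-traffic-class=voice for its MAC-based session, and show authentication sessions interface GigabitEthernet0/1 shows which method and domain each device ended up in.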
04-25-2016 06:26 AM
Hi Neno,
Thanks for the idea, and I tried it. But the customer has their own password policy, which supports upper, lower and numerical passwords only.
So I am unable to register the IP-Phone's MAC address as the password. Because of this, I can't deploy MAB as well as Multi-Domain.
I have registered the IP-Phone in the domain as a user and enabled the 802.1x option in the IP-Phone. After boot-up it asks for a password for dot1x authentication, but only numbers can be entered.
So, dot1x is also not possible.
Is there any other possible authentication method for bypassing the IP-Phone for voice and enabling dot1x for the PC behind the phone?
It will be very helpful if you have any suggestions.
Thanks in advance.
Gowtham.
04-25-2016 10:26 AM
What about using EAP-TLS with certificates instead of username/password?
If that is not an option, then I am unaware of any other options.
Thank you for rating helpful posts!