802.1x Authentication for Cisco 2960 and avaya ip phone

gowtham01
Level 1

Hi All,

We are configuring Dynamic VLAN 802.1x authentication for our domain users using Windows 2008 server as authentication server and cisco catalyst switch 2960 as the authenticator.

Authentication is working fine when we directly connect the user laptops to the 802.1x enabled port.

Now, authentication is failing when we connect the client machine via an Avaya 9608 IP-Phone (802.1x enabled port --> IP phone --> Client PC).

Need your help on how to bypass 802.1x authentication for IP phone alone and the configuration to achieve the same.

Thanks in advance,

Gowtham Elamurugan


nspasov
Cisco Employee

Hi Gowtham-

A couple of options come to mind:

1. You can configure the switchport(s) for multi-host authentication mode with the following command:

authentication host-mode multi-host

The multi-host command will instruct the switch to allow any mac addresses that it sees on the port, as long as at least one mac address is authenticated and authorized. This is not as secure but it will 

2. Configure MAB (MAC Authentication Bypass). This will allow the Avaya phone to authenticate itself with its mac address. The drawback here is that you will have to manually maintain a mac address database and it is also not very secure.

3. Configure 802.1x on the Avaya Phones. I am not sure if this is possible as I have not done this with Avaya phones, but I have done it many times with Cisco IP Phones. From a quick Google search, it appears that certain Avaya Phones do support EAP-TLS:

https://downloads.avaya.com/css/P8/documents/100178129

I hope this helps!

Thank you for rating helpful posts!
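For reference, here is what options 1 and 2 above look like on a Catalyst 2960 port. This is an added example configuration, not taken from the thread or from any Cisco or Avaya document; the RADIUS address 192.0.2.10, the shared secret, the VLAN numbers and the interface name are constructed placeholders, and the commands assume an IOS release that supports the `authentication` command set.

```text
! --- Global: enable AAA and 802.1X, point at the Windows NPS RADIUS server ---
! (192.0.2.10 and the key are constructed placeholders; replace them)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusKey1
!
! --- Option 2: multi-domain port, PC does 802.1X, phone falls back to MAB ---
interface GigabitEthernet0/5
 description Avaya 9608 with PC behind it (placeholder interface)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! one data device and one voice device allowed on the port
 authentication host-mode multi-domain
 authentication port-control auto
 ! try 802.1X first, then MAB for the phone which cannot do 802.1X
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 ! shorter EAP-Request timeout so the phone reaches MAB sooner
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! --- Option 1 instead: allow every MAC once a single session is authorized ---
! Replace the host-mode line above with:
!  authentication host-mode multi-host
!
! Notes (defender's checklist):
! * For multi-domain, the phone's MAB authorization must come back from RADIUS
!   with the Cisco VSA "device-traffic-class=voice" or the phone is treated as a
!   data device and the second device on the port is rejected.
! * MAB needs a RADIUS account whose username and password are the phone MAC,
!   which is exactly what a strict password policy can block (see the follow-up).
! * Verify per-port state with:
!    show authentication sessions interface GigabitEthernet0/5
!    show dot1x interface GigabitEthernet0/5 details
```

With multi-domain, only one data MAC and one voice MAC are accepted, so a hub or a second PC behind the phone triggers a security violation; multi-host drops that limit, which is the reduced security the reply above refers to.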

Hi Neno,

Thanks for the idea and I tried it. But the Customer has their own password policy which supports upper, lower and numerical passwords only.

So, I am unable to register the IP-Phone's mac-address as password. Because of this, I can't deploy MAB as well as Multi-Domain.

I have registered the ip-phone in the domain as a user and enabled the 802.1x option in the ip-phone. After boot up it is asking for a password for dot1x authentication, but only numbers can be entered.

So, dot1x is also not possible.

Is there any other possible authentication method for bypassing the ip-phone for voice and enabling dot1x for the PC behind the phone?

It will be very helpful if you have any suggestions.

Thanks in advance.

Gowtham.

What about using EAP-TLS with certificates instead of Username/password?

If that is not an option, then I am unaware of any other options.

Thank you for rating helpful posts!