[802.1x Authentication with DATA VLAN and VOICE VLAN]

net buzz · ‎05-22-2018

Dear Support,

I have configured a Cisco switch for 802.1x Authentication with RADIUS NPS.

The switch ports are configured with DATA VLAN and VOICE VLAN.

Only the PCs should authenticate with the RADIUS server and the IP Phones should bypass 802.1x authentication.

The IP Phones are registering successfully and but the PC is having issues with Authorization.

See below switch config and log error messages.

Grateful if someone can advise.

See attached the switch configuration and error messages.

Rob Ingram · ‎05-22-2018

Hi,
Can you send a screenshot of the radius authorisation errors?
Can you enable debugging on the switch "debug radius" and "debug aaa authorization" and upload the output.

If you are bypassing 802.1x for the Phones, do you intend to use MAB?

On the interface 0/1 you have defined an access and voice vlan, but 802.1x is configured to use host mode = single-host.

interface fas0/1
authentication host-mode multi-domain|multi-host|multi-auth*

* = pick one or the 3 host modes

HTH

Tubster123 · ‎06-04-2018

Like RJI say's, you need to change the mode on the port, probably multi-domain.

Single mode – only one mac address learnt on the switchport
Mulit-mode – first mac is authenticated then all others after are allowed to pass
Muliti – domain – 2 vlans data and voice. 1 mac for each vlan
Multi-auth – every separate mac needs to be authenticated (each mac would need a supplicant)

Regards