802.1X authentication

Hi Guys,

Just want to clear up a point: if I have an IP phone and a laptop connected behind it.

Is it possible to only authenticate the laptop and not authenticate the IP phone using MAB or any other dot1x authentication?

Any suggestion is welcome, as we are using and we have a low count of base licenses, hence we are looking for a way to bypass IP phone authentication so it doesn't take up a base license.


Ivan Gonzalez
Cisco Employee

Hi Nitesh,

That used to be a possible option when the CDP Bypass feature was available on older IOS code; however, that feature was removed for the following reasons:

• Lack of Visibility: Phones are effectively invisible since they access the network without generating any kind of accounting record or syslog.

• Lack of Access Control: Since the phones are not authenticated, their identity is not validated prior to allowing access. Anyone who can spoof CDP can access the voice network.

• Lack of Authorization: Without an authentication event, the phone cannot be authorized with a dynamic ACL or dynamic VLAN.

• Incompatibility: CDP Bypass cannot be used with WebAuth or dynamic ACL assignment for data devices.

• No support for 3rd party phones: CDP Bypass only works with Cisco phones.

• Not supported across all switch platforms: The 3560e and 3750e platforms do not support CDP Bypass.

This is documented at the following link:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-605524.html#wp9000480

Note: Please mark it as answered if it helps to clarify your concern.
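To make the visibility and access-control points in the reply above concrete, here is an added audit sketch (not part of the original thread or of Cisco's documentation). It cross-checks MAC addresses learned in the voice VLAN against authentication sessions and reports any that are forwarding without a successful VOICE-domain session. The sample text is constructed and only loosely follows the layout of `show mac address-table` and `show authentication sessions`; voice VLAN 20 and all function names are assumptions.

```python
import re

# Constructed sample CLI output (not from a real switch); voice VLAN 20 is an assumption.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56aa.0001    DYNAMIC     Gi1/0/1
  20    001b.54aa.0002    DYNAMIC     Gi1/0/1
  20    001b.54aa.0003    DYNAMIC     Gi1/0/2
  10    0050.56aa.0004    DYNAMIC     Gi1/0/2
  20    001b.54aa.0005    STATIC      Gi1/0/3
"""
AUTH_SESSIONS = """\
Interface  MAC Address     Method  Domain  Status         Session ID
Gi1/0/1    0050.56aa.0001  dot1x   DATA    Authz Success  0A0A0A0A00000001
Gi1/0/1    001b.54aa.0002  mab     VOICE   Authz Success  0A0A0A0A00000002
Gi1/0/2    0050.56aa.0004  dot1x   DATA    Authz Success  0A0A0A0A00000003
Gi1/0/3    001b.54aa.0005  mab     VOICE   Authz Failed   0A0A0A0A00000004
"""
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def parse_mac_table(text):
    """Return {(port, mac): vlan} for every learned entry; header lines are skipped."""
    rows = re.findall(rf"^[ \t]*(\d+)[ \t]+({MAC})[ \t]+\S+[ \t]+(\S+)[ \t]*$", text, re.I | re.M)
    return {(port, mac.lower()): int(vlan) for vlan, mac, port in rows}

def parse_sessions(text):
    """Return {(port, mac): (method, domain, status)} for every session row."""
    rows = re.findall(rf"^(\S+)[ \t]+({MAC})[ \t]+(\S+)[ \t]+(\S+)[ \t]+(Authz \S+)", text, re.I | re.M)
    return {(p, m.lower()): (meth, dom, st) for p, m, meth, dom, st in rows}

def unauthenticated_voice_hosts(mac_text, session_text, voice_vlan):
    """MACs forwarding in the voice VLAN without a successful VOICE-domain session."""
    sessions = parse_sessions(session_text)
    findings = []
    for (port, mac), vlan in sorted(parse_mac_table(mac_text).items()):
        if vlan != voice_vlan:
            continue
        sess = sessions.get((port, mac))
        if sess is None:
            findings.append((port, mac, "no authentication session"))
        elif sess[1] != "VOICE" or sess[2] != "Authz Success":
            findings.append((port, mac, f"session is {sess[1]}/{sess[2]}"))
    return findings

if __name__ == "__main__":
    for finding in unauthenticated_voice_hosts(MAC_TABLE, AUTH_SESSIONS, voice_vlan=20):
        print(*finding)
```

A device admitted without an authentication event would show up here only in the MAC table, which is the gap the reply describes: no session, no accounting record, and nothing to attach a dynamic ACL or VLAN to.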