
802.1x port authentication - IP Phone bypass

andy_4578
Level 1

We need to find a way of bypassing 802.1x port authentication for Avaya IP phones. The switch ports on our Cisco 9200 switches all have 802.1x authentication with NPS acting as the RADIUS server (no ISE or ACS servers).

This works fine for PCs/laptops when plugged in but doesn't work when plugging in Avaya phones and piggybacking the laptop through the phone.

I'm aware of how to achieve this using host-mode multi-domain and MAB when an ACS server is used, but we have Microsoft NPS running instead.

Separating laptops and phones into separate switches/ports is not an option as we would have to find another 500 ports.

4 Replies

marce1000
VIP

 

 - Review this thread : https://community.cisco.com/t5/network-access-control/802-1x-authentication-for-cisco-2960-and-avaya-ip-phone/td-p/2876422

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Delano Thompson
Level 1

Configuring MAC Authentication Bypass for the Avaya phones is an option, but the responses above would be better.

andy_4578
Level 1

Hi All,

Thanks for the responses. I'm still working on getting MAB working with NPS. Without the phone in play, 802.1x works perfectly along with automatic VLAN assignment; adding the phone to the mix just shuts down the switchport at the point the phone tries to register on the network, and the port then goes to an err-disable state. It might be a firmware issue on the phones, although they're managed by another company so I can't change it.

Also, creating a connection request policy in NPS for each of the phones/MACs might be a bit much.