08-28-2015 11:39 AM - edited 03-10-2019 11:00 PM
I'm trying to set up 802.1X on a switch with Microsoft NPS Server as the RADIUS server, just for DATA VLAN authentication, no voice VLAN authentication...
When I run the command "authentication host-mode single-host" it doesn't apply the config on the interface. If I run "multi-domain" the config is applied.
The environment is a PC behind a Cisco 6911 IP Phone.
I have this config on the port:
interface FastEthernetX/XX
switchport access vlan XXX
switchport mode access
switchport voice vlan XXX
switchport port-security maximum 3
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
Switch hardware: WS-C2960-48PST-L
Switch IOS: 15.0(2)SE8
08-28-2015 01:59 PM
Hello Daniel,
Single-host mode is the default mode when you enable dot1x on a switchport; that might be the reason you do not see it when you try to enable it. Try to execute the following command to make completely sure this is the host mode being used:
show authentication session interface <interface> detail.
Now, if you are implementing an IP phone and a PC, it would be best to use "Multi-domain", since single-host used to be implemented on old IOS codes when the CDPBypass feature was available, but with "Multi-domain" you will enforce phone and PC authentication.
08-31-2015 10:50 AM
Hello Ivan,
Thanks for your reply. I tested connecting just the phone to the switch; below is the output. It's trying to authenticate to the data domain, even with the voice VLAN set up on the interface. How can I set it up to not authenticate IP phones?
Interface: FastEthernet0/20
MAC Address: c062.6b63.01cc
IP Address: Unknown
User-Name: CP-6911-SEPC0626B6301CC
Status: Authz Failed
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0852080000011814BA4A38
Acct Session ID: 0x0000019F
Handle: 0xF6000119
Runnable methods list:
Method State
dot1x Authc Failed
08-31-2015 10:58 AM
Hello Daniel,
That used to be accomplished by a feature called CDPBypass, but it has been deprecated due to the following reasons:
• Lack of Visibility: Phones are effectively invisible since they access the network without generating any kind of accounting record or syslog.
• Lack of Access Control: Since the phones are not authenticated, their identity is not validated prior to allowing access. Anyone who can spoof CDP can access the voice network.
• Lack of Authorization: Without an authentication event, the phone cannot be authorized with a dynamic ACL or dynamic VLAN.
• Incompatibility: CDP Bypass cannot be used with WebAuth or dynamic ACL assignment for data devices.
• No support for 3rd party phones: CDP Bypass only works with Cisco phones.
• Not supported across all switch platforms: The 3560e and 3750e platforms do not support CDP Bypass.
So on new IOS codes you will need to authenticate the IP phones as well; there is no option to bypass the authentication for them.
Just as a suggestion for a single phone and PC, the best option is to use "Multi-domain", and you need to make sure that the RADIUS server is sending the attribute "device-traffic-class=voice" for the IP phone to be assigned to the voice VLAN.
Note: Please mark as answered if it applies.
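As an added example (not code from either poster), a small Python audit that parses the "show authentication sessions ... detail" output Daniel pasted and flags the three conditions discussed in this thread: a failed authorization, a phone identity landing in the DATA domain, and single-host mode on a phone+PC port. The phone-identity pattern (CP-/SEP prefix) and the expected "Authz Success" status string are assumptions.

```python
import re

# Constructed sample: the session output quoted in the thread (phone alone on the port).
PHONE_SESSION = """\
Interface: FastEthernet0/20
MAC Address: c062.6b63.01cc
IP Address: Unknown
User-Name: CP-6911-SEPC0626B6301CC
Status: Authz Failed
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Runnable methods list:
Method State
dot1x Authc Failed
"""

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]+?):\s*(.*)$")
# Assumption: Cisco IP phones present EAP identities like CP-6911-SEP<MAC>.
PHONE_ID_RE = re.compile(r"^(CP-|SEP)", re.IGNORECASE)

def parse_session(text):
    """Return the 'Key: value' fields of one session; method rows go under 'methods'."""
    session, methods, in_methods = {}, [], False
    for line in text.splitlines():
        if line.startswith("Runnable methods list"):
            in_methods = True          # everything after this is the method table
            continue
        if in_methods:
            parts = line.split()
            if len(parts) >= 2 and parts[0] != "Method":   # skip the table header
                methods.append((parts[0], " ".join(parts[1:])))
            continue
        m = KV_RE.match(line)
        if m:
            session[m.group(1).strip()] = m.group(2).strip()
    session["methods"] = methods
    return session

def audit_session(session):
    """Flag the misconfigurations discussed in the thread; an empty list means the port looks healthy."""
    findings = []
    if session.get("Status") != "Authz Success":
        findings.append("status is %r; check the NPS policy and method results %r"
                        % (session.get("Status"), session["methods"]))
    is_phone = bool(PHONE_ID_RE.match(session.get("User-Name", "")))
    if is_phone and session.get("Domain") != "VOICE":
        findings.append("phone identity in %s domain; RADIUS must return device-traffic-class=voice"
                        % session.get("Domain"))
    if is_phone and session.get("Oper host mode") == "single-host":
        findings.append("single-host mode on a phone+PC port; use authentication host-mode multi-domain")
    return findings
```

Run `audit_session(parse_session(...))` over the pasted output of each port; a port where the phone is correctly authorized into VOICE under multi-domain returns no findings.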