802.1x single host mode

DanielBrienza
Level 1

I'm trying to set up 802.1x on a switch with Microsoft NPS Server as the RADIUS server, just for DATA VLAN authentication, no voice VLAN authentication...

When I run the command "authentication host-mode single-host" it doesn't apply the config on the interface. If I run "multi-domain", the config is applied.

The environment is a PC behind a Cisco 6911 IP Phone. 

I have this config on the port:

interface FastEthernetX/XX
 switchport access vlan XXX
 switchport mode access
 switchport voice vlan XXX
 switchport port-security maximum 3
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable

Switch hardware: WS-C2960-48PST-L
Switch IOS: 15.0(2)SE8

3 Replies

Ivan Gonzalez
Cisco Employee

Hello Daniel,

The single-host mode is the default mode when you enable dot1x on a switchport; that might be the reason you do not see it when you try to enable it. Try to execute the following command to make completely sure this is the host mode being used:

show authentication session interface <interface> detail

Now, if you are implementing an IP phone and a PC, it would be best to use "Multi-domain", since single-host used to be implemented on old IOS codes when the CDPBypass feature was available, but with "Multi-domain" you will enforce phone and PC authentication.

 

Hello Ivan,

Thanks for your reply. I tested connecting just the phone to the switch; below is the output. It's trying to authenticate to the data domain, even with the voice VLAN set up on the interface. How can I set it up so it doesn't authenticate IP phones?

Interface:  FastEthernet0/20
MAC Address:  c062.6b63.01cc
IP Address:  Unknown
User-Name:  CP-6911-SEPC0626B6301CC
Status:  Authz Failed
Domain:  DATA
Oper host mode:  single-host
Oper control dir:  both
Session timeout:  N/A
Idle timeout:  N/A
Common Session ID:  0A0852080000011814BA4A38
Acct Session ID:  0x0000019F
Handle:  0xF6000119

Runnable methods list:
Method   State
dot1x    Authc Failed

Hello Daniel,

That used to be accomplished by a feature called CDPBypass, but it has been deprecated for the following reasons:

• Lack of Visibility: phones are effectively invisible, since they access the network without generating any kind of accounting record or syslog.

• Lack of Access Control: since the phones are not authenticated, their identity is not validated prior to allowing access. Anyone who can spoof CDP can access the voice network.

• Lack of Authorization: without an authentication event, the phone cannot be authorized with a dynamic ACL or dynamic VLAN.

• Incompatibility: CDP Bypass cannot be used with WebAuth or dynamic ACL assignment for data devices.

• No support for 3rd-party phones: CDP Bypass only works with Cisco phones.

• Not supported across all switch platforms: the 3560e and 3750e platforms do not support CDP Bypass.

So on new IOS codes you will need to authenticate the IP phones as well; there is no option to bypass authentication for them.

Just as a suggestion for a single phone and PC, the best option is to use "Multi-domain", and you need to make sure that the RADIUS server is sending the attribute "device-traffic-class=voice" for the IP phone to be assigned to the voice VLAN.

Note: Please mark as answered if it applies.
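Ivan's last point is the RADIUS attribute the server must return. As an added example (not from the thread, NPS or Cisco), here is Python that builds and decodes that attribute as it appears on the wire: a Vendor-Specific attribute (RFC 2865 type 26) carrying Cisco's vendor ID 9 and the cisco-avpair sub-type 1 with the string device-traffic-class=voice, which is what a capture of the Access-Accept should show. The sample attribute lists are constructed; in NPS the equivalent setting is a Vendor-Specific attribute with vendor code 9 and vendor-assigned attribute number 1 of string type.

```python
"""Build and decode the Cisco-AVPair "device-traffic-class=voice" that the
RADIUS server returns in Access-Accept so the switch authorizes the phone in
the VOICE domain. Added example; layout per RFC 2865 Vendor-Specific (26)."""
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco VSA sub-type carrying "key=value" strings


def encode_cisco_avpair(pair):
    """Return the on-the-wire bytes of one Vendor-Specific attribute."""
    value = pair.encode("ascii")
    vsa_len = 2 + len(value)              # vendor-type + vendor-length + string
    attr_len = 2 + 4 + vsa_len            # type + length + vendor-id + vsa
    if attr_len > 255:
        raise ValueError("attribute too long for a single RADIUS attribute")
    return (struct.pack("!BBI", VENDOR_SPECIFIC, attr_len, CISCO_VENDOR_ID)
            + struct.pack("!BB", CISCO_AVPAIR, vsa_len) + value)


def decode_attributes(blob):
    """Walk a RADIUS attribute list and return (type, value_bytes) tuples."""
    attrs = []
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def cisco_avpairs(blob):
    """Extract every cisco-avpair string from an attribute list."""
    pairs = []
    for atype, value in decode_attributes(blob):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        body = value[4:]                  # one or more vendor sub-attributes
        pos = 0
        while pos + 2 <= len(body):
            vtype, vlen = body[pos], body[pos + 1]
            if vlen < 2 or pos + vlen > len(body):
                break                     # malformed sub-attribute; stop parsing
            if vtype == CISCO_AVPAIR:
                pairs.append(body[pos + 2:pos + vlen].decode("ascii", "replace"))
            pos += vlen
    return pairs


def authorizes_voice(blob):
    """True when the Access-Accept attribute list carries device-traffic-class=voice."""
    return "device-traffic-class=voice" in cisco_avpairs(blob)


# Constructed samples: the attribute list a correctly configured server returns
# for the phone, and the empty list a data-only policy would return.
SAMPLE_ACCEPT = encode_cisco_avpair("device-traffic-class=voice")
SAMPLE_ACCEPT_NO_VOICE = b""

if __name__ == "__main__":
    print(SAMPLE_ACCEPT.hex())
    print("voice authorized:", authorizes_voice(SAMPLE_ACCEPT))
```

If decoding the attributes of a captured Access-Accept for the phone yields no device-traffic-class=voice pair, the switch has nothing to place the phone in the VOICE domain with, and the session will show Domain DATA no matter which host mode the port runs.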