
Authenticate IP Phone

Tmsna
Level 1

Hi Guys,

Hope you can help me with my issue.

 

I'm trying to authenticate via ISE an IP phone (not Cisco) and laptop connected to the phone.

The phone is authenticated using MAB and the laptop using 802.1X.

My concern is that the phone and laptop are on the same VLAN, and this is something I cannot change.

 

This is the configuration of my switch interface:

interface gigabitEthernet 1/0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 10
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 authentication port-control auto
 dot1x pae authenticator

 

 

On my test switch everything is working when I have two different VLANs.

My question is whether it is possible to have this configuration working with the same VLAN.

 

Regards,

Albert

3 Replies

paul
Level 10

That is technically an illegal switch configuration, but it is allowed to work when you don't have authentication enabled. If you try that configuration with ISE and you are setting the voice domain for the IP Phone authorization profile, the phone will be put into an Unauth state. If you are in open mode the phone may still work, but you aren't technically authenticating it.

 

Why even use the voice VLAN?  Just have the data VLAN and change to multi-auth.

Do you think it will work if I change the configuration to authentication host-mode multi-auth?
Thanks anyway for your answer.

With multi-auth, and if you get rid of the "switch-port voice vlan" command, it may work. Not sure if the phones absolutely require the voice VLAN command, but I would think they could be made to work without it. The correct solution, if you want multi-domain, is that you should have different voice and data VLANs.
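
A check for the condition discussed in this thread (multi-domain host mode with the voice VLAN set to the same ID as the access VLAN), as an added example that is not part of the original posts: a small Python script that scans IOS-style interface configuration and lists the affected ports. The sample config, the second port and its VLAN 20 are constructed; the parser assumes each interface stanza ends at `!` or at the next `interface` line.

```python
import re

# Constructed sample: port 1/0/1 mirrors the question, port 1/0/2 uses separate VLANs.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 10
 authentication host-mode multi-domain
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]}; blank lines are ignored."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())          # normalise indentation and spacing
        if line.lower().startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!":                     # stanza separator
            current = None
        elif line and current is not None:
            interfaces[current].append(line)
    return interfaces

def shared_vlan_ports(config):
    """List (port, vlan) where multi-domain is set and voice VLAN == access VLAN."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        vlans = {"access": 1}                 # IOS default access VLAN when not configured
        for cmd in cmds:
            m = re.fullmatch(r"switchport (access|voice) vlan (\d+)", cmd)
            if m:
                vlans[m.group(1)] = int(m.group(2))
        multi_domain = "authentication host-mode multi-domain" in cmds
        if multi_domain and vlans.get("voice") == vlans["access"]:
            findings.append((name, vlans["voice"]))
    return findings

if __name__ == "__main__":
    for port, vlan in shared_vlan_ports(SAMPLE_CONFIG):
        print(f"{port}: multi-domain with voice and data both on VLAN {vlan}")
```

Ports using multi-auth, or with no numeric voice VLAN configured, are not reported.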