Avaya Phone in same VLAN as workstation

Jeffrey Jones
Level 5

OK, so here is my dilemma: Avaya phone with docking station plugged in to it; dot1q passes the workstation fine, but hangs the phone. Without creating a voice VLAN, is there any way I can have the phone authenticate with MAB, and the workstation with dot1q? I know the best solution is a re-design of the VLANs, but thought I would throw this out to the group.

Jeff

5 Replies

Jeffrey Jones
Level 5

I found the answer digging through some old notes I wrote.

On the interface if you use authentication host-mode single-host this allows the phone to bypass, and lets the workstation authenticate.

Jeff

Ok, so the above sort of worked...while the phone goes through fine, the workstation does not authenticate with dot1x.

Full config of that interface is:

!
interface GigabitEthernet4/11
 description User Ports
 switchport access vlan 123
 switchport mode access
 authentication event fail action next-method
 authentication host-mode multi-host
 authentication order dot1x mab webauth
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer inactivity server
 authentication violation restrict
 authentication fallback webauth
 mab
 snmp trap mac-notification change added
 dot1x pae authenticator
 flowcontrol receive off
 flowcontrol send off
 tx-queue 3
   priority high
 service-policy input IPPHONE+PC-BASIC
 service-policy output DBL
!

Jeffrey,

The first command "authentication host mode single host" only allows the phone to bypass authentication on the voice domain, and the only phones that can do that are Cisco phones, since they run CDP to find the voice VLAN information. I have heard that Avaya runs LLDP, which should be able to exchange that information, but really haven't seen it work as of recent.

On the other hand, you are deploying something different. You can use "..host mode multi-auth" and the phone should authenticate with mab; once the phone authenticates the port, then the client will authenticate with dot1x, since every client detected on the port will have to pass authentication.

Give that a shot and let me know if that works. For a quick guide to host mode settings ('cause I get them confused often), here is a quick reference guide that we have:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_c27-574041.pdf

Thanks,

Tarik Admani

Hi Jeffrey,

Just read your comment on my blog post on 802.1x with IP Phones.

To add to what Tarik said, multi-domain authentication mode is what you are looking for, but for that also you will need voice VLANs. MDA will not work with a single VLAN.

Regards,

Vivek

pedro.lourenco
Level 1

Hi all,

My problem is the opposite. I have a Siemens phone connected to a c2960. The phone will do MAC authentication.

Connected to the phone I have a PC which authenticates using dot1x.

The MAC authentication is successful but the Siemens phone is placed on the DATA vlan instead of the VOICE vlan.

At this point, for testing purposes I tried eliminating the dot1x configuration of the port. My current interface config is:

interface GigabitEthernet0/13
 switchport access vlan 124
 switchport mode access
 switchport voice vlan 310
 authentication host-mode multi-domain
 authentication order mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 300
 mab
 spanning-tree portfast
end

I'm using an ACS radius server which is returning the "device-traffic-class=voice" but still the phone will always end up on the Data vlan.

If no auth is configured the phone ends up in the voice vlan as expected.

Any help here will be appreciated since all the config guides I've read until now just present the above as the necessary config.

Best Regards,

Pedro
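
Added example, not part of any post in this thread: a small Python check that reads IOS interface stanzas and reports the host-mode points raised in the replies. The sample input is constructed from the two interface configs posted above, trimmed to the lines the check reads; the function names are hypothetical.

```python
import re

# Constructed input: the two stanzas posted in this thread, trimmed.
SAMPLE = """\
interface GigabitEthernet4/11
 authentication host-mode multi-host
 authentication order dot1x mab webauth
 authentication port-control auto
!
interface GigabitEthernet0/13
 switchport voice vlan 310
 authentication host-mode multi-domain
 authentication order mab
 authentication port-control auto
"""

def parse_interfaces(text):
    """Split IOS config text into {interface name: [stripped lines]}."""
    ports, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line in ("!", "end"):
            current = None
        elif line and current is not None:
            current.append(line)
    return ports

def audit(lines):
    """Return (host_mode, findings) for one port's config lines."""
    cfg = "\n".join(lines)
    m = re.search(r"^authentication host-mode (\S+)$", cfg, re.M)
    mode = m.group(1) if m else "single-host"  # IOS default host mode
    order = re.search(r"^authentication order (.+)$", cfg, re.M)
    voice = re.search(r"^switchport voice vlan \d+$", cfg, re.M)
    findings = []
    if "authentication port-control auto" not in lines:
        findings.append("port-control auto missing: port does not enforce authentication")
    if mode == "multi-host":
        findings.append("multi-host: only the first device authenticates, later MACs share its session")
    if mode == "multi-domain" and not voice:
        findings.append("multi-domain needs a voice VLAN (per the replies above)")
    if order and "dot1x" not in order.group(1).split():
        findings.append("dot1x absent from authentication order: attached PC can only use MAB")
    return mode, findings

if __name__ == "__main__":
    for name, lines in parse_interfaces(SAMPLE).items():
        print(name, *audit(lines), sep="\n  ")
```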