04-24-2012 07:59 AM - edited 03-10-2019 07:02 PM
Ok, so here is my dilemma: Avaya phone with a docking station plugged into it. dot1q passes the workstation fine, but hangs the phone. Without creating a voice vlan, is there any way I can have the phone authenticate with mab, and the workstation with dot1q? I know the best solution is a re-design of the vlans, but I thought I would throw this out to the group.
Jeff
04-24-2012 08:09 AM
I found the answer digging through some old notes I wrote.
On the interface, if you use authentication host-mode single-host, this allows the phone to bypass and lets the workstation authenticate.
Jeff
04-25-2012 11:51 AM
Ok, so the above sort of worked... while the phone goes through fine, the workstation does not authenticate with dot1x.
The full config of that interface is:
!
interface GigabitEthernet4/11
description User Ports
switchport access vlan 123
switchport mode access
authentication event fail action next-method
authentication host-mode multi-host
authentication order dot1x mab webauth
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity server
authentication violation restrict
authentication fallback webauth
mab
snmp trap mac-notification change added
dot1x pae authenticator
flowcontrol receive off
flowcontrol send off
tx-queue 3
priority high
service-policy input IPPHONE+PC-BASIC
service-policy output DBL
!
04-26-2012 10:36 PM
Jeffrey,
The first command, "authentication host-mode single-host", only allows the phone to bypass authentication on the voice domain, and the only phones that can do that are Cisco phones, since they run CDP to find the voice vlan information. I have heard that Avaya runs LLDP, which should be able to exchange that information, but I really haven't seen it work as of recent.
On the other hand, you are deploying something different. You can use "..host-mode multi-auth" and the phone should authenticate with mab; once the phone authenticates the port, then the client will authenticate with dot1x, since every client detected on the port will have to pass authentication.
Give that a shot and let me know if that works. For a quick guide to host mode settings (because I get them confused often), here is a quick reference guide that we have:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_c27-574041.pdf
Thanks,
Tarik Admani
04-27-2012 06:08 AM
Hi Jeffrey,
Just read your comment on my blog post on 802.1x with IP Phones.
To add to what Tarik said, multi-domain authentication mode is what you are looking for, but for that you will also need voice VLANs. MDA will not work with a single VLAN.
Regards,
Vivek
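The host-mode pitfalls raised in the two replies above (multi-host admitting everything behind the first authenticated MAC, multi-domain needing a voice VLAN) can be checked mechanically. The following is an added example, not code from this thread or from Cisco: a small Python audit that parses IOS-style interface stanzas and flags those combinations, run over a constructed sample built from the GigabitEthernet4/11 config posted above beside a hypothetical GigabitEthernet4/12 using multi-auth.

```python
# Constructed sample: the thread's Gi4/11 (multi-host) beside a hypothetical multi-auth port.
SAMPLE_CONFIG = """\
interface GigabitEthernet4/11
 authentication host-mode multi-host
 authentication order dot1x mab webauth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet4/12
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

def parse_interfaces(config):
    # Split an IOS-style running-config into {interface name: [stripped sub-commands]}
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("!", "end", ""):
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def audit_port(lines):
    """Return findings for one port's 802.1X/MAB host-mode configuration."""
    if "authentication port-control auto" not in lines:
        return []  # authentication is not enforced on this port, so host mode is moot
    has_voice_vlan = any(l.startswith("switchport voice vlan") for l in lines)
    # IOS defaults to single-host when no host-mode line is present
    host_mode = next((l.split()[-1] for l in lines if l.startswith("authentication host-mode")), "single-host")
    findings = []
    if host_mode == "multi-host":
        findings.append("multi-host: once the first MAC authenticates, every other device behind the phone is admitted without authenticating")
    if host_mode == "multi-domain" and not has_voice_vlan:
        findings.append("multi-domain needs a voice VLAN; with a single VLAN the phone cannot be placed in the voice domain")
    if host_mode == "single-host" and "mab" in lines and not has_voice_vlan:
        findings.append("single-host without a voice VLAN admits one MAC only; a phone plus PC will trigger a security violation")
    return findings

def audit_config(config):
    """Audit every interface stanza; ports with no findings map to an empty list."""
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}
```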
06-22-2012 08:44 AM
Hi all,
My problem is the opposite. I have a Siemens phone connected to a c2960. The phone will do MAC authentication.
Connected to the phone I have a PC which authenticates using dot1x.
The MAC authentication is successful, but the Siemens phone is placed on the DATA vlan instead of the VOICE vlan.
At this point, for testing purposes I tried eliminating the dot1x configuration of the port. My current interface config is:
interface GigabitEthernet0/13
switchport access vlan 124
switchport mode access
switchport voice vlan 310
authentication host-mode multi-domain
authentication order mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
mab
spanning-tree portfast
end
I'm using an ACS RADIUS server which is returning "device-traffic-class=voice", but still the phone always ends up on the Data vlan.
If no auth is configured the phone ends up in the voice vlan as expected.
Any help here will be appreciated, since all the config guides I've read until now just present the above as the necessary config.
Best Regards,
Pedro