06-15-2025 11:38 AM
Hello colleagues,
I'm trying to configure 802.1X authentication for a Cisco IP Phone (79xx series) and a computer connected to its switch port, both connected together to a Cisco Catalyst 1300 switch (the new name of the SG-series SMB). Unfortunately I don't have any luck. If the phone or the PC is connected alone on the port (single-host mode on the port), everything is OK. The phone is not in a voice VLAN.
Port config:
bg08swacc21#sh run int gi1/0/25
interface GigabitEthernet1/0/25
 dot1x host-mode multi-sessions
 dot1x reauthentication
 dot1x authentication 802.1x mac
 dot1x radius-attributes vlan
 dot1x port-control auto
 description IPPhone_802.1x_Test_port
 spanning-tree portfast
 spanning-tree bpduguard enable
Authentication for both is successful:
14-Jun-2025 22:56:05 :%SEC-I-SUPPLICANTAUTHORIZED: MAC 30:37:a6:17:e6:70 is authorized on port gi1/0/25
14-Jun-2025 22:56:05 :%SEC-I-SUPPLICANTAUTHORIZED: username host/somename with MAC 24:6a:0e:9f:f6:ba is authorized on port gi1/0/25
14-Jun-2025 22:56:04 :%LINK-I-Up: gi1/0/25
14-Jun-2025 22:56:04 :%STP-W-PORTSTATUS: gi1/0/25 of vlan 1: STP status Forwarding
14-Jun-2025 22:55:59 :%LINK-W-Down: gi1/0/25
Each session received correct VLAN from the RADIUS server:
bg08swacc21#sho dot1x users
                           MAC                Auth   Auth   Session        VLAN
Port     Username          Address            Method Server Time
-------- ----------------- ------------------ ------ ------ -------------- ----
gi1/0/25 host/somename     24:6a:0e:9f:f6:ba  802.1X Remote 00:00:14       1065
gi1/0/25 30-37-A6-17-E5-70 30:37:a6:17:e6:70  MAC    Remote 00:08:21       1068
But MAC table doesn't show the VLANs and MACs:
bg08swacc21#sh mac address-table interface gi1/0/25
Flags: I - Internal usage VLAN
Aging time is 300 sec
Vlan         Mac Address           Port       Type
------------ --------------------- ---------- ----------
1            30:37:a6:17:e6:70     gi1/0/25   dynamic
Can someone help with understanding how exactly multi-session should be implemented?
Thank you!
06-15-2025 12:30 PM
Hello @Alexander Vasilev,
if I understand your post correctly, then you want to authenticate a PC and a phone on the same port but in different VLANs, right?
However, while multi-session enforces that each client connected to this port must be authenticated, it requires that all clients connected to this port must be in the same VLAN.
The Catalyst 1300/1200 series lacks a couple of enterprise-class features, and the lack of the 'multi-domain' option is one of them. On the enterprise-class Catalyst switches you can use 'multi-domain' to authenticate PCs and phones in 2 different VLANs, but this is simply not possible on the 1300 series.
There appear to be 2 known workarounds for this issue:
You can find more details about these 2 options including each configuration when you check out the following discussion:
HTH!
06-15-2025 01:15 PM
Thank you, Jens!
Yes, exactly, this is my idea: phone and PC on the same port, but in different VLANs. For multi-domain I got it that there is no support, but neither of the VLANs is voice, i.e. I don't have a multi-domain situation.
As for the multi-session, my understanding is/was that multi-host dictates everyone to be on the same VLAN, but not the multi-session?
Guest VLAN is not something that I consider, because I also found this: https://community.cisco.com/t5/cisco-bug-discussions/cscvs35681-sg350-dhcp-relay-unauthenticated-users-on-guest-vlan/td-p/4086829
Regards,
Alexander
06-15-2025 01:57 PM
Hi Alexander,
regarding the guest VLAN, the post you mention is quite old. Based on the pretty recent discussion I mentioned, it might work now, even though I still consider it to be a dirty trick and the only way to authenticate PC and phone in different VLANs. Just try and check whether it works or not.
Multi-session and multi-host both only allow authentication of all hosts in the same VLAN.
The difference is that multi-session enforces that every single host on this port must be authenticated, for the same VLAN.
With multi-host, on the other hand, only one host must authenticate, and then all other connected clients on this port can join the same VLAN without any authentication. As stated in the documentation: "the port is authorized after at least one host is authorized", meaning all other hosts do not need to authenticate. This is an old legacy option that was used, e.g., to open a port for a bunch of printers that are not dot1x-capable so that a single PC did the authentication for all of them. Definitely not recommended, and hence multi-host should never be used.
The only other option would be the use of the voice VLAN, but again without any authentication, as these switches only check the MAC address against the preconfigured OUI table to detect the phone.
Regards, Jens
06-17-2025 05:41 AM
Hey Jens,
unfortunately I cannot make it work stably. With this configuration:
interface GigabitEthernet1/0/25
 dot1x host-mode multi-sessions
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x authentication 802.1x mac
 dot1x radius-attributes vlan
 dot1x max-hosts 3
 dot1x port-control auto
 description IPPhone_802.1x_Test_port
 spanning-tree portfast
 spanning-tree bpduguard enable
I see:
bg08swacc21#show dot1x users
                           MAC                Auth   Auth   Session        VLAN
Port     Username          Address            Method Server Time
-------- ----------------- ------------------ ------ ------ -------------- ----
gi1/0/25 someuser/fromcert 24:6a:0e:9f:f6:ba  802.1X Remote 00:12:30       1065
But on the port from MAC table perspective:
bg08swacc21#show mac address-table int gi1/0/25
Flags: I - Internal usage VLAN
Aging time is 300 sec
Vlan         Mac Address           Port       Type
------------ --------------------- ---------- ----------
1068         30:37:a6:17:e6:70     gi1/0/25   dynamic
I.e. the phone fails authentication and is in the guest VLAN, but the PC, marked as successfully authenticated, is missing from the MAC table.
And btw, the authentication fails for the phone constantly:
bg08swacc21#17-Jun-2025 15:30:10 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 30:37:a6:17:e6:70 was rejected on port gi1/0/25 due to wrong user name or password in Radius server
17-Jun-2025 15:32:10 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 30:37:a6:17:e6:70 was rejected on port gi1/0/25 due to wrong user name or password in Radius server
17-Jun-2025 15:33:10 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 30:37:a6:17:e6:70 was rejected on port gi1/0/25 due to wrong user name or password in Radius server
17-Jun-2025 15:34:10 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 30:37:a6:17:e6:70 was rejected on port gi1/0/25 due to wrong user name or password in Radius server
For multi-host the understanding is the same: at least one successful authentication, same VLAN for everyone. But for multi-session, should different VLANs be possible? Can you share a reference that they must be in the same VLAN? From the documentation about the guest VLAN functionality, the phone in my case must be not authorized: "After linkup, if the software doesn't detect the 802.1X supplicant, or the authentication has failed, the port is added to the guest VLAN, only after the Guest VLAN timeout period has expired."
From tests, what you've said for multi-session is correct.
Regards,
Aleksandar
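Added example, not code from the thread or from Cisco: a small Python check that parses the two outputs quoted above ('show dot1x users' and 'show mac address-table') and flags the mismatch Alexander describes, an authorized supplicant that never appears in the MAC table, or a MAC learned in a VLAN other than the one RADIUS returned. The column layout is assumed from the quoted output, and the sample outputs are constructed from the first post's values.

```python
"""Added example (not from the thread or Cisco): reconcile the two Catalyst 1300
outputs quoted in the thread, 'show dot1x users' and 'show mac address-table',
to see whether each authorized supplicant was learned in its RADIUS VLAN.
Sample outputs are constructed from the first post; the column layout is assumed."""
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
# Constructed from the thread's first 'show dot1x users' output.
DOT1X_USERS = """\
Port     Username          MAC Address       Method Server Time     VLAN
-------- ----------------- ----------------- ------ ------ -------- ----
gi1/0/25 host/somename     24:6a:0e:9f:f6:ba 802.1X Remote 00:00:14 1065
gi1/0/25 30-37-A6-17-E5-70 30:37:a6:17:e6:70 MAC    Remote 00:08:21 1068
"""
# Constructed from the thread's first 'show mac address-table' output.
MAC_TABLE = """\
Vlan         Mac Address           Port       Type
------------ --------------------- ---------- ----------
1            30:37:a6:17:e6:70     gi1/0/25   dynamic
"""

def parse_dot1x_users(text):
    """{mac: vlan} for each session row; the VLAN is the last column."""
    rows = (line.split() for line in text.splitlines())
    return {f[2].lower(): int(f[-1]) for f in rows
            if len(f) >= 7 and f[0].startswith("gi") and MAC_RE.match(f[2])}

def parse_mac_table(text):
    """{mac: vlan} for each learned entry (rows start with a numeric VLAN)."""
    rows = (line.split() for line in text.splitlines())
    return {f[1].lower(): int(f[0]) for f in rows
            if len(f) == 4 and f[0].isdigit() and MAC_RE.match(f[1])}

def reconcile(sessions, learned):
    """Per MAC: ok, authorized but never learned, learned in a VLAN other than
    the RADIUS one, or learned with no session at all (the guest-VLAN case)."""
    report = {}
    for mac, vlan in sessions.items():
        seen = learned.get(mac)
        if seen is None:
            report[mac] = "authorized_not_learned"
        elif seen != vlan:
            report[mac] = f"wrong_vlan:{seen}!={vlan}"
        else:
            report[mac] = "ok"
    for mac, vlan in learned.items():
        if mac not in sessions:
            report[mac] = f"unauthenticated_in_vlan:{vlan}"
    return report
```

Run against the first post's outputs it reports the PC as authorized but not learned and the phone as learned in VLAN 1 instead of 1068; against the third post's outputs the phone shows up as unauthenticated in VLAN 1068.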