
04-20-2020 10:37 AM
Hi,
Is it possible to use 802.1X only for data when there are both data and voice definitions under the same port?
Regards,
Sp@wn
Labels: Identity Services Engine (ISE)
Accepted Solutions
04-20-2020 01:04 PM
If you are using Cisco IP Phones and have CDP enabled, you can use CDP Bypass to allow the phones onto the Voice VLAN automatically and then only authenticate/authorize the Data device. You would need to configure the switchport host-mode to be "single-host". That will limit you to just one MAC address on the Data VLAN. The downside of this type of setup is the lack of visibility of what phones are on the network and on which switches/ports. Someone could spoof the phone MAC address and CDP messages to gain access to the Voice VLAN. You could just authenticate the phones using MAB. Just build a whitelist of your phone MAC addresses in ISE and it would only use up a Base license. But that gives you the flexibility to use dACLs, centrally configured timeouts, etc.
04-20-2020 01:02 PM
It is possible. Look at the Multi-Domain Authentication link below:
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/98523-8021x-cat-layer3.html#MDA
