dot1x config with Alcatel VoIP handset

RyanJohnstone
Level 1

Hi there,

I am trying to configure 802.1x for a port with an Alcatel VoIP handset and PC connected. The VoIP device is connected to the LAN and the PC is connected via the VoIP handset. The switch is a 3750 running 12.2(50) IOS and I am using ACS 4.0(1) Build 27 to do the authorisation.

Our default config uses trunks with a voice VLAN set and a native VLAN for the data traffic. The VoIP device is configured to use the VLAN as per the voice VLAN configured on the port; traffic from the data port on the phone is untagged and uses the VLAN as per the native VLAN on the port.

A sample of our current setup is shown below. I believe you can't use dot1x for this setup as it uses a trunk:


switchport trunk encapsulation dot1q
switchport trunk native vlan 21
switchport trunk allowed vlan 21,122
switchport mode trunk
switchport voice vlan 122
power inline static
speed 100
duplex full
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
priority-queue out
mls qos trust cos
no snmp trap link-status
auto qos voip trust
no cdp enable
spanning-tree portfast trunk

Can anyone advise on an alternative config or provide any guidance to allow an Alcatel VoIP handset to use dot1x for authentication (using MAC Address Bypass) and the PC to also use dot1x?

Thanks

Ryan

2 Replies

Tarik Admani
VIP Alumni

Will this not work in your case? I had a customer run this for non-Cisco phones. Let me know if this works for you.

interface FastEthernet x/x/x
 switchport access vlan 21
 switchport mode access
 switchport voice vlan 122
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 authentication host-mode multi-domain
 authentication port-control auto
 mls qos trust cos
 auto qos voip trust
 no cdp enable
 spanning-tree portfast
end

You will have to make sure that the RADIUS server sends back the voice AV pair (device-traffic-class=voice) for the phone. You can use "show authentication sessions interface x/x/x" to verify if the phone authenticates and connects to the correct VLAN. I don't know if LLDP uses the voice VLAN feature like CDP does, but your phones should already know via DHCP or if they have connected to the voice VLAN before.

thanks,

Tarik
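An added example, not part of the original thread and not Cisco tooling: a small Python check that reads IOS-style interface stanzas and flags voice-VLAN ports that are still trunks or lack the two authentication commands from the reply above. The function names and the sample interface names are assumptions made for illustration; the commands it looks for are the ones quoted in this thread.

```python
import re

def parse_interfaces(config):
    """Split IOS-style text into {interface name: [sub-commands]}."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif line == "end":
            current = None
        elif line and line != "!" and current is not None:
            current.append(line)
    return ports

def audit_port(cmds):
    """Return findings for one port; ports without a voice VLAN are skipped."""
    def has(prefix):
        return any(c.startswith(prefix) for c in cmds)
    if not has("switchport voice vlan"):
        return []
    findings = []
    if has("switchport mode trunk"):
        findings.append("trunk mode: 802.1X cannot be enabled on a trunk port")
    if not has("authentication port-control auto"):
        findings.append("missing 'authentication port-control auto'")
    elif not has("authentication host-mode multi-domain"):
        findings.append("missing 'authentication host-mode multi-domain'")
    return findings

def audit(config):
    return {name: audit_port(cmds) for name, cmds in parse_interfaces(config).items()}

# Constructed sample: 1/0/1 mirrors the question's trunk, 1/0/2 the reply's port.
SAMPLE = """
interface FastEthernet1/0/1
 switchport mode trunk
 switchport voice vlan 122
interface FastEthernet1/0/2
 switchport mode access
 switchport voice vlan 122
 authentication host-mode multi-domain
 authentication port-control auto
end
"""

for port, findings in audit(SAMPLE).items():
    print(port, findings or "OK")
```
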

Thanks Tarik, will give this a go. I have been off so have not had the chance yet!

I believe the Alcatel handsets do support LLDP and the switch/IOS we are using does also so hopefully this will be ok.

Will let you know how it goes.

Ryan