I have a lab set up and I have been tinkering with pushing MACsec policies using EAP-TLS to workstations. When I have a workstation connected to an interface, everything works as intended. Link is secured using MACsec. When I plug in an IP phone to the port and connect the workstation behind the phone, it seems MKA cannot negotiate properly and the link fails.
Has anyone been able to get a working configuration in order for a situation like this? I'm wondering if MACsec is just not supported in a situation like this. There is not much official Cisco documentation on Switch-to-Host MACsec and if there is, it's pretty vague but I interpret the language as if it should work. Could there be an IP phone setting that must be tweaked in order to get it in working order? Unfortunately I do not have access to our CUCM or IP phone device settings.
My current setup is: Cisco 9300 > Cisco 8851NR IP Phone > HP Workstation Win11 using AnyConnect NAM
Any information is appreciated!