
DOT1X authentication for IP Phones

sanns desi
Level 1

Hi,

I have DOT1X authentication configured on all switch ports (both data & voice VLAN).

I also have Cisco IP phones.

My requirement is to allow Cisco IP phones without DOT1X authentication.

I have tried using "authentication host-mode single-host", but the issue is that any IP phone can be connected, making this a security loophole.

Is there a way to allow only a single IP phone on this port without DOT1X? (NOTE: There are around 200 IP phones [belonging to a specific VLAN] which need to be connected this way. If there is any other alternative for whitelisting only the MAC addresses of these IP phones to authenticate without DOT1X, please let me know.)

Kindly suggest.

1 Reply

@sanns desi Yes, you can use MAC Authentication Bypass (MAB); for this you need a database of the MAC addresses. You can achieve this with Cisco ISE as the RADIUS server.

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 
