NAC bypassing IP Phone switch

slupetti
Level 1

On NAC configuration (1751 router)

I try to bypass the IP Phone by configuring IP phone identification with:

! Phones discovered by CDP are matched here and mapped to the ip_phone policy
identity profile eapoudp
 device authorize type cisco ip phone policy ip_phone
!
! The policy applies an ACL that lets the phone through without posture validation
identity policy ip_phone
 access-group nac_ip_phone_acl
!
eou allow clientless
!
ip access-list extended nac_ip_phone_acl
 permit ip any any

If the IP Phone is directly connected to the router, the identity profile is matched and NAC works fine.

But if the IP Phone is connected to a switch port (C3550) and the router is connected to another switch port (C3550), router NAC fails to identify the IP Phone device.

I think it is because the router's CDP doesn't see the IP Phone, but I am not sure.

Is there anyone who can lend me a hand ???

4 Replies

stevanp
Level 1

It might also be the use of trunking between the switch and the router. If you have trunking, remove it and use the connection between the two devices, router and switch, as an access port only.

Let me know if this works out for you.

Also, any other devices on the switch that the NAC identifies?

All switch ports are access ports, and the router and phone are the only devices.

I think CDP is the protocol with which the router identifies the phone; if this is true, the router doesn't see the phone.

pcomeaux
Cisco Employee

Yes - you are right.

The router can use CDP to discover a phone and apply it to your clientless group.

When the same phone plugs into a switch, the CDP packets are not forwarded by the switch to the router, so the router is not able to use CDP to have the phone be clientless.

So what are the possible solutions?

I would guess that I would permit access to the DHCP server for the IP Phone vlan on the default interface ACL. I would place my phones and PCs in separate Vlans and then exempt the ip addresses from the phone vlans from NAC.

Does this sound feasible?

thanks

peter
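The approach outlined above (separate voice and data VLANs, exempt the phone subnet from posture validation by address rather than by CDP, and let unvalidated hosts reach DHCP through the default interface ACL) put together as one IOS configuration. This is an added example, not configuration from anyone in this thread: the subnet 10.10.20.0/24 for the voice VLAN, the interface FastEthernet0/0, and the names NAC_EOU and nac_default_acl are assumptions, and the subnet-with-mask form of `device authorize ip-address` is assumed; older releases may accept only single host addresses.

```cisco
! Added example, not from the thread. Assumed addressing:
!   10.10.20.0/24  voice VLAN (phones)      10.10.10.0/24  data VLAN (PCs)
!   10.10.1.5      DHCP server              10.10.1.10     ACS server
!
! Phones behind a switch are never seen by the router's CDP, so they are
! exempted statically by their subnet instead.
identity profile eapoudp
 ! Still matches a phone plugged straight into the router (CDP visible)
 device authorize type cisco ip phone policy ip_phone
 ! Assumed subnet form: exempt the whole voice VLAN without posture validation
 device authorize ip-address 10.10.20.0 255.255.255.0 policy ip_phone
!
identity policy ip_phone
 access-group nac_ip_phone_acl
!
ip access-list extended nac_ip_phone_acl
 permit ip any any
!
! Default interface ACL for hosts that have not yet passed posture validation:
! EAPoUDP (UDP 21862) so the router can challenge the host, DHCP so the host
! can get an address, and nothing else until ACS downloads a host ACL.
ip access-list extended nac_default_acl
 permit udp any any eq 21862
 permit udp any host 10.10.1.5 eq bootps
 permit udp any any eq bootpc
 deny ip any any
!
ip admission name NAC_EOU eapoudp
!
interface FastEthernet0/0
 ip access-group nac_default_acl in
 ip admission NAC_EOU
!
eou allow clientless
```

Keeping the phones in their own VLAN is what makes the address-based exemption safe: the static entry grants the ip_phone policy to the whole voice subnet, so a PC that could obtain an address in that range would be exempted too. Port-level voice VLAN assignment on the switch is what keeps the two populations apart.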

All,

I have a similar issue with a wireless 7920 IP Phone connecting to an 871W when I apply admission to the BVI1 interface. Does anyone know if NAC is supported for the 7920 wireless? TIA

!
! CDP-discovered phones are mapped to VoicePolicy
identity profile eapoudp
 device authorize type cisco ip phone policy VoicePolicy
!
identity policy VoicePolicy
 access-group VoiceACL
!
! EoU admission rule; idle sessions time out after 60 minutes
ip admission name SDM_EOU_1 eapoudp inactivity-time 60
!
! Admission is applied on the bridge interface the wireless phone arrives on
interface BVI1
 ip access-group 100 in
 ip admission SDM_EOU_1
!
