02-25-2013 05:41 AM - edited 03-10-2019 12:00 AM
Hello everyone,
I am doing a piece of design work and I need to understand (because I couldn't find it clearly written anywhere) the following:
If I am using LLDP-MED to assign the VVID (Voice VLAN) instead of Cisco's CDP, will that work with Single-Host mode? I want to bypass phone authentication if the phone is recognized by LLDP-MED, but keep authenticating the workstation that is physically attached to the phone.
If it matters, the phones will be Avaya.
Cheers & thanks in advance!
Dani
02-26-2013 02:20 AM
I think in that case you need to configure MAC Authentication Bypass (MAB) for your phone with multi-host mode.
Jatin Katyal
- Do rate helpful posts -
02-26-2013 03:05 AM
Thanks Jatin for your response!
Do you have something specific in mind, or are you just sharing an opinion? I need more information about that, and if you have a paper/document to point me to, that would be really great!
Also, if I stick to that approach, I believe I'll have to use the multi-domain option rather than multi-host (since I'll need to authenticate/authorize both the phone and the workstation).
Yet another question here: if I go for that option, do you think it will be possible to make a single RADIUS rule that accepts the OUI part of the MAC address (the vendor part, e.g. 00040D*) and thus instructs RADIUS to return an Access-Accept with the AV pair "device-traffic-class=voice"? It would be a real nightmare to put 2000+ phones into RADIUS...
Cheers,
Dani
03-06-2013 04:27 PM
If you are using Cisco ISE as your RADIUS server, you can create a single rule that authorizes phones using the vendor code. You could also look into the option of configuring the phones to do dot1x.
Multi-domain is used to support one device in the voice VLAN and one in the data VLAN; multi-auth is for one device in the voice VLAN and many devices in the data VLAN.
04-29-2013 11:54 PM
Hi Danail,
In addition to the private message I sent you, I think MAB is a more feasible way to deploy VoIP in a dot1x network environment than LLDP-MED, for the following reasons:
1. MAB complies with the dot1x framework; it works in a very similar way to dot1x.
2. MAB has been widely deployed on Cisco switches and works fine.
3. MAB can be deployed for any kind of endpoint that doesn't support a dot1x supplicant in a dot1x network environment.
LLDP-MED, IMO, is a revision of LLDP; you may have the capability to bypass the phone with LLDP-MED on some vendors' switches, but it will carry a higher deployment risk than MAB on Cisco switches.
BTW, generating 2000 MACs for VoIP phones is no biggie, as normally you can ask the vendor to send you the list of MACs. The OUI check with a wildcard is definitely doable, but it is RADIUS-software dependent. IMO these two questions are actually not design questions; they are more likely deployment questions, which should be considered after your high-level design.
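The two mechanisms discussed in this thread, an OUI-based MAB rule on the RADIUS side (asked about in the 02-26-2013 post and confirmed as "doable" above) and the per-port host-mode limits spelled out in the 03-06-2013 reply, can be worked through together. The following is an added example written for this thread; it is not code from any poster, from Cisco ISE or from any RADIUS product. It assumes what a Cisco switch sends for MAB (the endpoint MAC as both User-Name and Calling-Station-Id, with Service-Type Call-Check), that the switch honours the Cisco AV pair `device-traffic-class=voice` to place a MAB endpoint in the voice domain, and it uses the Avaya OUI 00:04:0D quoted in the thread. The sample request and the `phone_then_pc` walk-through are constructed for illustration.

```python
import re

# OUIs whose MAB requests this single rule authorizes as phones.  00:04:0D is
# the Avaya block quoted in the thread; add blocks here, not 2000 MACs.
VOICE_OUIS = {"00040D"}

# Cisco AV pair that tells the switch to put a MAB endpoint in the voice domain.
VOICE_AVPAIR = "device-traffic-class=voice"

_NON_HEX = re.compile(r"[^0-9A-Fa-f]")


def normalize_mac(mac):
    """Return a MAC as 12 upper-case hex digits, or None if it is not one.

    Switches format the address differently (Cisco MAB: User-Name
    '00040daabbcc', Calling-Station-Id '00-04-0D-AA-BB-CC'; others use
    colons or Cisco dotted form), so strip separators before matching.
    """
    digits = _NON_HEX.sub("", mac or "")
    return digits.upper() if len(digits) == 12 else None


def mab_authorize(request):
    """Authorize one RADIUS Access-Request sent by a switch doing MAB.

    request: dict of RADIUS attribute name -> value.  Returns (reply code,
    reply attributes).  The OUI prefix check replaces a per-MAC database
    entry; comparing User-Name with Calling-Station-Id rejects a request that
    merely carries a MAC-shaped username but did not come from MAB.
    """
    if request.get("Service-Type") != "Call-Check":
        return "Access-Reject", {}      # Cisco marks MAB requests with Call-Check
    user = normalize_mac(request.get("User-Name"))
    caller = normalize_mac(request.get("Calling-Station-Id"))
    if user is None or user != caller:
        return "Access-Reject", {}      # username is not the MAC seen on the port
    if user[:6] in VOICE_OUIS:
        return "Access-Accept", {"Cisco-AVPair": VOICE_AVPAIR}
    return "Access-Reject", {}          # unknown OUI: a workstation must do dot1x


def port_admits(host_mode, admitted, new_domain):
    """Does a Cisco 802.1X port in `host_mode` accept one more authenticated
    endpoint?  `admitted` lists the domains ('voice'/'data') of endpoints
    already authenticated on the port.  Encodes the host-mode rules given in
    the thread; phones let in by CDP/LLDP-MED without authenticating are
    outside this model.
    """
    voice = admitted.count("voice")
    data = admitted.count("data")
    if host_mode == "single-host":
        return not admitted                 # exactly one authenticated MAC
    if host_mode == "multi-host":
        return True                         # first one authenticates, rest ride along
    if host_mode == "multi-domain":
        return data == 0 if new_domain == "data" else voice == 0   # one per domain
    if host_mode == "multi-auth":
        return new_domain == "data" or voice == 0                  # one voice, many data
    raise ValueError("unknown host-mode: %s" % host_mode)


def phone_then_pc(host_mode):
    """Bring an Avaya phone (via MAB) and then a workstation (assumed to pass
    dot1x into the data domain) up on one port; return who got on."""
    admitted = []
    phone_req = {  # constructed sample of what a Cisco switch sends for MAB
        "User-Name": "00040daabbcc",
        "Calling-Station-Id": "00-04-0D-AA-BB-CC",
        "Service-Type": "Call-Check",
    }
    code, attrs = mab_authorize(phone_req)
    phone_domain = "voice" if attrs.get("Cisco-AVPair") == VOICE_AVPAIR else "data"
    phone_ok = code == "Access-Accept" and port_admits(host_mode, admitted, phone_domain)
    if phone_ok:
        admitted.append(phone_domain)
    pc_ok = port_admits(host_mode, admitted, "data")
    if pc_ok:
        admitted.append("data")
    return {"phone": phone_ok, "pc": pc_ok}


if __name__ == "__main__":
    for mode in ("single-host", "multi-host", "multi-domain", "multi-auth"):
        print("%-13s %s" % (mode, phone_then_pc(mode)))
```

Running it shows why the original poster moved from single-host to multi-domain: with only authenticated endpoints counted, single-host admits the phone and then has no room for the workstation, while multi-domain and multi-auth admit both. The Service-Type and User-Name/Calling-Station-Id checks are the part worth keeping in a real policy: an OUI wildcard is only as safe as the assurance that the request really describes the MAC on the port.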