802.1X single-host; workstation attached to non-cisco IP Phone

danailpetrov
Level 1

Hello everyone,

I am doing some design work and I need to understand (because I couldn't find it clearly written anywhere) the following:

If I am using LLDP-MED in order to assign the VVID (Voice VLAN), instead of Cisco's CDP, will that be just fine with Single-Host mode? I want to bypass phone authentication if it is recognized by LLDP-MED, but to keep authenticating the workstation that is physically attached to the phone.

If that matters at all, the phones will be Avaya.

Cheers & thanks in advance!

Dani

4 Replies

Jatin Katyal
Cisco Employee

I think in that case you need to configure MAC Authentication Bypass (MAB) for your phone with multi-host mode.

Jatin Katyal


- Do rate helpful posts -

~Jatin

Thanks Jatin for your response!

Do you have something in mind, or are you just sharing an opinion? I need to get more information about that, and if you have some paper/document to provide, it'll be really great!

Also, if I stick to that approach, I do believe I'll have to go with the multi-domain option rather than multi-host (since I'll need to authenticate/authorize both the phone and the workstation).

Yet another question here: if I go for that option, do you think it'll be possible to make a single RADIUS rule that accepts the OUI part of the MAC address (the vendor part, e.g. 00040D*) and thus instructs the RADIUS server to return the Access-Accept with the A/V pair "device-traffic-class=voice"? It'll be a real nightmare to put 2000+ phones in RADIUS...

Cheers,
Dani

If you are using Cisco ISE as your RADIUS server, you can create a single rule that authorizes phones using the vendor code. You could also look into the option of having the phones configured to do dot1x.

Multi-domain is used to support having one device in the voice VLAN and one in the data VLAN; multi-auth is for one device in the voice VLAN and many devices in the data VLAN.
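As an added example (not code from the thread, from Cisco ISE or from any vendor), here is a small Python model of the two things discussed above: the single OUI-based RADIUS rule that returns Access-Accept with "device-traffic-class=voice" for 00040D* and rejects everything else, and a switch port in multi-domain host-mode that admits one voice MAC and one data MAC and treats a second device in an occupied domain as a violation. Function and class names are hypothetical and the MAC addresses are constructed; the set of voice OUIs is an assumption beyond the single prefix quoted in the question.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: the OUI prefixes the single RADIUS rule accepts. 00040D is the
# vendor prefix quoted in the question. An OUI is public, so this rule only
# identifies a phone-like device; it does not authenticate it.
VOICE_OUIS = {"00040D"}
VOICE_AVP = "device-traffic-class=voice"


def normalize_mac(raw: str) -> str:
    """Reduce 00:04:0d:.., 00-04-0D-.., 0004.0d12.3456 or bare hex to 12 upper-case hex digits."""
    mac = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(mac) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def radius_mab_policy(calling_station_id: str) -> dict:
    """One wildcard rule instead of 2000+ endpoint entries: a matching OUI gets
    Access-Accept plus the voice AV pair; any other MAB request is rejected
    (workstations are expected to authenticate with dot1x, not MAB)."""
    mac = normalize_mac(calling_station_id)
    if mac[:6] in VOICE_OUIS:
        return {"code": "Access-Accept", "cisco-av-pair": VOICE_AVP}
    return {"code": "Access-Reject"}


@dataclass
class MultiDomainPort:
    """Switch-side view of host-mode multi-domain: one voice MAC and one data MAC."""
    voice: Optional[str] = None
    data: Optional[str] = None

    def admit(self, calling_station_id: str, reply: dict) -> str:
        """Place an authenticated MAC in the voice or data domain from the RADIUS reply."""
        mac = normalize_mac(calling_station_id)
        if reply["code"] != "Access-Accept":
            return "auth-fail"
        domain = "voice" if reply.get("cisco-av-pair") == VOICE_AVP else "data"
        current = getattr(self, domain)
        if current not in (None, mac):
            return "security-violation"  # a second, different device in that domain
        setattr(self, domain, mac)
        return f"authorized-{domain}"
```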

Hi Danail,

In addition to the private message I replied to you with, I think MAB is a more feasible way to deploy VoIP in a dot1x network environment than LLDP-MED, for the following reasons:

1. MAB complies with the dot1x framework; it works in a very similar way to dot1x.

2. MAB has been widely deployed on Cisco switches and works fine.

3. MAB can be deployed for any kind of endpoint that doesn't support a dot1x supplicant function in a dot1x network environment.

LLDP-MED, IMO, is a revision of LLDP; you may have the capability to bypass the phone on some vendors' switches with LLDP-MED, but it will be a higher deployment risk than MAB on Cisco switches.

BTW, generating 2000 MACs for VoIP phones is no biggie, as normally you can ask the vendor to send you the list of MACs. The OUI check with a wildcard is definitely doable, but it is RADIUS-software related. IMO these two questions are actually not design questions; they are more likely deployment questions, which should be considered after your high-level design.

Which can win the race: increasing bandwidth with new technologies VS QoS?

-- Best Regards