09-13-2018 05:03 AM - edited 03-10-2019 01:05 AM
Is it possible to have a port configured with 802.1x for data, and IP phones using a normal voice VLAN setup, i.e. no 802.1x for phones?
Like so:
switchport mode access
switchport voice vlan 200
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
09-13-2018 05:38 AM
AFAIK no. You will have to set up MAB for the phone.
09-13-2018 11:35 PM
At the moment, our phones seem to hook up (no MAB or 802.1x) and we do have authorization for the clients (802.1x), so it appears to be working. Should it be doing this?
10-01-2018 02:12 AM
Hi,
You should enable MAB on the switch port interface for IP phone authentication, and the IP phone MAC address should be authorized with voice permission.
A typical switch port configuration looks like:
description ACCESS (Closed Mode)
switchport mode access
switchport access vlan <data vlan>
switchport voice vlan <voice vlan>
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
mab
authentication violation restrict
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
dot1x timeout tx-period 10
spanning-tree portfast
authentication port-control auto
dot1x pae authenticator
You can refer to this link: https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515
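An added example, not part of the thread or of Cisco's documentation: a small Python audit that flags ports combining 802.1X with a voice VLAN but lacking the mab and authentication host-mode multi-domain commands shown in the reply above. The interface names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: Gi1/0/1 resembles the question's port (no MAB),
# Gi1/0/2 resembles the reply's port (MAB + multi-domain).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 200
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 200
 authentication host-mode multi-domain
 mab
 authentication port-control auto
 dot1x pae authenticator
!
"""
REQUIRED = ("mab", "authentication host-mode multi-domain")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit_voice_ports(config):
    """Map each 802.1X port with a voice VLAN to the REQUIRED lines it lacks."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        has_voice = any(c.startswith("switchport voice vlan") for c in cmds)
        if has_voice and "authentication port-control auto" in cmds:
            missing = [c for c in REQUIRED if c not in cmds]
            if missing:
                findings[name] = missing
    return findings

if __name__ == "__main__":
    for port, missing in audit_voice_ports(SAMPLE_CONFIG).items():
        print(f"{port}: missing {', '.join(missing)}")
```

Run it against a saved running-config by passing the file's text to audit_voice_ports instead of SAMPLE_CONFIG.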