Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1027
Views
0
Helpful
3
Replies

802.1x with voice vlan

louis0001
Level 3
Level 3

‎09-13-2018 05:03 AM - edited ‎03-10-2019 01:05 AM

Is it possible to have a port configured with 802.1x for data and ip phones to use a normal voice vlan setup ie no 802.1x for phones.

Like so:

switchport mode access
switchport voice vlan 200
authentication event fail action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast

 

Labels:
0 Helpful
3 Replies 3

Collin Clark
VIP Alumni
VIP Alumni

‎09-13-2018 05:38 AM

AFAIK no. You will have to setup MAB for the phone.

0 Helpful

louis0001
Level 3
Level 3
In response to Collin Clark

‎09-13-2018 11:35 PM

At the moment, our phones seem to hookup (no mab or 802.1x) and we do have authorization for the clients (802.1x) so it appears to be working. Should it be doing this?

0 Helpful

Aravind Ravichandran
Level 3
Level 3
In response to louis0001

‎10-01-2018 02:12 AM

Hi,

You should enable mab in switch port interface for IP-phone authentication & the IP phone mac address should be authorized with voice permission.

A typical switch port configuration which looks like:

description ACCESS (Closed Mode)
switchport mode access
switchport access vlan <data vlan>
switchport voice vlan <voice vlan>
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
mab
authentication violation restrict
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
dot1x timeout tx-period 10
spanning-tree portfast
authentication port-control auto
dot1x pae authenticator

 

you can refer this link https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515

-Aravind
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents