Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
565
Views
0
Helpful
4
Replies

dot1x and ip phone

Kashish_Patel
Level 2
Level 2

‎07-15-2013 12:43 AM - edited ‎03-10-2019 08:38 PM

We have dot1x enabled with MDA. Consider this scenario:

Only one Cisco IP phone is connected to the switchport (no PC). And phone fails both dot1x and MAB. Switch will place it in DATA vlan by default. This works as expected....Why doesn't IP phone work while in DATA vlan? It keeps showing "registering", "configuring IP" etc. IP helpers are same for both data and voice vlan.

Labels:
0 Helpful
4 Replies 4

Eduardo Aliaga
Level 4
Level 4

‎07-15-2013 08:32 AM

If the phone has passed authentication and authorization succesfully then it's a connectivity issue. The ip phone keeps saying "registering" because it can't reach the Call Manager. Could you please check connectivity ?

0 Helpful

Kashish_Patel
Level 2
Level 2
In response to Eduardo Aliaga

‎07-15-2013 09:30 AM

Phone has not passed authentication. I am letting it fail intentionally to understand the behavior. It lands in DATA domain and can be seen on switch. But phone shows "registering".

0 Helpful

Eduardo Aliaga
Level 4
Level 4
In response to Kashish_Patel

‎07-15-2013 12:13 PM

Hello Kashish

If hte phone has failed authentication then the behavior depends on both the switch configuration and the radius configuration.

For example if the switch has "authentication open" in the switchport configuration, then all traffic will be allowed.

If the radius configuration says that a failed authentication is OK then all traffic will be allowed, if the radius configuration says that a failed authentication is not OK it can deny all traffic.

what radius server are you using ? what is your switch configuration ?

0 Helpful

dynamitec1
Level 1
Level 1

‎07-16-2013 05:05 PM

Kashish,

Pretty sure you meant MDA puts it on either on DATA or VOICE "domain."

You have to create a RULE in your RADIUS server that places VOIP phones into VOICE domain.

If you look at topics I responded to, you will see what I have gone through.



Sent from Cisco Technical Support iPhone App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents