A PC will not authenticate using 802.1x while connected via an IP phone.
Authentication works if a PC is plugged directly into the switch. With an IP phone in the middle, it does not authenticate.
When an 802.1x supplicant connects to the switch through an IP phone in the middle, there is no link-up event at the switch. So, the switch is not directly aware that a PC is connected, and it does not initiate the authentication procedure. If Guest-VLAN is also configured, the port may be placed in the Guest-VLAN first after the periodic (every 30 seconds by default) EAPOL-Identity-Request frames have gone unanswered. Also, once the Guest-VLAN is deployed, EAPOL stops on the wire and the switch can no longer initiate 802.1x. However, if any supplicant that connects to the phone sends EAPOL-Start frames unconditionally, 802.1x can work normally (in which a port is taken out of the Guest-VLAN and is authenticated).
In order to resolve this issue, ensure that any known supplicants send EAPOL-Starts if the Guest-VLAN is configured in conjunction with IP Telephony. This can be achieved in the Microsoft supplicant via a registry change.
In order to do this, complete these steps:
For SupplicantMode, choose Start > Run and type regedit.
Go to HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode.
Use a value of 3 for compliance with the IEEE 802.1x specification.
I have a pair of ASA 5525-X that I want to convert to FTD image. I built a new FMCv 6.6 to manage them.I converted the ASA firepower classic licenses to the smart license already. I also registered the new FMC to the license portal...But the license quant...