TCC_2

Core issue

A PC will not authenticate using 802.1x while connected via an IP phone.

Authentication works if a PC is plugged directly into the switch. With an IP phone in the middle, it does not authenticate.

When an 802.1x supplicant connects to the switch through an IP phone, the switch sees no link-up event, because the link between the switch and the phone is already up. The switch is therefore not directly aware that a PC has been connected, and it does not initiate the authentication procedure. If Guest-VLAN is also configured, the port may first be placed in the Guest-VLAN after the periodic EAPOL-Identity-Request frames (sent every 30 seconds by default) have gone unanswered. Once the Guest-VLAN is deployed, EAPOL stops on the wire and the switch can no longer initiate 802.1x. However, if a supplicant connected to the phone sends EAPOL-Start frames unconditionally, 802.1x works normally: the port is taken out of the Guest-VLAN and is authenticated.

Resolution

To resolve this issue, ensure that all known supplicants send EAPOL-Start frames if the Guest-VLAN is configured in conjunction with IP Telephony. In the Microsoft supplicant, this can be achieved with a registry change.


In order to do this, complete these steps:
  1. To set SupplicantMode, choose Start > Run and type regedit.

  2. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode.

  3. Use a value of 3 for compliance with the IEEE 802.1x specification.
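
To confirm from a packet capture that a supplicant behind the phone now sends EAPOL-Start, the frames described above can be classified as follows. This is an added example, not part of the original article or Cisco tooling; it assumes untagged Ethernet frames supplied as raw bytes, and the sample frames and MAC addresses are constructed.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                    # IEEE 802.1X (EAP over LAN)
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def classify(frame: bytes):
    """Label one untagged Ethernet frame; None if it is not EAPOL."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if ptype != 0:
        return EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    eap = frame[18:18 + length]             # length excludes Ethernet padding
    if len(eap) < 4:
        return "EAP-malformed"
    label = "EAP-" + EAP_CODES.get(eap[0], f"code-{eap[0]}")
    # Requests and responses carry a type byte; type 1 is Identity.
    if eap[0] in (1, 2) and len(eap) >= 5 and eap[4] == 1:
        label += "/Identity"
    return label

def diagnose(frames):
    """Summarise a capture taken on the switch port facing the phone."""
    labels = [lab for lab in map(classify, frames) if lab]
    starts = labels.count("EAPOL-Start")
    requests = labels.count("EAP-Request/Identity")
    responses = labels.count("EAP-Response/Identity")
    if starts:
        verdict = "supplicant sends EAPOL-Start"
    elif requests and not responses:
        verdict = "identity requests unanswered"
    elif not labels:
        verdict = "no EAPOL on the wire"
    else:
        verdict = "no EAPOL-Start from supplicant"
    return {"starts": starts, "requests": requests,
            "responses": responses, "verdict": verdict}

def _frame(src_mac: str, eapol: bytes) -> bytes:
    return PAE_GROUP + bytes.fromhex(src_mac) + struct.pack("!H", EAPOL_ETHERTYPE) + eapol

# Constructed sample frames (MAC addresses are made up).
REQ_ID = _frame("001122334455", bytes([1, 0, 0, 5, 1, 1, 0, 5, 1]))  # switch -> PC
START = _frame("66778899aabb", bytes([1, 1, 0, 0]))                  # PC -> switch

if __name__ == "__main__":
    print(diagnose([REQ_ID] * 3))            # supplicant stays silent
    print(diagnose([REQ_ID] * 3 + [START]))  # supplicant initiates
```

A verdict of "identity requests unanswered" or "no EAPOL on the wire" matches the failure sequence described under Core issue.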