Core issue
A PC will not authenticate using 802.1x while connected via an IP phone.
Authentication works if a PC is plugged directly into the switch. With an IP phone in the middle, it does not authenticate.
When an 802.1x supplicant connects to the switch through an IP phone in the middle, there is no link-up event at the switch. So, the switch is not directly aware that a PC is connected, and it does not initiate the authentication procedure. If Guest-VLAN is also configured, the port may be placed in the Guest-VLAN first after the periodic (every 30 seconds by default) EAPOL-Identity-Request frames have gone unanswered. Also, once the Guest-VLAN is deployed, EAPOL stops on the wire and the switch can no longer initiate 802.1x. However, if any supplicant that connects to the phone sends EAPOL-Start frames unconditionally, 802.1x can work normally (in which a port is taken out of the Guest-VLAN and is authenticated).
Resolution
In order to resolve this issue, ensure that any known supplicants send EAPOL-Starts if the Guest-VLAN is configured in conjunction with IP Telephony. This can be achieved in the Microsoft supplicant via a registry change.
In order to do this, complete these steps:
- For SupplicantMode, choose Start > Run and type regedit.
- Go to HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode.
- Use a value of 3 for compliance with the IEEE 802.1x specification.