802.1x authentication when PC is connected to the back of the IP phone

rakesh.hegde
Level 1

I am testing the 802.1x authentication MAC address bypass feature to allow dynamic VLAN allocation based on the MAC address. We are converting CatOS based 65ks to IOS based. The plan is to replace VMPS with the 802.1x MAC bypass feature. Everything works great if the PCs are directly connected to the switch port. If the PC is connected to the back of the IP phone, it will be put on the right VLAN the very first time. When that PC is moved to some other port (to the back of some other IP phone) on the same switch, the switch throws an error message saying it's a security violation because a secure MAC address is already present in the MAC table for another port for the same VLAN. This is because when the PC was disconnected the switch port stayed up, apparently causing the switch not to clear the MAC address entry. If the PC is directly connected to the switch, the port will go down and the MAC entry would be deleted.

This allows the same device to be plugged into other ports and put in the same VLAN on the same switch. Any ideas how to work around this problem?

4 Replies

bbayer
Level 1

Yes, there is a timer you can set that will flush inactive MACs out of the table that 802.1X creates. There is also a command you can use to flush it manually.

http://www.cisco.com/en/US/partner/docs/routers/7600/ios/12.2SXF/configuration/guide/dot1x.html

Brian :)

Hi Brian,

Thanks for the info. I tried clear mac-address-table dynamic, but it didn't help. The only way to get rid of it was to reboot the switch. This doesn't even come close to the transparency and resiliency provided by VMPS, and Cisco stopped VMPS server support on 65k IOS. We don't want to be clearing MACs every time a user moves to different ports.

Just a thought :-)

-Rakesh

Cisco added 802.1x Proxy EAPOL-Logoff to some of its IP Phones. It works by sending an 802.1x EAPOL-Logoff message when the PC is disconnected.

http://www.cisco.com/en/US/products/hw/phones/ps379/prod_release_note09186a0080621244.html#wp1152927

I'm not sure if any other vendors have added this functionality to their IP phones?

Andy
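Added example (not code from this thread, Cisco, or any IP phone firmware): a small Python model of why the stale secure-MAC entry triggers the violation described above, and how a proxy EAPOL-Logoff from the phone clears it the way a link-down would. It assumes the phone sends the Logoff frame with the disconnected PC's MAC as the source address; the frame layout is the standard 802.1X EAPOL header (EtherType 0x888E, version, type, length).

```python
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC
EAPOL_LOGOFF = 2                                # EAPOL packet type 2 = Logoff


def build_eapol_logoff(src_mac: str) -> bytes:
    """EAPOL-Logoff frame; assumed sent by the phone with the PC's MAC as source."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    # version 1, type Logoff, body length 0 (a Logoff carries no body)
    return PAE_GROUP_ADDR + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, EAPOL_LOGOFF, 0)


def parse_eapol(frame: bytes):
    """Return (source MAC, EAPOL type) for an 802.1X frame, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return None
    _version, ptype, _length = struct.unpack("!BBH", frame[14:18])
    return frame[6:12].hex(":"), ptype


class SecureMacTable:
    """Toy model of the switch's secure MAC table, keyed by (MAC, VLAN)."""

    def __init__(self):
        self.port_of = {}  # (mac, vlan) -> port currently holding the secure entry

    def learn(self, mac, vlan, port):
        """'violation' if the MAC is still secured on another port in that VLAN."""
        held = self.port_of.get((mac, vlan))
        if held is not None and held != port:
            return "violation"
        self.port_of[(mac, vlan)] = port
        return "ok"

    def on_frame(self, port, frame):
        """A proxy EAPOL-Logoff on the port clears that MAC's entries there."""
        parsed = parse_eapol(frame)
        if parsed and parsed[1] == EAPOL_LOGOFF:
            mac = parsed[0]
            for key in [k for k in self.port_of if k[0] == mac and self.port_of[k] == port]:
                del self.port_of[key]
            return True
        return False


def move_pc(table, mac, vlan, old_port, new_port, phone_proxies_logoff):
    """Replay the thread's scenario: PC secured behind one phone, then moved."""
    table.learn(mac, vlan, old_port)
    if phone_proxies_logoff:  # phone notices the PC was unplugged from its PC port
        table.on_frame(old_port, build_eapol_logoff(mac))
    return table.learn(mac, vlan, new_port)
```

Without the proxy Logoff the entry stays bound to the first phone's port and the second port reports a violation; with it the move succeeds.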

Hi Andy,

That was helpful. At least we now have a potential workaround. Right now the only way is to either reboot the switch or disable/enable the switch port connecting the IP phone and the PC (at least that's what I figured).

-Rakesh
