cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
680
Views
0
Helpful
3
Replies

baypass 802.1X for ip phone

Hi,

I'm working in the deployment of ISE ver2.0. currently I have  carried out some test with 802.1X,   PCs that are in the domain get access to network, the PCs that are not in the domain are rejected to get access to network.  That's ok.

Now when I connect an ip phone  7945 to the switch's port configured to handle 802.1X ,the phone  does not registered with CUCM. If I connect my laptop to ipphone, the laptop is authenticated . For the moment I don't need 802.1.X for ip phones.

The current config I have is the next, is something left or something wrong 


interface GigabitEthernet1/0/15
 switchport mode access
 switchport voice vlan 10
 authentication event no-response action authorize vlan 50
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 spanning-tree portfast

is something left or something wrong , so that the ip phone can registered in this port??

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi1/0/15     3417.eb5a.a7ac N/A     DATA    Auth      C0A800900000002D017A5D44
Gi1/0/15     0024.142d.d847 N/A     UNKNOWN Unauth    C0A800900000002E017A6338  (IP PHONE)

if I change authentication host-mode multi-auth to authentication host-mode multi-host,  the ip phone can registered but the laptop  does not

authenticate, it is assigned vlan guest network segment  (vlan 50).

SW_ISE#sh authentication sessions

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi1/0/15     3417.eb5a.a7ac N/A     DATA    Auth      C0A800900000001100DD998F    (laptop does not authenticate, received vlan 50 ip address)

regards

3 Replies 3

milan.kulik
Level 10
Level 10

Hi,

so  the IP phone should  be authenticated by MAB?

And CDP is permitted on the switch port to recognize Cisco IP phones?

I guess you can see the phone's MAC address among Cisco IP phones  in your ISE Identity Endpoint  database?

And finally the Authorization Profile for Cisco IP Phones on your ISE is assigning them to the Voice Domain?

Best regards,

Milan

Hi Milan, thanks for your recommendations and time.

yes, I want IP phone authenticated by MAB and the computer connected to ip phone must authenticated by 802.1X.

IP phone is shown in database and authorization profile for ip phone has the following options as is shown in screenshot.


SW_ISE#sh authentication sessions

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi1/0/15     0024.142d.d847 N/A     UNKNOWN Unauth    C0A8009000000010004753F4

Any other option I can check?

regards

Hi,

how does you authentication/authorization policy for MAB look like then?

Can't you se anything from the ISE Authentication Detail Report for the phone?

BR,

Milan

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: