DOT1X authentication for IP Phones

acharyr123
Level 3

Hi,

I have DOT1X authentication configured on all switch ports. I also have Cisco IP phones.

My requirement is to allow Cisco IP phones without DOT1X authentication.

Is this possible?

Kindly suggest.

Accepted Solutions

Jatin Katyal
Cisco Employee

So do you have a PC connected behind the phone? If yes, and you just want to authenticate the PC via DOT1X and bypass the authentication for your IP phones, then you need to use the single-host mode command on the concerned ports to disable authentication of the IP phone.

dot1x host-mode single-host
dot1x port-control auto


For newer versions, use these commands:

authentication host-mode single-host
authentication port-control auto


Also, you need to disable 802.1x on the IP phones.


HTH

JK


Do rate helpful posts-

~Jatin


Marwan ALshawi
VIP Alumni

Hi

By enabling forced authorization on a port, the clientless hosts can connect to it and still be part of the trusted VLAN. This has the same effect as not enabling dot1x on the port. This can be particularly useful if a user wants to connect an IP phone or other device that does not have a supplicant but still needs to be part of the secure VLAN. Any host can be connected to this port and be part of the secure VLAN without going through 802.1x authentication. Similarly, the port can be forced to be unauthorized. This has the same effect as shutting down the port.

ALSO

Voice VLAN

Using this feature, Cisco IP phones can be placed in a separate VLAN when they are connected to an Ethernet switch port. This is not an 802.1x feature, but it is useful because the IP phones may not support an 802.1x supplicant. IP phones can be placed in a separate VLAN, bypassing 802.1x authentication. That VLAN can be configured to provide only voice access. The voice VLAN can also use the same DHCP pool as the trusted VLAN by using the ip unnumbered Vlan 10 sub-interface command. If an IP phone is a non-Cisco IP phone, the Voice VLAN feature will not work automatically. Using MAC bypass will permit a non-Cisco phone to be placed onto the voice VLAN.

interface FastEthernet2
 switchport access vlan 10
 switchport voice vlan 11
 dot1x pae authenticator
 dot1x port-control auto

good luck
if helpful Rate
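
An added example, not written by any poster in this thread and not Cisco code: a Python check that reads interface stanzas in show running-config layout and reports, per port, whether 802.1X is enforced, forced open or closed, or absent, accepting both the dot1x and the authentication command forms posted above. The name audit_dot1x, the finding strings and the sample config are constructed for illustration.

```python
import re

# Constructed sample in "show running-config" layout (not from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet1
 authentication host-mode single-host
 authentication port-control auto
!
interface FastEthernet2
 switchport access vlan 10
 switchport voice vlan 11
 dot1x pae authenticator
 dot1x port-control auto
!
interface FastEthernet3
 dot1x port-control force-authorized
!
interface FastEthernet4
 switchport voice vlan 11
"""

# Each pattern accepts the legacy "dot1x" and the newer "authentication" keyword.
PATTERNS = {
    "port_control": re.compile(r"(?:dot1x|authentication) port-control (\S+)$"),
    "host_mode": re.compile(r"(?:dot1x|authentication) host-mode (\S+)$"),
    "voice_vlan": re.compile(r"switchport voice vlan (\d+)$"),
}


def audit_dot1x(config_text):
    """Map each interface to its 802.1X settings plus a one-line finding."""
    report, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = report.setdefault(raw.split()[1], dict.fromkeys(PATTERNS))
        elif raw.strip() and not raw[0].isspace():
            current = None  # "!" or a global command closes the stanza
        elif current is not None:
            for key, rx in PATTERNS.items():
                if (m := rx.match(raw.strip())):
                    current[key] = m.group(1)
    for port in report.values():
        mode = port["port_control"]
        if mode == "auto":
            port["finding"] = "802.1X enforced"
        elif mode is None:
            port["finding"] = "no 802.1X port-control configured"
        else:
            port["finding"] = "no authentication, state forced: " + mode
    return report
```

The check recognises only the two keyword forms that appear in this thread, and it reports every interface stanza it sees, so non-access interfaces show up as having no port-control configured.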
