Using Auto voice VLAN for IP Phone and 802.1x/Guest access passthrough

mdsgnmds
Level 1

Hello dear experts!

Recently I finally got my order of 3x CBS350-48P-4G switches. So far we were working in a simple and insecure manner - we have one workstation VLAN, IP phones connect directly to the switch ports and via passthrough on the IP Phone we connect our laptops. Now I would like to configure ports that go to our workstations to have the following features:

1) IP Phone itself gets Auto Voice VLAN (10). We use Grandstream GXP2170.

2) If a corporate laptop is connected to passthrough port, it authenticates via 802.1X and gets Workstation VLAN(3).

3) If a device fails 802.1X auth it gets guest network(Vlan 6) for simple internet access.

Now the issues: I have configured all these features and they work fine if I connect one device directly to the switch. The IP phone gets an Auto Voice VLAN, workstations get on the corporate network and any other devices are assigned the guest network. The issue is when using the passthrough port: if a corporate laptop is connected, it authenticates and gets on the internal network, but then so does the phone, which after a while switches to the Voice VLAN. If I move the passthrough cable to a non-corporate laptop, the authorisation is still active and that device also gets on the corporate workstation VLAN.

Is there anything I am missing in the configuration, or is this simply an issue with my setup and I won't get it to work this way?

Appreciating all thoughts!

 

Accepted Solutions

Rodrigo Diaz
Cisco Employee

Hello, I would check whether the port has multiple authentication configured, as with this feature both connected devices (the PC and the IP phone) will have an independent RADIUS session within the switchport. Also confirm that the feature is valid on the platform where you're working.

For your reference https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/5700/sec-user-8021x-xe-3se-5700-book/sec-ieee-802x-multi-auth.pdf 

I hope it helped you. 
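
The behaviour discussed in this thread, as a simplified Python model added here (not code from the posters or from Cisco). It contrasts a port where one successful 802.1X login authorises every device behind it with a port that keeps an independent session per device. The class, function names and MAC addresses are hypothetical, and the phone's tagged voice traffic is not modelled.

```python
# Simplified model (an assumption, not switch firmware) of how one switch
# port places untagged traffic into VLANs under two host-authentication modes.
from dataclasses import dataclass, field

WORKSTATION_VLAN, GUEST_VLAN = 3, 6   # VLAN IDs taken from the thread


@dataclass
class Port:
    mode: str                                   # "multi-host" or "per-session"
    authed: set = field(default_factory=set)    # MACs that passed 802.1X

    def authenticate(self, mac: str, radius_accept: bool) -> None:
        """Record the outcome of one supplicant's 802.1X exchange."""
        if radius_accept:
            self.authed.add(mac)

    def vlan_for(self, mac: str) -> int:
        """VLAN that untagged frames from this source MAC are placed in."""
        if self.mode == "multi-host":
            # One successful supplicant authorises the whole port.
            return WORKSTATION_VLAN if self.authed else GUEST_VLAN
        # Per-session: each MAC is judged on its own authentication state.
        return WORKSTATION_VLAN if mac in self.authed else GUEST_VLAN


def passthrough_swap(mode: str) -> dict:
    """Replay the thread's scenario; the MAC addresses are constructed samples."""
    phone, corp, visitor = ("02:00:00:00:00:01", "02:00:00:00:00:aa",
                            "02:00:00:00:00:bb")
    port = Port(mode)
    port.authenticate(corp, radius_accept=True)      # corporate laptop behind phone
    # The cable is moved on the phone's PC port, so the switch port never sees
    # link-down and the corporate session is still present.
    port.authenticate(visitor, radius_accept=False)  # visitor has no credentials
    return {"phone": port.vlan_for(phone), "corp": port.vlan_for(corp),
            "visitor": port.vlan_for(visitor)}


if __name__ == "__main__":
    for mode in ("multi-host", "per-session"):
        print(mode, passthrough_swap(mode))
```

In the per-session case the phone's untagged traffic also falls to the guest VLAN because the phone never authenticates, which matches what the original poster reports after changing the mode.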

4 Replies

balaji.bandi
Hall of Fame

How is your port config? Can you post that information?

Do you have smart port enabled on the port?

 

BB


Hello! I have tried it with Smartport enabled and disabled; the working situation I described is with Smartport enabled, which seemed to give the best results.

Can you tell me which settings you are interested in? The port is in trunk mode, with the workstation VLAN (3U) and VoIP VLAN (10T) added to it, and the operational VLANs are 3U, 6G (guest VLAN), 10T. Smartport is set to static IP phone + Desktop.

802.1x: Port authentication is set to auto, with guest VLAN and 802.1x based auth enabled. Re-auth is set to the default 3600, and so are the other settings. Host and session auth is set to: Multiple Host (802.1X).

Thank you for the idea, the passthrough port now authenticates nicely and devices that fail authentication get on the guest VLAN!

For some reason the auto voice VLAN is not assigned anymore for the phone itself; instead it gets on the guest VLAN, but that must be a mistake I have made somewhere while trying to get this to work.

 

 
