802.1x Authentication and Phones

astockton
Level 1

I have just begun to roll out 802.1x authentication and am finding that while I got authentication for PCs on the data VLAN to work, phones on the VOICE VLAN are not unless I set "authentication host-mode" to "multi-host".

We have been running unauthenticated for 7 years with phones and PCs both working.

What I want to do (i.e. what Management has told me to make happen) is have phones connect unauthenticated (accepting CDP to handle correct VLAN assignment) but require PCs to authenticate.

I suppose the easy question is: is that even possible? If it is, any advice is greatly appreciated. (Switch config is below.)

Thank you

Arch


!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname switch
!
boot-start-marker
boot-end-marker
!
logging console emergencies
logging monitor emergencies
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication dot1x default group radius
!
!
!
aaa session-id common
clock timezone cst -6
clock summer-time cdt recurring
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
vtp mode transparent
no ip domain-lookup
!
!
ip igmp snooping vlan 41 mrouter interface Gi1/0/27
ip igmp snooping vlan 41 mrouter interface Gi1/0/28
!
mls qos omitted
!

spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 13
name data-VLAN
!
vlan 857
name voice-VLAN
!
vlan 1611
name guest-VLAN
lldp run
!
!
class-map match-all AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
match ip dscp cs3 af31
!
!
policy-map AutoQoS-Police-CiscoPhone
class AutoQoS-VoIP-RTP-Trust
set dscp ef
police 320000 8000 exceed-action policed-dscp-transmit
class AutoQoS-VoIP-Control-Trust
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 13
switchport mode access
switchport voice vlan 857
switchport port-security violation protect
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
priority-queue out
authentication control-direction in
authentication event no-response action authorize vlan 1611
authentication host-mode multi-host
authentication port-control auto
authentication violation protect
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x pae authenticator
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 13,857,1611
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
auto qos voip trust
!
radius-server host 10.1.2.10 auth-port 1645 acct-port 1646
radius-server key 7 ***
radius-server vsa send authentication
end

2 Accepted Solutions

hdussa
Level 1

Hi,

Authentication with PC and phone needs "authentication host-mode multi-domain". You can use the MAC address or 802.1X (username & password) for authentication of the IP phone.

The authentication profile must send "device-traffic-class=voice" to the switch. Then the PC is in the DATA domain and the phone in the VOICE domain.

see attachment:

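As an added example (not from the thread and not the poster's own config), here is what the multi-domain plus MAB arrangement hdussa describes, and that the original poster later reports got working, looks like on the Gi1/0/1 port from the config above. It assumes IOS 12.2(50)SE or later on the 3750 and a RADIUS server that answers the phone's MAC; the FreeRADIUS lines and the phone MAC are constructed.

```ios
! Added example, not the thread's config: one access port with the PC
! authenticated by 802.1X and the phone by MAC Authentication Bypass.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 13
 switchport voice vlan 857
 ! one device allowed in the DATA domain and one in the VOICE domain
 authentication host-mode multi-domain
 authentication port-control auto
 ! try 802.1X first, then fall back to MAB for the phone (no supplicant)
 authentication order dot1x mab
 authentication priority dot1x mab
 ! unauthenticated PCs still land in the guest VLAN as on the original port
 authentication event no-response action authorize vlan 1611
 authentication violation protect
 mab
 dot1x pae authenticator
 ! shorter EAP retry so the phone reaches MAB fallback sooner
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! RADIUS side (FreeRADIUS "users" file syntax, constructed sample MAC):
! for MAB the phone's MAC is both username and password, and the reply
! must carry device-traffic-class=voice, otherwise the phone is placed in
! the DATA domain and the PC then triggers the violation action.
!
! 001122334455  Cleartext-Password := "001122334455"
!               Cisco-AVPair = "device-traffic-class=voice"
!
! Check which domain each MAC ended up in after plugging both in:
! switch# show authentication sessions interface GigabitEthernet1/0/1
```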

Jatin Katyal
Cisco Employee

Yes you can do that. When a Cisco IP phone is plugged into a port that is configured with a voice VLAN and single-host mode, the phone is silently allowed onto the network by way of a feature known as CDP Bypass. The phone, or any device, that sends the appropriate type-length-value (TLV) messages in a CDP message is allowed access to the voice VLAN. CDP Bypass is a legacy feature that has been deprecated in favor of MDA for these reasons.

HTH

~ Jatin


4 Replies

Hi,

The CDP Bypass feature is a stone-age solution that is only supported on the old platforms like 2960/3750 but not 3750X. Do you know any other options that can be used to authenticate only the PC but not the IP phone?

Excluding:

MIC

MAB


Your network partner in Luxembourg
http://www.itnet.lu

astockton
Level 1

Jatin and hdussa,

Thank you both for the answers. They both pointed me in the right direction and I was able to make MAB work.

Arch