Occasional Contributor II

802.1x - voice bypass

Do voice-marked VLAN devices automatically bypass 802.1x?

 

On my 3810 running WC.16.05.0013 with the following config, the PC attached through the IP phone goes through an authentication process to my ClearPass server, but not the phone itself:

 

vlan 100
name "Auth"
untagged 1-2
no ip address
exit
vlan 101
name "UnAuth"
no ip address
exit
vlan 111
name "Voip"
tagged 1-2
no ip address
voice
exit


interface 1
tagged vlan 111
untagged vlan 100
aaa port-access authenticator
aaa port-access authenticator reauth-period 3600
aaa port-access authenticator auth-vid 100
aaa port-access authenticator unauth-vid 101

 

Super Contributor II

Re: 802.1x - voice bypass

VOICE phones will not bypass 802.1x.

Do the VOICE phones support 802.1x? If not, you should configure MAC auth to authenticate the devices.

 

Also, the 802.1x client limit is by default 1. Personally I don't like the unauth/auth VID. We have ClearPass for this.

 

Please read the wired policy enforcement guide. This gives a lot of details.

 

https://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161


Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Occasional Contributor II

Re: 802.1x - voice bypass

Mixed bag of support for 802.1x on the phones. The newer Cisco IP phones support it, the older ones don't.

 

I have read the wired policy enforcement guide. Whilst I appreciate it captures a lot of information, and kudos to Tim for providing it, I found it missing elements and the format a little jumbled. Maybe a newer release (which was indicated) might clean it up.

Super Contributor II

Re: 802.1x - voice bypass

Please configure a higher client limit. Also enable mac auth at the port.

 

Example config

 

aaa port-access authenticator active

aaa port-access authenticator 1
aaa port-access authenticator 1 client-limit 2

aaa port-access mac-based 1
aaa port-access mac-based 1 addr-limit 2

 

It's also advisable to use (downloadable) user roles


Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Occasional Contributor II

Re: 802.1x - voice bypass

With regards to assigning a voice role for VoIP devices, is there an equivalent command to authorise the phone in the event the switch is unable to contact the authentication server?

 

Cisco equivalent command would be:

 

authentication event server dead action authorize voice
Occasional Contributor II

Re: 802.1x - voice bypass

Aha, found it myself ;)

 

aaa port-access <PORT-LIST> critical-auth voice-vlan <VLAN-ID>
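As an added example (not from the thread, and not Aruba or ClearPass code), a small Python audit that reads ArubaOS-Switch style config text and reports, per 802.1x port, the three gaps raised above: the default client limit of 1 on a port carrying a voice VLAN, no MAC auth fallback for phones without a supplicant, and no critical-auth voice VLAN for when ClearPass is unreachable. It assumes global-style `aaa port-access ... <PORT-LIST>` lines as in Willem's example config; the sample config is constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample: port 1 has only the authenticator, port 2 has the corrected config.
SAMPLE_CONFIG = """\
vlan 111
   name "Voip"
   tagged 1-2
   voice
   exit
aaa port-access authenticator active
aaa port-access authenticator 1-2
aaa port-access authenticator 2 client-limit 2
aaa port-access mac-based 2
aaa port-access mac-based 2 addr-limit 2
aaa port-access 2 critical-auth voice-vlan 111
"""

def expand_ports(spec):
    """Expand a switch port list such as '1-2,5' into a set of port numbers."""
    ports = set()
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config):
    """Return {port: [finding, ...]} for every port with 802.1x enabled (empty list = no gap)."""
    dot1x, limit, macauth, crit = set(), {}, set(), set()
    cur_vlan, voice_vlans, tagged = None, set(), defaultdict(set)
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r'vlan (\d+)$', line):
            cur_vlan = int(m.group(1))                      # entering a VLAN context
        elif cur_vlan and (m := re.match(r'tagged ([\d,-]+)$', line)):
            tagged[cur_vlan] |= expand_ports(m.group(1))
        elif cur_vlan and line == 'voice':
            voice_vlans.add(cur_vlan)                       # VLAN is marked as voice
        elif line == 'exit':
            cur_vlan = None
        elif m := re.match(r'aaa port-access authenticator ([\d,-]+)(?: client-limit (\d+))?(?:\s|$)', line):
            ports = expand_ports(m.group(1)); dot1x |= ports
            if m.group(2):
                for p in ports: limit[p] = int(m.group(2))
        elif m := re.match(r'aaa port-access mac-based ([\d,-]+)(?:\s|$)', line):
            macauth |= expand_ports(m.group(1))
        elif m := re.match(r'aaa port-access ([\d,-]+) critical-auth voice-vlan \d+$', line):
            crit |= expand_ports(m.group(1))
    voice_ports = set().union(*(tagged[v] for v in voice_vlans)) if voice_vlans else set()
    findings = {}
    for p in sorted(dot1x):
        f = []
        if p in voice_ports and limit.get(p, 1) < 2:        # default client-limit is 1
            f.append('client-limit is 1 (default): phone and PC cannot both authenticate')
        if p not in macauth:
            f.append('no mac-based auth: phones without an 802.1x supplicant will fail')
        if p in voice_ports and p not in crit:
            f.append('no critical-auth voice-vlan: phone loses service if the RADIUS server is unreachable')
        findings[p] = f
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags all three gaps on port 1 and none on port 2.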
