Ah, I figured you meant using 802.1X for both devices. As long as authenticator and mac-based are configured on the port, both services are available for any devices that connect. Whether or not an EAP authentication (802.1X) happens is based on whether or not the connecting device supports 802.1X.
My starting point for a configuration looks like:
aaa port-access mac-based 1/1-1/48
aaa port-access mac-based 1/1-1/48 addr-limit 2
aaa port-access mac-based 1/1-1/48 mac-pin
aaa port-access mac-based 1/1-1/48 quiet-period 30
aaa port-access authenticator 1/1-1/48 client-limit 2
aaa port-access authenticator 1/1-1/48 supplicant-timeout 6
aaa port-access authenticator 1/1-1/48 tx-period 6
aaa port-access authenticator 1/1-1/48 max-requests 2
aaa port-access authenticator 1/1-1/48 max-eap-retries 2
aaa port-access authenticator 1/1-1/48
aaa port-access authenticator active
aaa port-access 1/1-1/48 auth-order authenticator mac-based
aaa port-access 1/1-1/48 auth-priority authenticator mac-based
The important piece here is the auth-order and auth-priority, that decides which method gets attempted first and which method's result gets applied. When attempting authenticator first, make sure to tune the process so that a client device doesn't spend two minutes before the MAC auth happens.
------------------------------
Carson Hulcher, ACEX#110
------------------------------
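An added example, not part of the original post and not Aruba tooling: a small Python check that reads `aaa port-access` lines like the ones above and lists ports that enable both authenticator and mac-based without an explicit auth-order or auth-priority, or with client/address limits below two devices. The numeric slot/port notation, the two-device threshold (one laptop plus one phone) and the sample config are assumptions made for the example.

```python
import re

# Constructed sample: ports 1/1-1/4 follow the reply; 1/5 only enables both methods.
SAMPLE = """\
aaa port-access mac-based 1/1-1/4
aaa port-access mac-based 1/1-1/4 addr-limit 2
aaa port-access authenticator 1/1-1/4 client-limit 2
aaa port-access authenticator 1/1-1/4
aaa port-access authenticator 1/5
aaa port-access mac-based 1/5
aaa port-access authenticator active
aaa port-access 1/1-1/4 auth-order authenticator mac-based
aaa port-access 1/1-1/4 auth-priority authenticator mac-based
"""
LINE = re.compile(r"aaa port-access\s+(?:(authenticator|mac-based)\s+)?(\d+/\d[\d/,-]*)\s*(.*)$")

def expand_ports(spec):
    """Expand '1/1-1/4,1/7' into ['1/1', '1/2', '1/3', '1/4', '1/7']."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        slot, first = lo.split("/")
        last = hi.split("/")[1] if hi else first
        ports += [f"{slot}/{n}" for n in range(int(first), int(last) + 1)]
    return ports

def parse(config):
    """Return {port: {setting: value}}; global lines without a port list are skipped."""
    table = {}
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if m:
            method, spec, rest = m.groups()
            words = rest.split() or ["enabled"]
            key = f"{method} {words[0]}" if method else words[0]
            for port in expand_ports(spec):
                table.setdefault(port, {})[key] = " ".join(words[1:]) or True
    return table

def review(table, devices=2):
    """Notes for ports that run both methods; 'devices' is an assumed laptop + phone."""
    notes = []
    for port, s in table.items():
        if "authenticator enabled" in s and "mac-based enabled" in s:
            notes += [(port, f"no explicit {k}") for k in ("auth-order", "auth-priority") if k not in s]
            notes += [(port, f"{k} below {devices} or unset")
                      for k in ("authenticator client-limit", "mac-based addr-limit")
                      if int(s.get(k, 0)) < devices]
    return notes
```

Calling `review(parse(SAMPLE))` returns four notes, all for port 1/5; a line that does not begin with `aaa port-access` is ignored rather than reported.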
Original Message:
Sent: May 14, 2024 05:13 PM
From: barry.stollberg
Subject: laptop (dot1x) and ip-phone DUR on same switch-port
On the 2930, where do I configure this? Just to be sure the phone will use the mac profile and the laptop will use the dot1x profile?
aaa port-access authenticator 1/2-1/8
aaa port-access authenticator 1/2 tx-period 10
aaa port-access authenticator 1/2 supplicant-timeout 10
aaa port-access authenticator 1/2 client-limit 5
aaa port-access authenticator 1/3 tx-period 10
aaa port-access mac-based 1/2-1/8
aaa port-access mac-based 1/2 addr-limit 4
aaa port-access mac-based 1/3 addr-limit 4
aaa port-access mac-based 1/4 addr-limit 4
aaa port-access mac-based 1/5 addr-limit 4
aaa port-access 1/2 mixed
aaa port-access 1/3 mixed
aaa port-access 1/4 mixed
Original Message:
Sent: May 14, 2024 04:04 PM
From: chulcher
Subject: laptop (dot1x) and ip-phone DUR on same switch-port
This is just standard 802.1X configuration, just don't set the port to "device-mode".
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: May 14, 2024 02:41 PM
From: barry.stollberg
Subject: laptop (dot1x) and ip-phone DUR on same switch-port
Is there a good document on using a laptop (dot1x) and ip-phone DUR on same switch-port? I have a ClearPass service for dot1x and another for mac auth.