How an IP Phone and a PC Can Be Authenticated on One Ethernet Interface

Publication Date: 2013-11-30
Issue Description
Every access interface must be able to authenticate both an IP phone and the PC user behind it. The deployment is as follows:
- All PCs are connected to IP phones.
- The IP phones are connected to the switch.
- The switch interface must authenticate the IP phone's MAC address on the RADIUS server.
- The user on the PC behind the IP phone must also be able to authenticate with a network domain user name and password through dot1x on the RADIUS server. If the credentials are correct, the user can access the network.
- After this, the PC gets its IP address through DHCP.

Topology like this:
Alarm Information
NONE
Handling Process
1. Configure authentication:

dot1x enable                                        //Enable dot1x globally.
dot1x authentication-method chap                    //Keep the protocol the same as on the RADIUS server.
mac-authen                                          //Enable MAC authentication for the IP phone.
mac-authen username macaddress format with-hyphen
mac-authen domain CNT
#
radius-server template test
radius-server shared-key simple test123             //The key must be the same as on the RADIUS server. "simple" keeps it in plain text in the configuration; the "cipher" keyword stores it encrypted.
radius-server authentication 181.12.27.33 1812
radius-server retransmit 2
#
aaa
domain CNT
authentication-scheme test                          //The scheme "test" must already exist in the aaa view with RADIUS as its authentication mode.
radius-server test                                  //Must be the name of the RADIUS server template defined above.
#

2. Configure the voice VLAN OUI:

voice-vlan mac-address ****-**00-0000 mask ffff-ff00-0000      //The voice VLAN separates the voice service from the data service.


3. Configure the interface:

interface Ethernet0/0/1
description Authentication MAC Bypass
voice-vlan 1010 enable              //VLAN 1010 is for the voice service.
port hybrid pvid vlan 19            //VLAN 19 is for data.
port hybrid untagged vlan 19
dot1x mac-bypass                    //The port tries dot1x authentication first; if it fails, the port falls back to MAC authentication.
dot1x reauthenticate
dot1x max-user 2                    //Two users on the port: the IP phone and the PC.
dot1x enable                        //Enable dot1x on this interface.

4. Follow-up:

   Configure the user name and password for the PC user on the RADIUS server. For the IP phone,
   both the user name and the password are its MAC address, and the format must be with hyphens.

After testing, the PC and the IP phone can both connect to this network successfully.
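
For step 4, the MAC address the switch sends as user name has to match the RADIUS entry character for character. The following is an added example, not part of the original case: it converts a phone inventory to the hyphenated format, keeps only MACs inside the voice VLAN OUI, and emits user entries. Assumptions: the with-hyphen format is xxxx-xxxx-xxxx as in the voice-vlan command, the server reads FreeRADIUS-style users-file lines, and the OUI 0011-2200-0000 and the inventory are constructed sample values.

```python
import re

# Constructed sample values; the page masks the real OUI (****-**00-0000).
VOICE_OUI = "0011-2200-0000"
VOICE_MASK = "ffff-ff00-0000"
INVENTORY = [
    "00:11:22:AA:BB:01",   # colon notation
    "0011.22aa.bb02",      # dotted notation
    "00-11-22-AA-BB-03",   # byte-wise hyphens
    "3C:52:82:10:20:30",   # not a phone OUI
    "00:11:22:AA:BB",      # truncated entry
]

def huawei_mac(mac):
    """Normalize common MAC notations to lower-case xxxx-xxxx-xxxx."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))

def in_voice_oui(mac, oui=VOICE_OUI, mask=VOICE_MASK):
    """True if the masked bits of mac equal the masked bits of the OUI."""
    def as_int(m):
        return int(huawei_mac(m).replace("-", ""), 16)
    return (as_int(mac) & as_int(mask)) == (as_int(oui) & as_int(mask))

def radius_entries(inventory):
    """Return (entries, rejected) for a list of raw MAC strings."""
    entries, rejected = [], []
    for raw in inventory:
        try:
            mac = huawei_mac(raw)
        except ValueError:
            rejected.append(raw)          # malformed inventory line
            continue
        if in_voice_oui(mac):
            # User name and password are both the MAC, as in step 4.
            entries.append(f'{mac} Cleartext-Password := "{mac}"')
        else:
            rejected.append(raw)          # keep non-phone MACs out of MAC authentication
    return entries, rejected

if __name__ == "__main__":
    entries, rejected = radius_entries(INVENTORY)
    print("\n".join(entries))
    print("rejected:", rejected)
```

Entries in the rejected list are worth reviewing by hand before any of them is given a MAC authentication account.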
Root Cause
NONE
Suggestions
NONE
