Every access interface must be able to authenticate the user, the IP phone and the PC. The deployment is as follows:
- Every PC is connected to an IP phone.
- The IP phones are connected to the switch.
- The switch interface must authenticate the IP phone's MAC address against the RADIUS server.
- The user on the PC behind the IP phone must also be able to authenticate with a network domain user name and password through dot1x against the RADIUS server. If the credentials are correct, the user can access the network.
- After this, the PC gets its IP address through DHCP.
Topology: PC, connected to the IP phone, connected to the switch interface, with the switch authenticating against the RADIUS server.
1. Configure authentication:
dot1x enable // Enable dot1x globally.
dot1x authentication-method chap // Use the same authentication protocol as the RADIUS server.
mac-authen // Enable MAC authentication for the IP phone.
mac-authen username macaddress format with-hyphen
mac-authen domain CNT
radius-server template test
 radius-server shared-key simple test123 // The key must be the same as on the RADIUS server. "simple" stores it in plain text in the configuration; "cipher" stores it encrypted.
 radius-server authentication 22.214.171.124 1812
 radius-server retransmit 2
2. Configure the voice VLAN:
voice-vlan mac-address ****-**00-0000 mask ffff-ff00-0000 // The voice VLAN separates the voice service from the data service.
3. Configure the interface:
description Authentication MAC Bypass
voice-vlan 1010 enable // VLAN 1010 is for the voice service.
port hybrid pvid vlan 19 // VLAN 19 is for data.
port hybrid untagged vlan 19
dot1x mac-bypass // dot1x authentication is tried first; if it fails, the port falls back to MAC authentication.
dot1x max-user 2
dot1x enable // Enable dot1x on this interface.
On the RADIUS server, configure the user name and password for the PC user. For the IP phone, the user name and the password are both the phone's MAC address, written in the with-hyphen format.
After testing, the PC and the IP phone can both connect to the network successfully.
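The RADIUS-side step for the phones can be scripted. The following is an added example, not part of the original write-up: it normalises a phone inventory to the with-hyphen form, keeps only MACs that the voice-vlan OUI rule would match, and emits one account per phone with the MAC as user name and password. Assumptions: the with-hyphen form is three groups of four hex digits (the layout the page uses in its voice-vlan command), the output uses FreeRADIUS users-file syntax, and the OUI and inventory are constructed because the page masks its real OUI.

```python
import re

VOICE_OUI = "0011-2200-0000"   # constructed; the page masks its real OUI
VOICE_MASK = "ffff-ff00-0000"  # mask from the page's voice-vlan command

def to_with_hyphen(mac):
    """Normalise aa:bb:.., aa-bb-.., aabb.ccdd.eeff or bare hex to xxxx-xxxx-xxxx."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))

def _as_int(mac):
    return int(to_with_hyphen(mac).replace("-", ""), 16)

def in_voice_oui(mac, oui=VOICE_OUI, mask=VOICE_MASK):
    """True when mac & mask == oui & mask, i.e. the voice-vlan rule would match."""
    return _as_int(mac) & _as_int(mask) == _as_int(oui) & _as_int(mask)

def build_users(inventory):
    """Return (users-file lines, rejected inputs) for a list of phone MACs."""
    lines, rejected = [], []
    for raw in inventory:
        try:
            name = to_with_hyphen(raw)
        except ValueError:
            rejected.append(raw)          # malformed entry
            continue
        if not in_voice_oui(name):
            rejected.append(raw)          # not a phone OUI: no MAC-bypass account
            continue
        # CHAP (the page's authentication-method) needs the server to hold
        # the password in recoverable form, hence Cleartext-Password.
        lines.append(f'{name} Cleartext-Password := "{name}"')
    return lines, rejected

# Constructed inventory in mixed notations.
SAMPLE = ["00:11:22:AA:BB:CC", "0011.22aa.bbcd", "00-11-22-0A-0B-0C",
          "a4:5e:60:12:34:56", "0011-22zz-0000"]

if __name__ == "__main__":
    users, bad = build_users(SAMPLE)
    print("\n".join(users))
    print("rejected:", bad)
```

Entries in the rejected list are the ones to review by hand before any MAC-bypass account is created for them.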