No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


HOW IP PHONE and PC can be authenticated with one Ethernet Interface.

Publication Date:  2013-11-30 Views:  325 Downloads:  0

Issue Description

It is required that any interface can authenticate user, phone and PC, the deploy is this:
- All PC are connected to IP Phone
- IP Phone are connected to switch
- Switch interface must authenticate IP Phone MAC on RADIUS server.
- Also, the user on the PC behind the IP Phone must be able to authenticate with network domain user/password through dot1x on RADIUS server, if the credentials are correct, user can access the network.
- After this, the PC gets IP with DHCP.

Topology like this :

Alarm Information


Handling Process

1. Configure Authentication:

dot1x enable                                                             //Enable the dot1x globally.
dot1x authentication-method chap                      //Here Keep the protocol the same with radius server .
mac-authen                                                             //Here Enable the MAC authentication for IP PHONE.                           
mac-authen username macaddress format with-hyphen
mac-authen domain CNT
radius-server template test
radius-server shared-key simple test123               //Here the password should be the same with radius server.
radius-server authentication 1812
radius-server retransmit 2

domain CNT
authentication-scheme test
radius-server  radius

2.voice-vlan mac-address ****-**00-0000 mask ffff-ff00-0000      //Here we use voice vlan to separate voice service and data service.

3.Configure interface :

interface Ethernet0/0/1
description Authentication MAC Bypass
voice-vlan 1010 enable                                // Vlan 1010 is for voice service.
port hybrid pvid vlan 19                                 //Vlan 19 is for data .
port hybrid untagged vlan 19
dot1x mac-bypass                                        //This means the user use dot1x authentication first ,if fail, turn to MAC authentication.
dot1x reauthenticate
dot1x max-user 2                
dot1x enable                                                 //enable the dot1x in this interface.


   Configure the password and user name for PC on  radius server ,for IP PHONE,
   the username and password is Mac address, and the format should be with hyphen.

After test , PC and IP PHONE can connect to this network successfully.

Root Cause