PC connects to IP phone and they connect to the switch.
For PC there is the need to use order of authentication. Need firstly to check mac-authen if fail then dot1x.
For IP phone No auth at all.
Phone must work even without PC. No mac of phones added to Radius.
Firstly we used recommended software version for S5700 --- V200R003C00SPC300.
This version suggests mac-bypass function. But if we made authentication by mac, and after it 802.1x become available process of re-authentication will begin. It was not suitable for customer.
From Huawei product documentation
Comparing with Cxx manufacturer switches: Cxx manufacturer may act as both Case 1 and Case 2. Huawei can act only like Case 2, when using V200R003C00SPC300 version.
We tested S5700-52P-PWR-LI-AC. At V200R006C00SPC500 release we can config like Case 1. Following commands appear. Unified Mode has been realesed.
[interface view] authentication mac-authen dot1x
At V200R007C00SPC500 version command authentication device-type voice authorize appeared. It helps not to use authentication for VoIP phones at all.
So for desired auth scheme we advised customer to use V200R007C00SPC500 with Unified Mode NAC.