I'm working on implementing 802.1x on my access-layer switches (Cisco 2960X for the most part). I've gotten a port that I'm testing with working with a Windows laptop so that it successfully authenticates, and if a computer without valid credentials or with the Wired AutoConfig service turned off is plugged in, it gets dumped into a guest VLAN. However, when I attempt to plug a VoIP phone into that port, it doesn't connect and gets dumped in the guest network.
The phone is a Polycom VVX410. When I manually assign the voice VLAN on a port and plug the phone in, it gets dumped in the correct voice VLAN and works. From what I'm reading, if a phone successfully identifies itself as being a phone and supports CDP, it gets dumped on the voice VLAN with no further authentication required. The VVX410 does both. I would have to coordinate with my voice service provider to try to set up 802.1x on the phones, so I'm trying to avoid that at all costs.
The relevant points in my config are below. I very much appreciate any help that can be offered to point me in the correct direction.
VLAN 10 - protected internal
VLAN 50 - voice
VLAN 64 - guest/restricted network

aaa new-model
aaa authentication dot1x default group nps-group
aaa group server radius nps-group
 server name nps
radius server nps
 address ipv4 10.0.0.121 auth-port 1645 acct-port 1646
 key 7 therealkey
interface GigabitEthernet4/0/9
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 50
 authentication event fail action authorize vlan 64
 authentication event server dead action authorize vlan 64
 authentication event no-response action authorize vlan 64
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout quiet-period 15
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
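As an added example (not part of the original post), the small audit below parses an IOS interface stanza like the one above, reports which 802.1X-related commands are present, and maps each authentication failure event to the VLAN the port falls back into. The sample stanza is taken from the post; treating `authentication host-mode multi-domain` and `mab` as the commands worth checking when a phone shares an 802.1X port is the editor's assumption, to be confirmed against the switch's IOS release documentation.

```python
import re

# Sample input constructed from the interface stanza in the post.
SAMPLE_CONFIG = """\
interface GigabitEthernet4/0/9
 switchport access vlan 10
 switchport voice vlan 50
 authentication event fail action authorize vlan 64
 authentication event server dead action authorize vlan 64
 authentication event no-response action authorize vlan 64
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
"""

# Interface commands the audit looks for (prefix match, so a VLAN number or
# keyword after the command still counts). Host-mode and mab are included on
# the assumption that they matter when a phone and a PC share one port.
EXPECTED = ("authentication port-control auto", "dot1x pae authenticator",
            "switchport voice vlan", "authentication host-mode multi-domain", "mab")

EVENT_RE = re.compile(r"^authentication event (.+?) action authorize vlan (\d+)$")


def parse_interfaces(config):
    """Split running-config text into {interface name: [subcommands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit_interface(subcommands):
    """Return {command: True/False} for every command in EXPECTED."""
    return {cmd: any(s == cmd or s.startswith(cmd + " ") for s in subcommands)
            for cmd in EXPECTED}


def fallback_vlans(subcommands):
    """Map each 'authentication event ... authorize vlan N' to its VLAN id."""
    return {m.group(1): int(m.group(2))
            for m in map(EVENT_RE.match, subcommands) if m}


if __name__ == "__main__":
    for name, subs in parse_interfaces(SAMPLE_CONFIG).items():
        print(name, audit_interface(subs), fallback_vlans(subs))
```

Run against the posted stanza, the report shows every failure event landing in VLAN 64 and no host-mode or mab line present, which is the starting point for comparing the port against the vendor's guidance for phone-plus-PC ports.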