Hello,

I have an IP phone that DOES NOT SUPPORT DOT1X. I have a RADIUS server using freeradius on a Linux machine. I am able to authenticate the IP phone via MAB. Here are my configuration on the FastEthernet port on the Cisco Catalyst 2960 switch and the users file in freeradius, respectively:

    switchport access vlan 6
    switchport mode access
    switchport voice vlan 200
    authentication host-mode multi-auth
    authentication port-control auto
    authentication violation protect
    mab eap
    dot1x pae both
    spanning-tree portfast

    nicholas User-Password := "xxxxxx"
    000e10005336 User-Password := "000e10005336"
    000e100045da User-Password := "000e100045da"

The IP phone is able to authenticate successfully via MAC address bypass. The PC, on the other hand, is not able to authenticate via dot1x.

Because I have authentication host-mode set to multi-auth, I was expecting that when I connect a PC to the LAN port of the IP phone, the PC would authenticate using dot1x. The PC prompts me for the login username and password all right, but does not authenticate when I enter these details. The user account is a valid user on the RADIUS server.

When I run radius in debug mode on the RADIUS server, I realise it tries to use the MAC address of the PC to authenticate but fails because it has no entry in the users file on my RADIUS server. Also, when I debug authentication on the Cisco Catalyst 2960, the PC starts a dot1x process first, then fails, then starts a MAB process, which also fails because I do not want to do MAC address bypass for the PC.

I want to be able to authenticate the IP phone via MAC address bypass and authenticate the PC that connects to the LAN port of the IP phone via dot1x, using authentication host-mode multi-auth. How can I achieve that?

When I connect an unmanaged switch to an authentication-configured port on the Cisco 2960 switch, I am able to authenticate the PC and the phone independently, but not when a PC connects to the LAN port of the phone. If an unmanaged switch connecting to a Cisco Catalyst 2960 port with authentication host-mode multi-auth enabled can do multi-authentication, i.e. MAB and dot1x, why can't I get the IP phone to do the same (i.e. authenticate the phone via MAC address bypass and the PC connecting to the LAN port of the IP phone)?

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/