
If Microsoft can get it right…. August 2, 2006

Posted by jpayne in: 802.1X, Security

Why can’t Cisco? On a 3560, a small stackable switch, 802.1X and a voice VLAN coexist on the same port:

interface GigabitEthernet0/11
 switchport access vlan 803
 switchport mode access
 switchport voice vlan 801
 load-interval 30
 dot1x port-control auto
 dot1x timeout tx-period 10
 dot1x timeout reauth-period 60
 dot1x guest-vlan 1
 dot1x reauthentication
 spanning-tree portfast
end

6500 wiring closet switch:

switch(config)#int faste 1/22 
switch(config-if)#dot1x port-control auto 
Command rejected: One or more ports configured with voice vlan.
Dot1x can't be enabled on voice vlan configured ports.

So how is one supposed to enable 802.1X and still use Cisco’s phones? Double up on switchports and wall jacks.

Cisco claims IOS support on the 6500 for 802.1X together with voice VLANs is coming early 2007. CatOS is supposed to support it already, but that’s a backwards step I’m not sure we want to take…
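Until the 6500 catches up, the practical risk of the doubled-up workaround is that the phone-only ports end up with a voice VLAN but no 802.1X at all, and nobody notices. The script below is an added example (not part of this post, and not a Cisco tool): it parses an IOS running-config into per-interface blocks and reports every port that carries a voice VLAN without `dot1x port-control auto`, plus a guest VLAN that happens to equal the voice VLAN. The sample config is constructed for the example: it includes the 3560 port above and two hypothetical FastEthernet1/22 and FastEthernet1/23 ports standing in for a phone/PC pair on the 6500.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config (not taken from a real switch): the 3560
# port from the post, a hypothetical phone-only 6500 port that the "command
# rejected" error leaves without 802.1X, its PC-only twin, and an uplink.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/11
 switchport access vlan 803
 switchport mode access
 switchport voice vlan 801
 load-interval 30
 dot1x port-control auto
 dot1x timeout tx-period 10
 dot1x timeout reauth-period 60
 dot1x guest-vlan 1
 dot1x reauthentication
 spanning-tree portfast
!
interface FastEthernet1/22
 description phone-only port, 6500 refuses dot1x here (hypothetical)
 switchport access vlan 803
 switchport mode access
 switchport voice vlan 801
 spanning-tree portfast
!
interface FastEthernet1/23
 description PC-only port, 802.1X enforced (hypothetical)
 switchport access vlan 803
 switchport mode access
 dot1x port-control auto
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {interface name: [stripped sub-commands]}.

    An interface block starts at a column-0 'interface ...' line and ends at
    the next non-indented line ('!' or another top-level command).
    """
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def _vlan(lines: List[str], prefix: str) -> Optional[int]:
    """Return the numeric VLAN after `prefix` (e.g. 'switchport voice vlan'),
    or None when that sub-command is absent."""
    pat = re.compile(r"^" + re.escape(prefix) + r" (\d+)$")
    for line in lines:
        m = pat.match(line)
        if m:
            return int(m.group(1))
    return None


def audit_voice_ports(config: str) -> Dict[str, dict]:
    """Report every port carrying a voice VLAN and whether 802.1X is enforced."""
    report: Dict[str, dict] = {}
    for name, lines in parse_interfaces(config).items():
        voice = _vlan(lines, "switchport voice vlan")
        if voice is None:
            continue  # no phone on this port; the post's problem does not apply
        access = _vlan(lines, "switchport access vlan")
        guest = _vlan(lines, "dot1x guest-vlan")
        dot1x = "dot1x port-control auto" in lines
        findings: List[str] = []
        if not dot1x:
            findings.append("voice port with no 802.1X enforcement "
                            "(dot1x port-control auto missing)")
        if guest is not None and guest == voice:
            findings.append("guest VLAN equals voice VLAN: an unauthenticated "
                            "host would land on the voice VLAN")
        report[name] = {"access_vlan": access, "voice_vlan": voice,
                        "guest_vlan": guest, "dot1x": dot1x,
                        "findings": findings}
    return report


if __name__ == "__main__":
    for port, info in audit_voice_ports(SAMPLE_CONFIG).items():
        status = "OK" if not info["findings"] else "; ".join(info["findings"])
        print(f"{port}: access {info['access_vlan']} voice {info['voice_vlan']} "
              f"dot1x={info['dot1x']} -> {status}")
```

Feed it the output of `show running-config` and the trunk and PC-only ports drop out of the report; what remains is the list of phone ports, with the ones the 6500 forced you to leave open flagged explicitly.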

Comments»

1. Rob Gorman - December 11, 2006

Hey, I am trying to get our VOIP/Dot1x solution going using the Cisco 3560 switches and Microsoft’s IAS service. I have been having some problems though and was wondering if you ever tested yours out?

According to the event logs on the IAS server, both the phone and the PC are authenticating properly, but the phone never successfully gets a DHCP address on the voice vlan. When I ran debug on the dot1x stuff, it appears that the phone is getting authenticated and put on to the data vlan (vlan1).

If you have any insight into this I would very much appreciate it. Cisco support has washed their hands of it, saying the problem is with the IAS policies and they have no info on how to set it up. I suspect I need to push out the vlan info for the phone through the policy so the switch knows what vlan to put the phone on, but I can’t seem to figure that one out.

2. jpayne - December 11, 2006

No promises, but if you send me or post a config snippet, I’ll take a look.