The Cisco IP
Phones support 802.1X Authentication.
Phones and Cisco Catalyst switches traditionally use Cisco Discovery Protocol
(CDP) to identify each other and determine parameters such as VLAN allocation
and inline power requirements. CDP does not identify locally attached
workstations. Cisco IP Phones provide an EAPOL pass-through mechanism. This
mechanism allows a workstation attached to the Cisco IP Phone to pass EAPOL
messages to the 802.1X authenticator at the LAN switch. The pass-through
mechanism ensures that the IP phone does not act as the LAN switch to
authenticate a data endpoint before accessing the network.
Phones also provide a proxy EAPOL Logoff mechanism. In the event that the
locally attached PC disconnects from the IP phone, the LAN switch does not see
the physical link fail, because the link between the LAN switch and the IP
phone is maintained. To avoid compromising network integrity, the IP phone
sends an EAPOL-Logoff message to the switch on behalf of the downstream PC,
which triggers the LAN switch to clear the authentication entry for the
for 802.1X authentication requires several components:
Phone: The phone initiates the request to access the network. Cisco IP Phones
contain an 802.1X supplicant. This supplicant allows network administrators to
control the connectivity of IP phones to the LAN switch ports. The current
release of the phone 802.1X supplicant uses the EAP-FAST and EAP-TLS options
for network authentication.
Access Control Server (ACS) (or other third-party authentication server): The
authentication server and the phone must both be configured with a shared
secret that authenticates the phone.
Switch (or other third-party switch): The switch must support 802.1X, so it can
act as the authenticator and pass the messages between the phone and the
authentication server. After the exchange completes, the switch grants or
denies the phone access to the network.
You must perform
the following actions to configure 802.1X.
other components before you enable 802.1X Authentication on the phone.
Port: The 802.1X standard does not consider VLANs and thus recommends that only
a single device should be authenticated to a specific switch port. However,
some switches (including Cisco Catalyst switches) support multidomain
authentication. The switch configuration determines whether you can connect a
PC to the PC port of the phone.
If you are using a switch that supports multidomain authentication, you can
enable the PC port and connect a PC to it. In this case, Cisco IP Phones
support proxy EAPOL-Logoff to monitor the authentication exchanges between the
switch and the attached PC. For more information about IEEE 802.1X support on
the Cisco Catalyst switches, see the Cisco Catalyst switch configuration guides
If the switch does not support multiple 802.1X-compliant devices on the same
port, you should disable the PC Port when 802.1X authentication is enabled. If
you do not disable this port and subsequently attempt to attach a PC to it, the
switch denies network access to both the phone and the PC.
- Configure Voice VLAN:
Because the 802.1X standard does not account for VLANs, you should configure
this setting based on the switch support.
- Enabled: If you are using a
switch that supports multidomain authentication, you can continue to use the
- Disabled: If the switch
does not support multidomain authentication, disable the Voice VLAN and
consider assigning the port to the native VLAN.