01-02-2018 10:00 PM
Has anyone implemented 802.1X with a phone on the Voice VLAN (through LLDP)? I currently have 802.1X implemented through NPS RADIUS. Works great; however, we are adding phones to the network shortly. These phones support LLDP Voice VLAN; however, how will they authenticate or bypass 802.1X connections?
01-12-2018 07:14 PM
It depends on whether you're going to hook the phone up to the same switch port as a PC. I discovered that LLDP works great when you only have the phone connected to the port, but I also found out that LLDP does not work when you have multiple 802.1X supplicants on the same switch port. In order to support multiple 802.1X supplicants, you need to use MAC-based authentication. Set up the network policy on your NPS server to assign the voice VLAN for phones. Create an AD user account for each phone--username and password are the MAC address of the phone, in all caps and with no punctuation, for example 8017234D599F, not 8017234d599f or 80:17:23:4D:59:9F. Create an AD security group that contains the phone user accounts. Restrict the network policy that sets the voice VLAN using that security group. In order for MAC auth bypass to work correctly, you also need to enable MD5-Challenge as an EAP type.
Hope this helps.
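An added example (not from the poster above) of scripting the per-phone account setup that reply describes: normalising each MAC to the twelve-uppercase-hex-digit form NPS matches on, creating the AD account with that value as both username and password, and adding it to the security group the voice-VLAN policy is restricted to. The OU path, group name and MAC list are placeholders; MD5-Challenge needs the password stored with reversible encryption, so the script sets that flag and the comments note the resulting exposure.

```powershell
# Added example: bulk-create the 802.1X MAB identities for IP phones in AD.
# All names below are assumptions/placeholders, not values from the thread.
Import-Module ActiveDirectory

$PhoneOU    = "OU=VoIP Phones,OU=Service Accounts,DC=example,DC=local"  # assumed OU
$PhoneGroup = "VoIP-Phones-MAB"                                          # assumed group
$MacList    = @("80:17:23:4d:59:9f", "8017-234D-59A0", "80-17-23-4D-59-A1")  # constructed sample

function ConvertTo-MabIdentity {
    # Normalise any common MAC notation (colons, dashes, dots, lower case)
    # to the form the reply says NPS expects: 12 uppercase hex digits, no separators.
    param([Parameter(Mandatory)][string]$Mac)
    $clean = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]{12}$') {
        throw "Not a valid MAC address: '$Mac'"
    }
    return $clean
}

foreach ($mac in $MacList) {
    $id = ConvertTo-MabIdentity $mac
    if (Get-ADUser -Filter "SamAccountName -eq '$id'") {
        Write-Host "Account $id already exists, skipping"
        continue
    }
    # Username and password are both the normalised MAC, as in the reply.
    # MD5-Challenge requires the password to be stored with reversible encryption,
    # and the "secret" is the phone's MAC, so treat these as low-trust identities:
    # dedicated OU, no interactive logon rights (deny via GPO on $PhoneOU),
    # and the NPS network policy scoped to $PhoneGroup only.
    $secret = ConvertTo-SecureString $id -AsPlainText -Force
    New-ADUser -Name $id -SamAccountName $id -Path $PhoneOU `
        -AccountPassword $secret -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -AllowReversiblePasswordEncryption $true `
        -Description "802.1X MAB identity for IP phone $mac"
    Add-ADGroupMember -Identity $PhoneGroup -Members $id
}
```

Run it from a host with RSAT and rights on the target OU; the existence check makes it safe to re-run as phones are added.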