Header Only - DO NOT REMOVE - Extreme Networks

802.1x with VOIP

  • 7 January 2014
  • 1 reply

Userlevel 4
Create Date: Apr 9 2013 7:36PM

Hello All,

This relates to a problem that we are having in our environment. We currently use 802.1x in ISP mode wherein machines connecting to the switch will be RADIUS authenticated (integrated with AD). However we are now rolling out VOIP wherein we will piggyback data over voice. Although we have everything working without the 802.1x we are trying to see how to get this working with it in place. With Extremeware, you could specify 802.1x on a per vlan basis which is no longer available. Basically all traffic will need to be authenticated if you will. These are modern Mitel phones that will support dot1x but setting this up on the phones is a pain and will not work. In terms of options, I know that mac based authentication is possible but i have more than a 1000 phones. What I am looking for is the following:

1. Is there someway to exclude or exempt a vlan from authentication (the voice vlan in this case). can we setup either guest vlans or possibly authentication failure vlans. would that help.
2. Also from a performance perspective, i am already having issues reported with 802.1x due to periodic reauthentication which i recently disabled. now, since data will be authenticated (and dhcp) after voice, is there anything to be worried about. any suggestions pls. (from Anush_Santhanam)

1 reply

Userlevel 4
Create Date: May 12 2013 5:53PM

Hello All,

I finally managed to sort this out myself and wanted to share my findings with you. Although our Mitel phones support 802.1x authentication and can be setup accordingly, it is a pain when you need to change passwords etc. Instead here is what I have done:

1. Setup 802.1x in campus mode. VLAN assignment will be done through VSA returned by RADIUS. This is for the data vlan.
2. I have mac based authentication for the phones.

Since we have piggybacking of voice/data, all ports are setup for both mac and dot1x concurrently. I ran into problems for dhcp leasing for the voice. this is probably related to the dhcp scope options on the server. to make life easier, I have used mac based vlans as a result of which both data and voice will be untagged concurrently on the same port. while data is 802.1x authenticated, voice is mac authenticated. this is now working. (from Anush_Santhanam)