802.1x, Shoretel 13 and Cisco 3750 switch.

Hi all,

I'm deploying 802.1x in my company. We are using VM Win 2998 R2 Server as our Radius Server. Cisco 3750 layer3 switch running IOS 15.0(2) and Shoretel phone system running Build 13.

So far, all the printers, wired and wireless PC are able authenticated and obtain IP address for the corporate network. However, we are having problem with the Shoretel phones.

we do not want to authenticate the phones so we disabled 802.1x feature and enabled LLDP for our Shoretel phone and On the cisco 3750 switch, we enabled LLDP.

The port is configured as follow

 switchport access vlan 10
 switchport mode access
 switchport voice vlan 110
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication host-mode multi-host
 authentication violation protect
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3

When we do debug dot1x all, we can see that the phone is forced to authenticate even with 802.1x is set to off on the phone. The phone fails the authentication eventually

This is the same configuration that we have for the first office we implemented and everything works fine.  The phone is working as it should. The only different is that in this first office, the shoretel phone system is running Build 12 and Cisco access-layer switch is 2975 running IOS 12.2.

I'm working with Cisco but it seems like they don't know the cause of it.

Do you guys experience the same problem?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Craig BeckCommented:
This won't work as you want it to. If you use 802.1x on the port you HAVE to authenticate all devices, either via 802.1x or MAB.

Also if you use voice and data VLANs you must use multi-domain instead of multi-host.
tmatty102Author Commented:
Craigbeck, It works. At least this same setting is working in the the first office we did.

According to Cisco, there is a possible bug for IOS 15.0(2) SE2 that causes the problem. I'm waiting for them to confirm with me.
Craig BeckCommented:
Multi-host only allows one VLAN to pass traffic though so I'd be interested to see it!
IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

tmatty102Author Commented:
That's what I know about using Multi-host too but when i use it in implementation for the first office, it didn't work. That's why I tried to use Multi-host.

It's very interesting.
tmatty102Author Commented:
Apparently, Cisco either changes the way they handle 802.1x after IOS version 12.2.46 or there was a bug on that version.

IOS Version 12.2.46 ignores the IP phone and button box. They never get authenticated and have Cisco does not force these devices to authenticated.

IOS Version 12.2.55 with the new commands for 802.1x  forces all the devices that are connected to an 802.1x enabled port to authenticate. It does not matter 802.1x or mab. you need some sort of authentication.

I still find the way 12.2.46 handle 802.1x very weird.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tmatty102Author Commented:
The way Cisco handles 802.1x changed. Authentication is a must now

For those who need to work with IP Phone or vlan assignment,

the command: aaa authorization network default group radius is needed if not the phone/ button box will not get assign to the appropriate Vlan.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.