802.1x, Shoretel 13 and Cisco 3750 switch.

Hi all,

I'm deploying 802.1x in my company. We are using a VM running Windows Server 2008 R2 as our RADIUS server, a Cisco 3750 layer 3 switch running IOS 15.0(2), and a ShoreTel phone system running Build 13.

So far, all the printers and wired and wireless PCs are able to authenticate and obtain an IP address on the corporate network. However, we are having a problem with the ShoreTel phones.

We do not want to authenticate the phones, so we disabled the 802.1x feature and enabled LLDP on our ShoreTel phones, and on the Cisco 3750 switch we enabled LLDP.

The port is configured as follows:

 switchport access vlan 10
 switchport mode access
 switchport voice vlan 110
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication host-mode multi-host
 authentication violation protect
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3

When we run debug dot1x all, we can see that the phone is forced to authenticate even with 802.1x set to off on the phone. The phone eventually fails the authentication.

This is the same configuration that we have for the first office we implemented, and everything works fine there. The phone works as it should. The only difference is that in this first office the ShoreTel phone system is running Build 12 and the Cisco access-layer switch is a 2975 running IOS 12.2.

I'm working with Cisco, but it seems like they don't know the cause of it.

Do you guys experience the same problem?

tmatty102 (Author) commented:
Apparently, Cisco either changed the way they handle 802.1x after IOS version 12.2.46, or there was a bug in that version.

IOS version 12.2.46 ignores the IP phone and button box. They never get authenticated, and Cisco does not force these devices to authenticate.

IOS version 12.2.55, with the new commands for 802.1x, forces all the devices that are connected to an 802.1x-enabled port to authenticate. It does not matter whether it is 802.1x or MAB; you need some sort of authentication.

I still find the way 12.2.46 handles 802.1x very weird.
Craig Beck commented:
This won't work as you want it to. If you use 802.1x on the port you HAVE to authenticate all devices, either via 802.1x or MAB.

Also if you use voice and data VLANs you must use multi-domain instead of multi-host.
tmatty102 (Author) commented:
Craig Beck, it works. At least this same setting is working in the first office we did.

According to Cisco, there is a possible bug in IOS 15.0(2) SE2 that causes the problem. I'm waiting for them to confirm it with me.

Craig Beck commented:
Multi-host only allows one VLAN to pass traffic, though, so I'd be interested to see it!
tmatty102 (Author) commented:
That's what I know about using multi-host too, but when I used it in the implementation for the first office, it didn't work. That's why I tried to use multi-host.

It's very interesting.
tmatty102 (Author) commented:
The way Cisco handles 802.1x changed. Authentication is a must now.

For those who need to work with IP phones or VLAN assignment:

The command aaa authorization network default group radius is needed; otherwise the phone/button box will not get assigned to the appropriate VLAN.
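Putting the two points from the thread together (Craig Beck's "use multi-domain, and every device must authenticate via 802.1x or MAB" and the author's "aaa authorization network default group radius is required for VLAN assignment"), here is an added example of a port configuration for IOS 12.2(55)SE / 15.0(2)SE that lets the PC authenticate with 802.1x and lets the phone, with its supplicant disabled, fall back to MAB. This is not the poster's configuration and is not from Cisco or ShoreTel documentation; the interface name, RADIUS server address and shared key are assumed, and the VLAN numbers (data 10, voice 110, fallback 99) are reused from the post.

```cisco
! Added example, not the poster's running config. Assumed values: the interface
! name, the RADIUS server 192.0.2.10 and the shared key EXAMPLE-KEY.
aaa new-model
aaa authentication dot1x default group radius
! Without this line the switch authenticates but never applies the attributes
! RADIUS returns (VLAN, device-traffic-class=voice), so the phone is not placed
! in the voice VLAN even after a successful MAB.
aaa authorization network default group radius
dot1x system-auth-control
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! One host in the data domain plus one in the voice domain.
 ! multi-host only authorizes the first MAC and a single domain.
 authentication host-mode multi-domain
 ! Try 802.1X first; when the phone sends no EAPOL, fall back to MAB.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication violation protect
 mab
 dot1x pae authenticator
 ! Time before MAB fallback = tx-period x (max-reauth-req + 1) = 5 x 4 = 20 s.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3
```

Two things to check on the RADIUS side (Windows NPS in the poster's case) before blaming the switch: the MAB request arrives as a plain password (PAP) authentication whose username and password are both the phone's MAC address, so a network policy must accept that; and in multi-domain mode the Access-Accept for the phone has to carry the Cisco AV pair device-traffic-class=voice, otherwise the phone is authorized into the data domain, and the PC behind it then counts as a second data host and triggers the violation action. Verify with show authentication sessions interface GigabitEthernet1/0/1, which should list the PC under the DATA domain and the phone under VOICE.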