VoIP device authenticating via MAB and PC authenticating via dot1x

fat cat
fat cat used Ask the Experts™
I would like to understand this process a bit more and the authentication flow.  Using ClearPass (similar to ISE) as a RADIUS server.

PC authenticates successfully via dot1x (EAP-TLS) when plugged into jack.  However, when plugged in via VoIP, it fails.   Discovered that the pC is not able to auth via MAB because the MAC is not in the MAC Address table.   Once added MAC to MAC Address table, PC successfully authenticates via dot1x and MAB.

What is the relation to VoIP here?  If the PC can auth successfully via dot1x(EAP-TLS) on its own, what triggers the PC to roll over to MAB and fail?
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
nociSoftware Engineer
Distinguished Expert 2018

If a VOIP phone is inserted into the switch then there is dot1x between Phone & Switch.
When the PC is inserted into the Phone there is dot1x between the phone and the PC...
(IF the phone does do dot1x and is configured for it at all....).

One cannot use dot1x enabled on a device upstream of the edge switch to do the dot1x.
(When dot1x is communicated between edge device and connected endpoint, the endpoint is actualy NOT connected to the network at all.
It is the edge-switch that handles all network communication between itself and the RADIUS server, and it receives the intended configuration for the network setup from the RADIUS server, after authentication is successful.
During the authentication phase the connected endpoint device and the edge switch are talking in private.
(i.e. there is NOT communication between RADIUS and the connected (here PC) device directly).
kevinhsiehNetwork Engineer

The switch needs to be configured to allow multiple 802.1x authentications  on the physical port. That is not the default Cisco configuration. Some Cisco switches only allow a single 802.1x on the data access VLAN, and one more on the voice VLAN. Other switches all multiple 802.1x devices on the data VLAN, which would come into play if there was an unmanaged switch or VM host, for example.

In addition to correct switch configuration, the IP phone also needs proper configuration to allow 802.1x passthrough to the upstream switch, and behavior on how to tell the switch that the connected device is no longer connected and should be deauthenticated.


Thank you for the comments @noci and @kevinhsieh.  Really appreciate it....

@kevinhsieh @noci

So i guess i was looking for more what happens with the authentication flow.

-Switch is configured for mulit Auth
-PC is configured to do dot1x EAP-TLS . (machine/user certs)
-Phone is configured to do MAB (Phone attempt dot1x but will failover to mab - that is the setup we want)

So, noticed that the PC MAC was not in the MAC Auth dB so it would fail MAB.
--So basically, when PC was connected to the port/jack, it was successfully authenticating via EAP-TLS . (what we want it to do),
--but when we plugged it into the phone, it would try MAB and fail.   So when i added the PC MAC to the MAC Auth dB, it would successfully auth via phone.

So my question was to understand what happens with the flow here.  
-e.g, if the PC is able to do EAP-TLS directly connected to the port, why does it fail when it is behind the phone.
--does the phone re-trigger a auth ?
--the phone is meant to fail dot1x and failover to MAB, does this also make the PC do the same?
--it it is multi-auth domain, shouldn't each device act independatly when trying to authenticate ?  
--How does VoIP affect the PC's authentication?

Thanks guys, really appreciate the response.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Software Engineer
Distinguished Expert 2018
--does the phone re-trigger a auth ?
--the phone is meant to fail dot1x and failover to MAB, does this also make the PC do the same?
On the Switch Yes.... unless the phone will do the dot1x.
--it it is multi-auth domain, shouldn't each device act independatly when trying to authenticate ?  
Yep the phone is one switch further...
--How does VoIP affect the PC's authentication?
It isn;t VOIP, it is the switch inside the Phone.

before dot1x:
[Radiusserver] <--------------->[Switch-Core].
Switch port is disconnected from the switch core.

PC sends Auth request to switch port  (it's certificate etc.).
Switch port notifies Switch Core (on the same switch), switch core starts talking to the radius server, radius server answers OK or FAIL.
On FAIL the is the end.
On OK, the answer also contains the port config needed so it is setup. And the switch port is connected to the Switch-Core.
 and then PC can start communication on the network.
If the phone already is connected the Switch-port will not notice the auth request as it isn't in a disconnected state.

The Phone is now the edge device that would need to do the dot1x.... (if it can).
kevinhsiehNetwork Engineer
FYI, my phones do 802.1x. Devices connected through the phone do 802.1x or MAB properly.


Thank you both for your help.  Still a bit unclear but def helped me understand it better.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial