Configuring Authentication
Fixed Switch Configuration Guide 10-23
With “User + IP Phone” authentication, the policy role for the IP phone is statically mapped using
a policy admin rule which assigns any frames received with a VLAN tag set to a specific VID (for
example, Voice VLAN) to a specified policy role (for example, IP Phone policy role). Therefore, it
is required that the IP phone be configured to send VLAN-tagged frames tagged for the “Voice”
VLAN. Refer to the command set policy rule for additional information about configuring a
policy admin rule that maps a VLAN to a policy role.
Note that if the IP phone authenticates to the network, the RADIUS Access-Accept message must
return null values for RFC 3580 tunnel attributes and the Filter-ID.
The second policy role, for the user, can either be statically configured with the default policy role
on the port or dynamically assigned through authentication to the network (using a RADIUS
Filter-ID). When the default policy role is assigned on a port, the VLAN set as the port's PVID is
mapped to the default policy role unless the default policy has a defined VLAN, which will
override the port’s PVID. When a policy role is dynamically applied to a user as the result of a
successfully authenticated session and the resulting policy has a configured VLAN, that VLAN
will override the port PVID or the default policy’s defined VLAN.
Example
The following procedure and code example show the basic steps to configure User + IP phone
authentication on several user ports.
Note: User + IP Phone authentication is not supported on the I-Series
Procedure 10-11 User + IP Phone Configuration
Step Task Command(s)
1. Configure the IP phones to send VLAN-tagged
voice traffic frames, tagged for the phone VLAN.
N/A
2. On the switch, create phone VLAN and user
VLAN.
Optionally, give names to the VLANs.
set vlan create vlan-list
set vlan name vid name
3. Create a CoS setting for the phone VLAN. set cos settings cos-index priority
priority [tos-value tos]
[irl-reference irl-ref]
4. Set the number of users per port to 2 on the user
ports
set multiauth port numusers 2
port-string
5. Create a policy profile for the users that uses the
user VLAN.
set policy profile index pvid-status
enable pvid pvid
6. Create a policy profile for the phones that
typically will have an associated CoS.
set policy profile index cos-status
enable cos cos
7. Statically map the phone policy profile to frames
received tagged with the phone VLAN and
specify ports to egress the phone VLAN frames
as tagged.
set policy rule admin-profile
vlantag vlanid admin-pid index
port-string port-string
8. Configure RADIUS See “Configuring RADIUS” on page 10-21
9. Configure authentication, either IEEE 802.1x or
MAC-based authentication.
See “Configuring IEEE 802.1x” on page 10-14
See “Configuring MAC-based Authentication” on
page 10-15
To Next Page
Loading...
Need help?
General