How to Authenticate a Voice Over IP (VOIP) Phone and a Windows Workstation on a Shared Switch Port on a Cisco Switch While Using the Enforcer 6100 Series Appliance and Microsoft Internet Authentication Service (IAS).
Configuring IAS to allow a VOIP phone that has an Ethernet port built into it to work with the Enforcer Appliance and Cisco Switch.
Symptoms
A VOIP phone is being used that has a built-in Ethernet port that a workstation is using for network connectivity, so both devices are being authenticated on one switch port.
The Cisco "multi-domain" feature is being used on the switch.
Switch IOS is version 12.2(52)SE3 or above.
Either the VOIP phone or the client computer attached to it authenticates into the incorrect VLAN.
This occurs when the attribute "device-traffic-class=voice" is not sent to the Cisco switch from the RADIUS (IAS) server. This can also be caused by selecting an encrypted authentication method that the VOIP device cannot negotiate.
In IAS, set up a remote access policy that passes the attribute "device-traffic-class=voice" to the switch whenever the Calling-Station-Id (the client MAC address) matches a wildcard pattern. The authentication method may also need to be set to "unencrypted" for compatibility with VOIP devices that cannot negotiate encrypted authentication.
Open the IAS MMC Console, select Remote Access Policies, right-click in the right hand pane and select "New Remote Access Policy".
At the next window, hit "Next".
Select "Set up a custom policy" and name the policy something you will recognize. Hit Next.
At the next window, select "Add" to add a condition.
Select Calling-Station-Id. This refers to the MAC address of the client that is attempting to connect. Hit Add.
Enter the leading characters that all of the VOIP phones' MAC addresses have in common. The first six characters usually identify the manufacturer. Add a wildcard (*) after the common characters. Click OK.
Hit Next at the next window.
Next, make sure "Grant remote access permission" is selected. Hit Next.
At the next screen, click "Edit Profile".
Select the "Advanced" tab. Then hit "Add".
Choose the "Cisco-AV-Pair", and hit "Add".
At the next screen, hit "Add".
Add the attribute "device-traffic-class=voice". This will be passed back to the switch when the conditions are met.
Click "Close" at the next window.
Select the "Authentication" tab in the Edit Dial-In Profile dialog. Uncheck all boxes except those shown below. This is necessary because some VOIP phones do not have the capability to negotiate encrypted authentication.
At the next window, hit "OK".
Hit "Next" at the next window.
Hit "Finish" at the next window.
Verify that the rule you just created is at the top of the list.
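As an added example, not part of the original article, here is a small Python model of how IAS walks the ordered policy list for a Calling-Station-Id: the first policy whose condition matches decides, and only the phone policy returns the Cisco-AV-Pair. The OUI prefix and MAC addresses are constructed placeholders. Real IAS compares the condition as a text pattern against the exact string the switch sends, so the separator and case in the condition must match the switch's Calling-Station-Id format; the normalization below is a convenience of this model, not IAS behaviour.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    calling_station_id: str            # IAS condition value, '*' as wildcard
    grant: bool                        # "Grant remote access permission"
    cisco_av_pairs: list = field(default_factory=list)


def _hex(value: str) -> str:
    """Strip separators ('-', ':', '.') and upper-case, so 00-11-22-aa-bb-cc,
    0011.22aa.bbcc and 00:11:22:AA:BB:CC all compare equal (model convenience)."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def mac_matches(pattern: str, calling_station_id: str) -> bool:
    """Match a Calling-Station-Id against a wildcard pattern such as '00-11-22-*'."""
    mac = _hex(calling_station_id)
    if len(mac) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    literal = [re.escape(_hex(part)) for part in pattern.split("*")]
    return re.fullmatch(".*".join(literal), mac) is not None


def evaluate(policies, calling_station_id):
    """Return (result, attributes) as IAS would: the first policy in the ordered
    list whose condition matches decides; no match means Access-Reject."""
    for policy in policies:
        if mac_matches(policy.calling_station_id, calling_station_id):
            if not policy.grant:
                return ("Access-Reject", {})
            attrs = {}
            if policy.cisco_av_pairs:
                attrs["Cisco-AV-Pair"] = list(policy.cisco_av_pairs)
            return ("Access-Accept", attrs)
    return ("Access-Reject", {})


# Constructed policies: "00-11-22" is a placeholder prefix, not a real vendor's.
VOICE = Policy("VOIP phones", "00-11-22-*", True, ["device-traffic-class=voice"])
DATA = Policy("Workstations", "*", True)


def voice_tag_for(policies, calling_station_id) -> bool:
    """True when the switch would receive device-traffic-class=voice for this MAC."""
    _, attrs = evaluate(policies, calling_station_id)
    return "device-traffic-class=voice" in attrs.get("Cisco-AV-Pair", [])


if __name__ == "__main__":
    phone, pc = "0011.22aa.bbcc", "AA-BB-CC-DD-EE-FF"
    # Correct order: phone tagged voice, the PC behind it lands in the data domain.
    print(voice_tag_for([VOICE, DATA], phone), voice_tag_for([VOICE, DATA], pc))  # True False
    # Catch-all policy listed first: the phone loses the voice tag, which is the
    # wrong-VLAN symptom this article describes. Hence "rule at the top of the list".
    print(voice_tag_for([DATA, VOICE], phone))  # False
```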
Imported Document ID: TECH97536