Phone and Data 802.1x Ports don't have an Auth Fail option

Question · Updated 2 years ago (Edited)
I'm working on an 802.1x solution for our network and have run into a problem I'm hoping the community can help me figure out.

The 802.1x Access ports have an Auth Fail option to handle devices that don't/can't authenticate using 802.1x. My plan was to use the Auth Fail in combination with reclassification based on MAC addresses to handle corporate owned devices, IoT, and guests on a single port type.

Successful Authentication ==> Corporate Network
Fail w/ MAC reclassification ==> Devices Network (printers, IoT, etc.)
Fail ==> Guest Access

This flow takes care of everything except my VOIP phones that have computers connected to them (using the phone's pass-through network port). So naturally I move on to the 802.1x Phone&Data port type...

While working through this, I noticed the Phone&Data port type does not offer an Auth Fail state. Without this option I'm back to having multiple port types and several different switch templates. I will need to issue certificates to the phones as well. We use Avaya 9600 series phones in case it matters.

What's the best way to deal with this situation? Is there any way to set up a single port type that handles all of my use cases?

Devices that support 802.1x
Devices that do not support 802.1x
Phones with 802.1x devices connected to them
Guests (no authentication, just connect and go)

Will Rhodes

Posted 2 years ago

Will Rhodes
Bumping this up, does anyone have thoughts on this? Is Nick Lowe around?
dreamer
Hi Will,

I'm hoping you've found a workaround in the meantime and if so, please share it, but if not, would an idea be MAB for all devices not supporting 802.1x?

At least with FreeRADIUS, you can do a regexp OUI lookup for each such device (printer, VoIP phone etc.) and assign the appropriate VLAN. Even if someone spoofed an IoT device MAC address, they would end up in a pretty restricted VLAN anyhow.

Then you could set a catch-all entry which would assign a user to a guest VLAN.
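One way to write that OUI-to-VLAN policy with a guest catch-all in the FreeRADIUS 3 `users` file (mods-config/files/authorize). This is an added example, not configuration from anyone in this thread; the OUI prefixes and VLAN IDs are constructed placeholders, and it assumes the switch sends MAB requests with Service-Type = Call-Check and the client MAC in Calling-Station-Id.

```text
# Added example: FreeRADIUS 3 users file (mods-config/files/authorize).
# Assumptions: MAB requests carry Service-Type = Call-Check and the client MAC
# in Calling-Station-Id. OUIs 00-11-22 / 00-33-44 and VLANs 20/30/99 are
# constructed placeholders, not real assignments.
# The regexes accept "00-11-22...", "00:11:22..." and "001122..." formats.
# Real OUIs contain hex letters; switches differ in case, so match both,
# e.g. "^00[:-]?1[bB][:-]?4[fF]".

# Printers and similar non-802.1x devices: placeholder OUI 00-11-22 -> devices VLAN 20
DEFAULT Service-Type == Call-Check, Calling-Station-Id =~ "^00[:-]?11[:-]?22", Auth-Type := Accept
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# VoIP phones: placeholder OUI 00-33-44 -> voice VLAN 30
DEFAULT Service-Type == Call-Check, Calling-Station-Id =~ "^00[:-]?33[:-]?44", Auth-Type := Accept
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30"

# Catch-all: any other MAB request is accepted, but only into the restricted guest VLAN 99
DEFAULT Service-Type == Call-Check, Auth-Type := Accept
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "99"
```

The first matching entry wins because none of them set Fall-Through, so the specific OUI entries must come before the catch-all, and the Service-Type check keeps these entries from accepting non-MAB requests.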