How to connect an IP phone to an 802.1x authentication-enabled interface of an S series switch

You can connect an IP phone to an 802.1x authentication-enabled interface of an S series switch (a non-S1700 switch). 802.1x authentication is not mandatory for IP phone access.
For details about how to implement 802.1x authentication for IP phone access, see Example for Connecting IP Phones to Switches Through the PVID of the Voice VLAN ID. The following describes IP phone access without 802.1x authentication in NAC common mode. For switches running V200R009C00, the configuration model of NAC unified mode changes. Consult the product manual for your switch model and version.
- Bind an IP phone's MAC address to the access interface.
If a device's MAC address is statically bound to an 802.1x authentication-enabled interface, the device's traffic is forwarded directly. You can statically bind an IP phone's MAC address to an 802.1x authentication-enabled interface so that the IP phone can access the network without 802.1x authentication. However, this solution requires you to statically bind the MAC address of each IP phone to the interface, which creates a heavy configuration workload and makes maintenance inconvenient.
[HUAWEI] vlan batch 10 20 //Create the data service VLAN 10 and the voice service VLAN 20.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[HUAWEI-GigabitEthernet1/0/1] port hybrid tagged vlan 20 //Configure the interface to allow tagged packets from IP phones in VLAN 20 to pass through.
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] mac-address static 0003-0003-0003 gigabitethernet 1/0/1 vlan 20 //Bind the IP phone's MAC address to the 802.1x authentication-enabled interface.

- Use MAC address bypass authentication.
[HUAWEI] vlan batch 10 20 //Create the data service VLAN 10 and the voice service VLAN 20.
[HUAWEI] dot1x enable
[HUAWEI] voice-vlan mac-address 0003-0000-0000 mask ffff-0000-0000 description phone1 //Configure the device to automatically identify the MAC address range of the IP phone.
[HUAWEI] mac-authen domain noauth_phone mac-address 0003-0000-0000 mask ffff-0000-0000 //Configure the authentication domain noauth_phone for the IP phone's MAC address range.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme noauth
[HUAWEI-aaa-authen-noauth] authentication-mode none
[HUAWEI-aaa-authen-noauth] quit
[HUAWEI-aaa] domain noauth_phone //Configure the authentication domain noauth_phone and set the authentication scheme of this domain to none authentication.
[HUAWEI-aaa-domain-noauth_phone] authentication-scheme noauth
[HUAWEI-aaa-domain-noauth_phone] quit
[HUAWEI-aaa] quit
[HUAWEI] interface gigabitethernet1/0/1 //Enter the view of the interface to which the IP phone connects.
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[HUAWEI-GigabitEthernet1/0/1] port hybrid tagged vlan 20 //Configure the interface to allow tagged packets from IP phones in VLAN 20 to pass through.
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[HUAWEI-GigabitEthernet1/0/1] voice-vlan 20 enable
[HUAWEI-GigabitEthernet1/0/1] voice-vlan legacy enable
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] dot1x mac-bypass //Configure the switch to perform MAC address bypass authentication for the IP phone if it fails 802.1x authentication.
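
An added audit sketch, not part of the original page or of Huawei's documentation: it parses the MAC bypass commands shown above and reports every MAC range mapped to a domain whose authentication scheme is `none`, together with the number of addresses the mask covers. The function names and the embedded sample are assumptions made for this example; only the commands that appear on this page are recognized.

```python
import re

# Constructed sample: the MAC-bypass AAA commands from this page, prompts included.
SAMPLE = """\
[HUAWEI] mac-authen domain noauth_phone mac-address 0003-0000-0000 mask ffff-0000-0000
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme noauth
[HUAWEI-aaa-authen-noauth] authentication-mode none
[HUAWEI-aaa-authen-noauth] quit
[HUAWEI-aaa] domain noauth_phone
[HUAWEI-aaa-domain-noauth_phone] authentication-scheme noauth
"""

MAC_AUTHEN = re.compile(r"^mac-authen domain (\S+) mac-address (\S+) mask (\S+)$")

def covered_addresses(mask):
    """Number of MAC addresses matched by a 48-bit mask written as H-H-H."""
    bits = int(mask.replace("-", ""), 16)
    return 2 ** (48 - bin(bits).count("1"))

def audit(config):
    """Return MAC ranges whose domain resolves to authentication-mode none."""
    scheme_mode, domain_scheme, ranges = {}, {}, []
    ctx = None  # ("scheme" | "domain", name): the AAA sub-view we are in
    for raw in config.splitlines():
        # Drop the CLI prompt and any trailing // comment.
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw).split("//")[0].strip()
        m = MAC_AUTHEN.match(line)
        if m:
            ranges.append(m.groups())
        elif line.startswith("domain "):
            ctx = ("domain", line.split()[1])
        elif line.startswith("authentication-scheme "):
            name = line.split()[1]
            if ctx and ctx[0] == "domain":
                domain_scheme[ctx[1]] = name   # scheme assigned to a domain
            else:
                ctx = ("scheme", name)         # scheme being defined
        elif line.startswith("authentication-mode ") and ctx and ctx[0] == "scheme":
            scheme_mode[ctx[1]] = line.split()[1:]
        elif line == "quit":
            ctx = None
    return [{"domain": d, "mac": mac, "mask": mask,
             "addresses": covered_addresses(mask)}
            for d, mac, mask in ranges
            if scheme_mode.get(domain_scheme.get(d)) == ["none"]]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["domain"], f["mac"], f["mask"], f"{f['addresses']:,} MACs unauthenticated")
```

The mask on this page leaves 32 bits free, so the range that skips authentication spans 2^32 MAC addresses; a longer mask limited to the phones' actual prefix keeps that range as small as the deployment allows.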
