How to connect an IP phone to an 802.1x authentication-enabled interface of an S series switch


You can connect an IP phone to an 802.1x authentication-enabled interface of an S series switch (a non-S1700 switch). 802.1x authentication is not mandatory for IP phone access.
For details about how to implement 802.1x authentication for IP phone access, see Example for Connecting IP Phones to Switches Through the PVID of the Voice VLAN ID. The following describes IP phone access without 802.1x authentication in NAC common mode. For switches running V200R009C00, the configuration model of NAC unified mode changes. Query the appropriate product manual based on the switch model and version.
- Bind an IP phone's MAC address to the access interface.
If a device's MAC address is statically bound to an 802.1x authentication-enabled interface, the device's traffic is directly passed. You can statically bind an IP phone's MAC address to an 802.1x authentication-enabled interface, so that the IP phone can access the network without 802.1x authentication. However, this solution requires that you statically bind the MAC address of each IP phone to the interface, causing heavy configuration workload and inconvenient maintenance.
[HUAWEI] vlan batch 10 20 //Create the data service VLAN 10 and the voice service VLAN 20.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[HUAWEI-GigabitEthernet1/0/1] port hybrid tagged vlan 20 //Configure the interface to allow tagged packets from IP phones in VLAN 20 to pass through.
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] mac-address static 0003-0003-0003 gigabitethernet 1/0/1 vlan 20 //Bind the IP phone's MAC address to the 802.1x authentication-enabled interface.

- Use MAC address bypass authentication.
[HUAWEI] vlan batch 10 20 //Create the data service VLAN 10 and the voice service VLAN 20.
[HUAWEI] dot1x enable
[HUAWEI] voice-vlan mac-address 0003-0000-0000 mask ffff-0000-0000 description phone1 //Configure the device to automatically identify the MAC address range of the IP phone.
[HUAWEI] mac-authen domain noauth_phone mac-address 0003-0000-0000 mask ffff-0000-0000 //Configure the authentication domain noauth_phone for the IP phone's MAC address range.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme noauth
[HUAWEI-aaa-authen-noauth] authentication-mode none
[HUAWEI-aaa-authen-noauth] quit
[HUAWEI-aaa] domain noauth_phone //Configure the authentication domain noauth_phone and set the authentication scheme of this domain to none authentication.
[HUAWEI-aaa-domain-noauth_phone] authentication-scheme noauth
[HUAWEI-aaa-domain-noauth_phone] quit
[HUAWEI-aaa] quit
[HUAWEI] interface gigabitethernet1/0/1 //Enter the view of the interface to which the IP phone connects.
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[HUAWEI-GigabitEthernet1/0/1] port hybrid tagged vlan 20 //Configure the interface to allow tagged packets from IP phones in VLAN 20 to pass through.
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[HUAWEI-GigabitEthernet1/0/1] voice-vlan 20 enable
[HUAWEI-GigabitEthernet1/0/1] voice-vlan legacy enable
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] dot1x mac-bypass //Configure the switch to perform MAC address bypass authentication for the IP phone if it fails 802.1x authentication.
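
An added audit example (not Huawei's code and not part of the original page): it reads a saved configuration for the MAC bypass setup above and reports every MAC range mapped to a domain whose scheme uses authentication-mode none, with the number of addresses the mask admits. The saved-configuration layout and the function names are assumptions.

```python
import re

# Constructed sample: the MAC-bypass commands from this page laid out as a
# saved configuration (one space of indentation per view is an assumption).
SAMPLE_CONFIG = """\
mac-authen domain noauth_phone mac-address 0003-0000-0000 mask ffff-0000-0000
aaa
 authentication-scheme noauth
  authentication-mode none
 domain noauth_phone
  authentication-scheme noauth
interface GigabitEthernet1/0/1
 dot1x enable
 dot1x mac-bypass
"""

def mask_bits(mask):
    """Count the fixed (1) bits in a Huawei xxxx-xxxx-xxxx MAC mask."""
    return bin(int(mask.replace("-", ""), 16)).count("1")

def audit_noauth_ranges(config):
    """Return (domain, base MAC, mask, fixed bits, addresses admitted) for each
    MAC range whose AAA domain uses a scheme with authentication-mode none."""
    none_schemes, domain_scheme = set(), {}
    scheme = domain = None
    for raw in config.splitlines():
        indent, line = len(raw) - len(raw.lstrip(" ")), raw.strip()
        if indent <= 1:                      # a new top-level or aaa-level view
            scheme = domain = None
            if indent == 1 and (m := re.fullmatch(r"authentication-scheme (\S+)", line)):
                scheme = m.group(1)          # scheme definition
            elif indent == 1 and (m := re.fullmatch(r"domain (\S+)", line)):
                domain = m.group(1)          # domain view
        elif scheme and line == "authentication-mode none":
            none_schemes.add(scheme)
        elif domain and (m := re.fullmatch(r"authentication-scheme (\S+)", line)):
            domain_scheme[domain] = m.group(1)   # scheme bound to the domain
    findings = []
    pattern = r"^mac-authen domain (\S+) mac-address (\S+) mask (\S+)$"
    for dom, base, mask in re.findall(pattern, config, re.M):
        if domain_scheme.get(dom) in none_schemes:
            fixed = mask_bits(mask)
            findings.append((dom, base, mask, fixed, 2 ** (48 - fixed)))
    return findings

if __name__ == "__main__":
    for dom, base, mask, fixed, count in audit_noauth_ranges(SAMPLE_CONFIG):
        print(f"{dom}: {base}/{mask} fixes {fixed} bits, "
              f"admits {count} MAC addresses without authentication")
```

A longer mask in the mac-authen domain command fixes more bits and narrows the range that is admitted without authentication.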

Other related questions:
Enable and disable PoE on an S series switch
Enable or disable the PoE function on S series switches:

1. By default, the PoE function is enabled on an interface.
2. Enable or disable PoE power supply.
<HUAWEI>system-view
[HUAWEI]interface gigabitethernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0]undo poe enable  //Disable PoE power supply.
[HUAWEI-GigabitEthernet1/0/0]poe enable       //Enable PoE power supply.

The downlink electrical interfaces of PoE switches support PoE power supply, with up to 30 W power on each interface. The maximum power supply distance is 100 m.
Only ES0D0G48VA00 (S7700)/LE0DG48VEA00 (S9300) cards of modular switches (S7700/S9700/S9300/S12700) support PoE power supply.

If the switch connects to 48 V standard PoE powered devices but cannot negotiate power supply capabilities with the devices, you can run poe force-power on the interfaces to forcibly power on the devices.


802.1x remote authentication on S series switch
In 802.1x remote authentication and authorization, user information (including the user name, password and attributes) is configured on the remote AAA server. 802.1x remote authentication and authorization provide high network security.
S series switches (except S1700 switches) running V200R003C10 or an earlier version support only traditional NAC configuration. Switches running V200R005C00 or a later version support both traditional and unified NAC configuration. By default, unified NAC configuration is used. 802.1x remote authentication also supports traditional and unified modes.
802.1x remote authentication configuration is the same on all switch models:
- For the traditional 802.1x remote authentication configuration, see "Example for Configuring 802.1x Authentication to Control Internal User Access" in "Configuring NAC (Common Mode)" of Typical Configuration Examples.
- For the unified 802.1x remote authentication configuration, see "Example for Configuring 802.1x Authentication to Control Internal User Access" in "Configuring NAC (Unified Mode)" of Typical Configuration Examples.

Can an interface of an S series switch be used for communication after 802.1x authentication is enabled on the interface
After 802.1x authentication is enabled on an interface of an S series switch, a user must pass 802.1x authentication before using the interface for communication.
