From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Tue Sep 02 2008 - 13:26:46 ART
Austin,
Cisco has a good and robust solution for 802.1x deployment in a Voice
capable network. Whether your phones support 802.1x or not, whether the PCs
behind the phones support 802.1x or not, this is not a problem at all.
You can deploy 802.1x on a network with IP phones with either MDA
(multi-domain authentication): where there will be 2 domains - data and
voice domains and each device (the phone on the voice domain and the PC on
the data domain) will authenticate, or MAB (MAC authentication bypass) when
the phones or the PC don't support 802.1x but the MAC address of each
device is authenticated with ACS and placed in the right domain (voice or
data).
On some of the platforms (switches), there is no support for MDA and that's
when you have CDP bypass where the phone learns its voice VLAN and bypasses
authentication altogether. The PC behind it authenticates 802.1x or MAC
(haven't checked this).
You can also deploy this solution well with 3rd party IP phones that don't do
CDP (which is a major dependency for the solution). But all is possible.
In a nutshell, that's where it all stands at the moment.
More here and on CCO:
http://www.cisco.com/en/US/prod/collateral/routers/ps5853/prod_white_paper0900aecd806c6d65.html
HTH
Sadiq