Switches, Hubs, and Modems
Port Security Exclusions?

Jason Scott
Regular Advisor

Port Security Exclusions?

I'm looking into and testing 802.1x security on the LAN in conjunction with IDM. I want to authorise all domain computers and domain users and have this working.

Next I want to exclude Mitel IP phones from authentication - or grant any devices beginning with 08-00-0f (Mitel vendor code) access to our voice VLAN. I also need to be able to add exclusions for any devices which don't support 802.1x but that we are aware of. Is this possible? I presume this would be configured on the switch or RADIUS server and not touch any part of IDM?

Thanks,
5 REPLIES
Matt Hobbs
Honored Contributor

Re: Port Security Exclusions?

Can't you configure the Mitel phones to also use 802.1X? That would be the nicest solution.

For other devices that don't support 802.1X, you can use the unauth-vid feature which will put those users into a different (more restricted?) VLAN.

You could also use mac-auth and web-auth for those devices.
eng.Zohair
Esteemed Contributor

Re: Port Security Exclusions?

Jason Scott
Regular Advisor

Re: Port Security Exclusions?

Matt - we have over 2000 phones deployed and reconfiguring them manually isn't an option. I haven't looked to see if they can be done centrally yet. Although in testing my own phone detected 802.1x but asked for a username and password. We cannot ask our users to log in to the phone. They have enough trouble with standard PCs as it is :)

Jan - thanks. That looks like a good document and covers the configuration of RADIUS that is missing from the IDM manual.
Matt Hobbs
Honored Contributor

Re: Port Security Exclusions?

Let us know if you do find out that you can centrally set the handsets for 802.1X somehow. I'd like to know what the best practice is too, i.e. configure all phones with the same 802.1X credentials?
Jason Scott
Regular Advisor

Re: Port Security Exclusions?

I've received some information from Mitel, however it appears you need to configure a username and password on each phone.

This means our only option is some sort of exclusion or MAC-based authentication. When I initially started looking at IDM I was under the impression that it might play a more active role in authenticating users and devices. I was hoping we could set up lists of devices, or MAC vendor wildcards, which would be placed into certain VLANs. For example, all our digital X-ray viewers would be placed into our PACS VLAN. All our heart rate monitors would be placed into their VLAN. Because we use multiple VLANs for different classes of non-Windows devices we're unable to make use of the unauth VLAN.

I thought about perhaps just deploying 802.1x to switches and ports where we know standard Windows workstations are connected, but this somewhat defeats the objective we are trying to achieve, which was to lock down the network as much as possible but maintain easy management and not increase support overheads.
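The exclusion and vendor-wildcard logic discussed in this thread, sketched as the policy a mac-auth RADIUS backend could apply (an added example, not code from the original posts or from any HP or Mitel product): the switch sends the client MAC as the username, an exact-MAC allowlist and an OUI table pick the VLAN, and unknown devices are rejected so the switch's own unauth-vid setting decides what happens to them. The 08-00-0f OUI is from the thread; every other MAC, VLAN id and rule is an assumption.

```python
import re

# Constructed policy tables for a mac-auth RADIUS backend. 08-00-0f is the
# Mitel OUI named in the thread; every other address and all VLAN ids are
# assumptions chosen for illustration.
KNOWN_DEVICES = {               # exact MAC -> VLAN, for known non-802.1X devices
    "0010a4aabbcc": 310,        # hypothetical digital X-ray viewer -> PACS VLAN
}
OUI_RULES = {                   # vendor prefix (first 3 octets) -> VLAN
    "08000f": 200,              # Mitel IP phones -> voice VLAN
}

def normalize_mac(mac: str) -> str:
    """Accept 08-00-0f-..., 08:00:0f:..., 0800.0f12.3456 and return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def lookup_vlan(mac: str):
    """Return (vlan, rule) with rule in {"exact", "oui"}, or None if nothing matches.
    An exact entry wins over an OUI rule, so one specific device can be pinned
    to a different VLAN than the rest of its vendor's equipment."""
    m = normalize_mac(mac)
    if m in KNOWN_DEVICES:
        return KNOWN_DEVICES[m], "exact"
    if m[:6] in OUI_RULES:
        return OUI_RULES[m[:6]], "oui"
    return None

def radius_decision(mac_username: str) -> tuple:
    """Decide the Access-Request a switch sends for mac-auth (username = MAC).
    Accept carries the RFC 3580 tunnel attributes that place the port in a VLAN;
    on Reject the switch applies its own unauth-vid (if configured) or blocks the port."""
    try:
        hit = lookup_vlan(mac_username)
    except ValueError:
        return "Access-Reject", {}
    if hit is None:
        return "Access-Reject", {}
    vlan, rule = hit
    return "Access-Accept", {
        "Tunnel-Type": "VLAN",             # IANA value 13
        "Tunnel-Medium-Type": "IEEE-802",  # IANA value 6
        "Tunnel-Private-Group-Id": str(vlan),
        "Reply-Message": f"matched {rule} rule",
    }
```

An OUI match identifies a device class, not a device: a MAC address is trivially changed, so this buys segmentation of known equipment rather than authentication of it, and the VLANs it hands out should be limited to what those devices actually need.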