Configuration commands to authenticate PCs connected to VoIP devices.

One common authentication bypass scenario is a PC behind a VoIP phone: the CDP-based VoIP phone is allowed to bypass authentication, but the PC connected behind the phone must still be authenticated.

  1. CDP configuration in pre-standard mode: the following command is the prerequisite for detecting a VoIP phone using CDP on Aruba switches.

    switch(config)#cdp mode pre-standard-voice
  2. Voice VLAN configuration:
    switch(config)#vlan 20 voice
    This configures VLAN 20 as the voice VLAN.
  3. device-identity configuration: a policy must be defined to identify a specific device based on the signatures in its incoming packets. The voip-vlan-query value is set to 512 to detect CDP VoIP phones; a MAC OUI and sub-type are configured to match LLDP packets.
    switch(config)#device-identity name <voip> cdp type voip-vlan-query value <512>
    switch(config)#device-identity name <voip> lldp oui <MAC-OUI> sub-type <integer>

    The device-identity configuration must be followed by an interface disable or interface enable command on the port so that the voip-vlan-query can detect the device identity.

  4. Authenticate the PC connected to the VoIP device.

    switch(config)#aaa port-access mac-based A7
    switch(config)#aaa port-access mac-based A7 addr-limit 2
    switch(config)#aaa port-access authenticator A7
    switch(config)#aaa port-access authenticator A7 client-limit 2
    switch(config)#aaa authentication port-access eap-radius
    switch(config)#aaa port-access authenticator active
  5. Device profile configuration: associate a profile named legacy_phone with the device policy type voip.

    switch(config)#device-profile name legacy_phone
    switch(device-profile)#tagged-vlan 20
    switch(device-profile)#mode client-mode
    switch(config)#device-profile device-type voip
    switch(device-voip)#associate legacy_phone
  6. Enable authentication bypass on the authenticating port for devices that match the device-identity policy.

    switch(config)#aaa port-access device-identity voip bypass A7
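
The six steps above, collected into one ordered configuration as an added example (this is not configuration from the original page or from Aruba's documentation). It assumes the phone and PC share port A7 and voice VLAN 20 as in the page; the LLDP match uses the LLDP-MED organizational OUI 00-12-BB with sub-type 1 (the LLDP-MED Capabilities TLV), and the disable/enable bounce of A7 after the device-identity policy follows the note in step 3. The OUI/sub-type values and the bounce sequence are assumptions, not values taken from the page.

```text
; 1. Detect CDP phones in pre-standard voice mode
cdp mode pre-standard-voice
; 2. Voice VLAN
vlan 20 voice
; 3. Device-identity policy: CDP voip-vlan-query plus an LLDP OUI/sub-type match
device-identity name voip cdp type voip-vlan-query value 512
device-identity name voip lldp oui 00-12-BB sub-type 1
; Bounce the port so the voip-vlan-query can detect the phone (assumed sequence)
interface A7 disable
interface A7 enable
; 4. Authentication on A7: two addresses/clients so phone and PC both fit
aaa port-access mac-based A7
aaa port-access mac-based A7 addr-limit 2
aaa port-access authenticator A7
aaa port-access authenticator A7 client-limit 2
aaa authentication port-access eap-radius
aaa port-access authenticator active
; 5. Device profile for the phone, tagged on the voice VLAN
device-profile name legacy_phone
   tagged-vlan 20
   mode client-mode
   exit
device-profile device-type voip
   associate legacy_phone
   exit
; 6. Only devices matching the "voip" policy bypass authentication on A7
aaa port-access device-identity voip bypass A7
```

The addr-limit and client-limit of 2 are what allow one bypassed phone and one authenticated PC on the same port; leaving them at the default of 1 would block the PC once the phone is learned. After applying the configuration, the port-access client and CDP neighbor show commands on the switch are the usual way to confirm that the phone appears as bypassed and the PC as authenticated on A7.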