Reset Search



D2 User + IP Phone Authentication

« Go Back


TitleD2 User + IP Phone Authentication
  • D2 User + IP Phone Authentication
  • Cannot authenticate both user + IP phone on same port on D2
  • Cannot authenticate PC + phone on same port on D2
  • D2
  • All firmware
Product limitation
This is Functioning As Designed. From the D2 CLI guide:

Configuring User + IP Phone Authentication

User + IP phone authentication is a legacy feature that allows a user and their IP phone to both use a single port on the switch but to have separate policy roles. The user’s PC and their IP phone are daisy‐chained together with a single connection to the network.

Note: The only multi-user authentication supported on the D2 is User + IP Phone. The IP phone and the user may authenticate using 802.1x or MAC authentication.

With ʺUser + IP Phoneʺ authentication, the policy role for the IP phone is statically mapped using a policy admin rule which assigns any packets received with a VLAN tag set to a specific VID (for example, Voice VLAN) to an specified policy role (for example, IP Phone policy role). Therefore, it is required that the IP phone be configured to send VLAN‐tagged packets tagged for the “Voice” VLAN. Refer to the Usage section for the command “set policy rule” on page 12‐10 for additional information about configuring a policy admin rule that maps a VLAN tag to a policy role.

Note that if the IP phone authenticates to the network, the RADIUS accept message must return null values for RFC 3580 tunnel attributes and the Filter‐ID.

The second policy role, for the user, can either be statically configured with the default policy role on the port or dynamically assigned through authentication to the network (using a RADIUS Filter‐ID). When the default policy role is assigned on a port, the VLAN set as the portʹs PVID is mapped to the default policy role. When a policy role is dynamically applied to a user as the result of a successfully authenticated session, the “authenticated VLAN” is mapped to the policy role set in the Filter‐ID returned from the RADIUS server. The “authenticated VLAN” may either be the PVID of the port, if the PVID Override for the policy profile is disabled, or the VLAN specified in the PVID Override if the PVID Override is enabled.
Additional notes



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255