The IP Phone + PC Topology: Why It Complicates 802.1X
Every campus access layer deployment with unified communications runs into the same physical constraint: there are more endpoints than switchports. The industry standard solution is to daisy-chain IP phones — the phone connects to the wall jack (the switch), and the PC connects to the phone's downstream access port. The phone acts as a pass-through switch for the PC.
From a Layer 2 perspective, the switchport now has two MAC addresses: the phone's MAC and the PC's MAC. Both endpoints need network access, both are on the same physical port, and they need to be in different VLANs — VLAN 20 for voice traffic, VLAN 10 for data.
Standard 802.1X single-host mode can only handle one MAC address. Multi-host mode authenticates one MAC and opens the port for all others — adequate for getting the PC connected but abandoning any authentication for the phone. Neither mode is correct for this topology.
Multi-Domain Authentication (MDA) exists specifically for this problem. The switch divides the port into two authentication domains — VOICE and DATA — and authenticates each independently. The phone authenticates in the VOICE domain (via MAB or 802.1X), the PC authenticates in the DATA domain (via 802.1X), and each receives its appropriate VLAN assignment. The two domains share one physical cable but are completely independent at the authentication and authorization level.
How MDA Works: The Role of CDP
The switch cannot distinguish between a phone and a PC by observing raw Ethernet traffic. A MAC address alone does not indicate whether the device is a voice or data endpoint. MDA uses CDP (Cisco Discovery Protocol) to make this determination.
When a Cisco IP Phone connects to a switchport, it sends CDP advertisements identifying itself as a voice endpoint with device capabilities Phone. The switch reads these CDP frames and classifies any traffic from the phone's MAC address as VOICE domain traffic. Any other MAC address on the port — including the PC connected through the phone — is classified as DATA domain traffic.
Without CDP, the switch cannot classify the phone correctly. If CDP is disabled on either the switch port or the phone, MDA may still work if the phone's MAC address triggers the voice VLAN configuration, but the authentication domain classification will be unreliable.
LLDP-MED can perform a similar function, but for Cisco 8800 series phones in a Cisco campus environment, CDP is the standard and more reliable mechanism.
Switch Configuration
Global Requirements
```
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-Primary
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key ISEsecret123
!
aaa server radius dynamic-author
 client 10.0.0.10 server-key ISEsecret123
 auth-type any
!
dot1x system-auth-control
device-tracking tracking
cdp run
```
cdp run must be configured globally for CDP to operate. It is enabled by default on Cisco IOS XE switches but verify it has not been disabled as part of a security hardening template.
Interface Configuration
```
interface GigabitEthernet1/0/1
 description IP Phone 8861 + Workstation
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication event no-response action authorize vlan 30
 authentication event fail action authorize vlan 40
 authentication event server dead action authorize vlan 50
 authentication event server dead action reinitialize vlan 50
 authentication event server alive action reinitialize
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
 cdp enable
 spanning-tree portfast
```
Line-by-line explanation:
- switchport access vlan 10 — default data VLAN. Active for the PC (DATA domain) when no ISE VLAN assignment is returned, and as fallback before authentication.
- switchport voice vlan 20 — voice VLAN. The switch sends CDP advertisements to the phone indicating it should tag voice traffic with VLAN 20. The phone moves its own traffic to VLAN 20 upon receiving this CDP TLV.
- authentication host-mode multi-domain — enables MDA mode, creating independent VOICE and DATA authentication domains on this port.
- authentication order dot1x mab — both domains try 802.1X first, then MAB. For the phone specifically, 802.1X will time out (most Cisco IP Phones 8800 series support 802.1X but are often deployed with MAB for operational simplicity) and MAB will send the phone's MAC address to ISE.
- authentication priority dot1x mab — if both methods are running simultaneously and 802.1X succeeds, it takes priority over MAB.
- authentication periodic and authentication timer reauthenticate server — enable server-driven reauthentication using the Session-Timeout returned by ISE.
- authentication event no-response action authorize vlan 30 — Guest VLAN for DATA domain if no 802.1X supplicant. Note: in MDA mode, the VOICE domain also uses this fallback if the phone sends no EAPOL and MAB fails.
- mab — enables MAC Authentication Bypass. Required for the phone to authenticate via its MAC address.
- cdp enable — enables CDP on this interface. Required for voice domain classification.
- spanning-tree portfast — enables PortFast for faster link-up convergence. Do not configure spanning-tree portfast trunk on access ports.
Applying to Multiple Ports with a Template
In a production campus deployment, you will configure hundreds of ports identically. Use an interface template to apply the standard MDA configuration:
```
template VOICE-DATA-PORT
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication event no-response action authorize vlan 30
 authentication event fail action authorize vlan 40
 authentication event server dead action authorize vlan 50
 authentication event server dead action reinitialize vlan 50
 authentication event server alive action reinitialize
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
 cdp enable
 spanning-tree portfast
```
Apply to interfaces:
```
interface range GigabitEthernet1/0/1 - 24
 source template VOICE-DATA-PORT
```
Templates in IOS XE 17.9.x provide a single point of change — update the template and all bound interfaces inherit the change without per-interface reconfiguration.
Cisco IP Phone 8800 Series: 802.1X Supplicant Behavior
The Cisco 8800 series phones (8811, 8841, 8851, 8861, 8865) support 802.1X authentication as a supplicant. The phone can authenticate using:
- EAP-MD5 — supported but deprecated; does not provide mutual authentication
- EAP-TLS — supported with certificates installed via Cisco Unified Communications Manager (CUCM) or Cisco Certificate Authority Proxy Function (CAPF)
- EAP-FAST — supported on some 8800 models
In most enterprise deployments, IP phones authenticate via MAB rather than 802.1X for operational reasons:
- Certificate provisioning to hundreds of phones adds operational complexity
- Phones must be active on the network before they can receive their configuration from CUCM — creating a chicken-and-egg problem with strict 802.1X
- MAB with ISE profiling provides adequate identity for voice endpoints without credential infrastructure per device
If your organization requires phone 802.1X authentication (for example, in a high-security environment), configure the phone's 802.1X settings in CUCM under Device > Phone > [phone] > Security Profile and ensure the phone's certificate is issued by a CA trusted by ISE.
For MAB-based phone authentication (the more common approach), the phone MAC address must be known to ISE — either as a manually added endpoint, discovered via DHCP/CDP profiling, or imported from CUCM's AXL API.
ISE Configuration for Voice and Data Domains
Endpoint Profiling for Phones
ISE must be able to identify the phone as a voice endpoint to apply the correct authorization policy. Enable profiling:
Administration > System > Deployment > [PSN node] > Profiling
Enable the following probes:
- CDP — ISE reads CDP data from RADIUS accounting packets (the switch sends CDP information in accounting requests when configured correctly)
- DHCP — ISE reads DHCP options including Option 12 (hostname), which phones typically set to their MAC-based hostname
- HTTP — ISE reads the HTTP User-Agent from phones accessing CUCM web services
The Cisco-IP-Phone endpoint profile in ISE matches devices with:
- MAC OUI belonging to Cisco's voice device ranges
- DHCP hostname containing "SEP" (Cisco IP Phones use SEP+MAC as their hostname)
- CDP Device-Info showing phone capabilities
In ISE 3.2, navigate to Policy > Profiling > Profiling Policies to view the Cisco-IP-Phone profiling policy and its conditions. Verify the policy is enabled and has a high certainty factor threshold.
Authorization Profiles for Voice and Data
Profile for IP Phones (Voice Domain):
Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Name: Voice-VLAN20-Profile
- Access Type: ACCESS_ACCEPT
- Common Tasks:
  - VLAN: 20
- Advanced Attributes Settings:
  - Cisco:cisco-av-pair = device-traffic-class=voice
The device-traffic-class=voice Cisco AVPair is optional but recommended. It signals to the switch that this session is a voice device and can influence QoS markings and CDP behavior on the switch.
Profile for Corporate PC (Data Domain):
Name: Corp-Data-VLAN10-Profile
- Access Type: ACCESS_ACCEPT
- Common Tasks:
  - VLAN: 10
  - Downloadable ACL: Corp-Employees-Full-Access (see Article 16 for dACL configuration)
Authorization Policy Rules
Navigate to Policy > Policy Sets > [your 802.1X policy set] > Authorization Policy.
Add rules in priority order:
| Priority | Rule Name | Conditions | Authorization Profile |
|---|---|---|---|
| 1 | IP-Phones | Endpoints:EndpointProfile EQUALS Cisco-IP-Phone | Voice-VLAN20-Profile |
| 2 | Corp-Employees | AD1:ExternalGroups EQUALS Corp-Employees AND NetworkAccess:EapAuthentication EQUALS EAP-MSCHAPv2 | Corp-Data-VLAN10-Profile |
| 3 | Contractors | AD1:ExternalGroups EQUALS Contractors | Contractors-VLAN30-Profile |
| 4 | Default-MAB | NetworkAccess:AuthenticationMethod EQUALS MAB | Guest-VLAN30-Profile |
| 5 | Default | — | DenyAccess |
Rule 1 matches phones profiled as Cisco-IP-Phone. Rule 2 matches corporate AD users authenticating via PEAP/EAP-MSCHAPv2. The EAP-MSCHAPv2 condition ensures this rule only matches 802.1X authentications, not MAB sessions from unknown MACs.
Verification
Authentication Session Summary
```
SW1# show authentication sessions
Interface    MAC Address     Method  Domain  Status  Fg  Session ID
Gi1/0/1      0025.b501.aabb  mab     VOICE   Auth        0A00630A0000000C
Gi1/0/1      c8d9.d2e1.ccdd  dot1x   DATA    Auth        0A00630A0000000D
```
Both MAC addresses appear on GigabitEthernet1/0/1. One is in the VOICE domain (authenticated via MAB — the IP phone), the other is in the DATA domain (authenticated via 802.1X — the PC). This is MDA operating correctly.
Detailed Session Output
```
SW1# show authentication sessions interface GigabitEthernet1/0/1 detail
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0025.b501.aabb
         IPv6 Address:  Unknown
         IPv4 Address:  10.0.20.45
            User-Name:  00-25-B5-01-AA-BB
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A00630A0000000C
      Acct Session ID:  0x0000000C
               Handle:  0x1C000006
       Current Policy:  POLICY_Gi1/0/1

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 20

Method status list:
       Method           State
       mab              Authc Success

            Interface:  GigabitEthernet1/0/1
          MAC Address:  c8d9.d2e1.ccdd
         IPv6 Address:  Unknown
         IPv4 Address:  10.0.10.112
            User-Name:  DOMAIN\jsmith
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  3600s (server), Remaining: 3209s
    Common Session ID:  0A00630A0000000D
      Acct Session ID:  0x0000000D
               Handle:  0x1C000007
       Current Policy:  POLICY_Gi1/0/1

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 10
              ACS ACL:  xGENIEx0a00630a0000000d-1-xGENIEx

Method status list:
       Method           State
       dot1x            Authc Success
```
Key items to verify:
- VOICE domain: Vlan Group: Vlan: 20 and mab Authc Success
- DATA domain: Vlan Group: Vlan: 10, ACS ACL present (dACL applied), and dot1x Authc Success
- Both sessions reference the same physical interface but are completely independent authorization sessions
Verify Voice VLAN
```
SW1# show interfaces GigabitEthernet1/0/1 trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/1     off              802.1q         not-trunking  1

Port        Vlans allowed on trunk
Gi1/0/1     10

Port        Vlans allowed and active in management domain
Gi1/0/1     10

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     10

SW1# show voice vlan interface GigabitEthernet1/0/1
                    Voice                       Data
Port      Status    Vlan    Cos   Mode        Vlan
-------   --------  ------  ----  --------    ------
Gi1/0/1   Enabled   20      5     Untagged    10
```
The voice VLAN shows as 20 and the data VLAN as 10. Status "Enabled" confirms the voice VLAN is active on this port.
Verify CDP Neighbor (Phone)
```
SW1# show cdp neighbors GigabitEthernet1/0/1 detail
-------------------------
Device ID: SEP0025B501AABB
Entry address(es):
  IP address: 10.0.20.45
Platform: Cisco IP Phone 8861,  Capabilities: Host Phone IGMP
Interface: GigabitEthernet1/0/1,  Port ID (outgoing port): Port 1
Holdtime : 140 sec

Version :
SCCP41.9-4-2SR3-1

advertisement version: 2
Duplex: full
Power drawn: 15.400 Watts
Power request id: 14757, Power management id: 3
Power request levels are:15400 9600 7900 6300 5000
Management address(es):
  IP address: 10.0.20.45
```
The CDP neighbor output confirms the connected device is a Cisco IP Phone 8861. The Capabilities: Host Phone field is what the switch uses to classify traffic from this device into the VOICE domain in MDA mode. If the phone does not appear in CDP neighbors, the VOICE domain classification may fail.
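The verification steps above amount to a cross-check: every VOICE-domain session should correspond to a CDP neighbor on that port that advertises the Phone capability, a phone that turns up in the DATA domain means CDP classification failed, and MDA permits only one session per domain per port. The Python script below is an added example, not code from the original article or from Cisco: it parses constructed `show authentication sessions` and `show cdp neighbors detail` output modelled on the samples above (with an extra port, Gi1/0/2, showing a misclassified phone) and reports the mismatches. The function and variable names are the example's own; the SEP-to-MAC mapping relies on Cisco phones using SEP followed by their MAC as the CDP Device ID, as the article notes.

```python
import re
from collections import Counter

# Constructed sample output modelled on the verification section above; Gi1/0/2 is
# added to show a phone that authenticated via MAB but landed in the DATA domain.
SESSIONS_OUTPUT = """\
Interface    MAC Address     Method  Domain  Status  Fg  Session ID
Gi1/0/1      0025.b501.aabb  mab     VOICE   Auth        0A00630A0000000C
Gi1/0/1      c8d9.d2e1.ccdd  dot1x   DATA    Auth        0A00630A0000000D
Gi1/0/2      0025.b501.ccdd  mab     DATA    Auth        0A00630A0000000E
"""

CDP_OUTPUT = """\
-------------------------
Device ID: SEP0025B501AABB
Entry address(es):
  IP address: 10.0.20.45
Platform: Cisco IP Phone 8861,  Capabilities: Host Phone IGMP
Interface: GigabitEthernet1/0/1,  Port ID (outgoing port): Port 1
-------------------------
Device ID: SEP0025B501CCDD
Entry address(es):
  IP address: 10.0.20.46
Platform: Cisco IP Phone 8841,  Capabilities: Host Phone IGMP
Interface: GigabitEthernet1/0/2,  Port ID (outgoing port): Port 1
"""

SESSION_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>\S+)", re.IGNORECASE)


def short_ifname(name):
    """Map 'GigabitEthernet1/0/1' (CDP output) to 'Gi1/0/1' (session table form)."""
    for full, short in (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"),
                        ("FastEthernet", "Fa")):
        if name.startswith(full):
            return short + name[len(full):]
    return name


def sep_to_mac(device_id):
    """Cisco phones announce themselves as SEP<MAC>; return dotted MAC or None."""
    m = re.fullmatch(r"SEP([0-9A-Fa-f]{12})", device_id)
    if not m:
        return None
    h = m.group(1).lower()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_sessions(text):
    """Parse the summary table of 'show authentication sessions'."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            s = m.groupdict()
            s["mac"], s["domain"] = s["mac"].lower(), s["domain"].upper()
            sessions.append(s)
    return sessions


def parse_cdp_phones(text):
    """Return {(short_interface, mac): device_id} for neighbors with the Phone capability."""
    phones = {}
    for block in re.split(r"^-{3,}\s*$", text, flags=re.MULTILINE):
        dev = re.search(r"Device ID:\s*(\S+)", block)
        caps = re.search(r"Capabilities:\s*(.+)", block)
        intf = re.search(r"^Interface:\s*([^,\s]+)", block, re.MULTILINE)
        if not (dev and caps and intf) or "Phone" not in caps.group(1).split():
            continue
        mac = sep_to_mac(dev.group(1))
        if mac:
            phones[(short_ifname(intf.group(1)), mac)] = dev.group(1)
    return phones


def audit_mda(sessions_text, cdp_text):
    """Cross-check session domains against CDP; returns (interface, mac, message) findings."""
    sessions = parse_sessions(sessions_text)
    phones = parse_cdp_phones(cdp_text)
    findings = []
    for s in sessions:
        key = (s["intf"], s["mac"])
        if s["domain"] == "VOICE" and key not in phones:
            findings.append((s["intf"], s["mac"],
                             "VOICE session but no CDP phone neighbor on this port"))
        elif s["domain"] == "DATA" and key in phones:
            findings.append((s["intf"], s["mac"],
                             f"CDP phone {phones[key]} is in the DATA domain; classification failed"))
    # MDA allows exactly one VOICE and one DATA session per port.
    for (intf, domain), n in Counter((s["intf"], s["domain"]) for s in sessions).items():
        if n > 1:
            findings.append((intf, "*", f"{n} sessions in {domain} domain; MDA allows one per domain"))
    return findings


if __name__ == "__main__":
    for intf, mac, msg in audit_mda(SESSIONS_OUTPUT, CDP_OUTPUT):
        print(f"{intf} {mac}: {msg}")
```

Run against output collected from a real switch (for example via an SSH session or a logging pipeline), the script reports one line per inconsistency; on the constructed sample it flags only Gi1/0/2, where the phone SEP0025B501CCDD authenticated into the DATA domain, which is exactly the first troubleshooting symptom described later in this article.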
Common Deployment Variations
Phone with 802.1X (EAP-TLS) Instead of MAB
In high-security deployments where phones must authenticate with certificates:
```
interface GigabitEthernet1/0/1
 authentication order dot1x
 authentication priority dot1x
```
Remove MAB from the interface and rely solely on 802.1X for the phone. The phone certificate must be issued by a CA imported into ISE under Administration > System > Certificates > Certificate Authority Certificates.
Phones Without 802.1X Supplicant (Legacy)
For legacy phones with no 802.1X capability and no MAB enrollment in ISE, configure the port to authorize the VOICE domain without any authentication:
```
authentication event no-response action authorize vlan 20
```
This places any device that sends no EAPOL and has no MAB entry into VLAN 20. Use this only temporarily during phone replacement cycles. Any device connected in the VOICE domain position will get VLAN 20 access, which is a security risk if the port is exposed in a lobby or common area.
Open Office Areas Without Phones
On ports that serve only PCs (no IP phones), use single-host or multi-auth mode instead of multi-domain. Configuring multi-domain on a PC-only port wastes the VOICE domain and can cause confusion when troubleshooting — a PC might be classified as VOICE domain if CDP is misread.
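The global and interface requirements set out in this article (cdp run not disabled by a hardening template, multi-domain and CDP on every port that carries a voice VLAN, and no multi-domain on PC-only ports) can be checked mechanically across a saved running configuration. The Python audit below is an added example, not code from the original article or from Cisco: it parses a constructed IOS-style configuration excerpt, expands source template bindings so template-bound ports are judged on what they inherit, and lists each deviation. The function names and the sample configuration are the example's own.

```python
# Constructed running-config excerpt (not from the article's lab switch). It mixes a
# template-bound MDA port, a PC-only port wrongly set to multi-domain, and a phone
# port that is neither multi-domain nor running CDP.
SAMPLE_CONFIG = """\
!
no cdp run
!
template VOICE-DATA-PORT
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 cdp enable
!
interface GigabitEthernet1/0/1
 description IP Phone 8861 + Workstation
 source template VOICE-DATA-PORT
!
interface GigabitEthernet1/0/2
 description PC-only open office desk
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-domain
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-host
 authentication port-control auto
 no cdp enable
!
"""


def parse_blocks(config, keyword):
    """Collect every top-level '<keyword> <name>' block and its indented lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(keyword + " "):
            current = raw[len(keyword) + 1:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or another top-level line ends the block
    return blocks


def effective_lines(intf_lines, templates):
    """Expand 'source template X' so the interface is judged on inherited config."""
    lines = []
    for ln in intf_lines:
        if ln.startswith("source template "):
            lines.extend(templates.get(ln.split()[-1], []))
        else:
            lines.append(ln)
    return lines


def audit_config(config):
    """Return (scope, message) findings for MDA/CDP misconfigurations."""
    findings = []
    # 'cdp run' is on by default and absent from the config; only 'no cdp run' shows.
    if any(l.strip() == "no cdp run" for l in config.splitlines()):
        findings.append(("global", "no cdp run: MDA cannot classify phones into the VOICE domain"))
    templates = parse_blocks(config, "template")
    for name, raw in parse_blocks(config, "interface").items():
        lines = effective_lines(raw, templates)
        has_voice = any(l.startswith("switchport voice vlan ") for l in lines)
        is_mda = "authentication host-mode multi-domain" in lines
        if has_voice and not is_mda:
            findings.append((name, "voice VLAN set but host-mode is not multi-domain"))
        if has_voice and "no cdp enable" in lines:
            findings.append((name, "voice VLAN set but CDP is disabled on the interface"))
        if is_mda and not has_voice:
            findings.append((name, "multi-domain on a port with no voice VLAN; use single-host or multi-auth"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit_config(SAMPLE_CONFIG):
        print(f"{scope}: {msg}")
```

On the sample, GigabitEthernet1/0/1 passes because it inherits multi-domain and cdp enable from the template, while the global no cdp run, the PC-only port in multi-domain mode, and the phone port in multi-host mode without CDP are each reported.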
Troubleshooting
Symptom: Phone authenticates (MAB success in ISE) but appears in DATA domain instead of VOICE domain
Cause: CDP is not running on the interface, or the phone has not sent CDP advertisements yet. Without CDP, the switch has no mechanism to classify the phone's MAC address as a VOICE domain device.
Fix: Confirm CDP is enabled on the interface:
```
SW1# show cdp interface GigabitEthernet1/0/1
GigabitEthernet1/0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
```
If CDP is not shown, add cdp enable to the interface. Wait 60 seconds for the phone to send its next CDP advertisement, then verify with show cdp neighbors GigabitEthernet1/0/1. Also confirm cdp run is in the global configuration.
Alternatively, force the phone to resend CDP by bouncing the phone's upstream port:
```
SW1# configure terminal
SW1(config)# interface GigabitEthernet1/0/1
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
SW1(config-if)# end
```
Wait 30-60 seconds after the port comes up for CDP to re-establish and the phone to be classified correctly.
Symptom: PC behind the phone fails authentication — ISE shows no authentication attempt from the PC's MAC
Cause: The phone's downstream access port is not passing traffic from the PC to the switch with the correct VLAN tagging. Some phone models (particularly when misconfigured) can drop PC traffic if the voice VLAN or PC port VLAN settings are incorrect in the phone's configuration.
Fix: On the Cisco 8861, verify the phone's PC port VLAN setting. In the phone's web interface (accessible at its IP address), navigate to Admin Login > Network Configuration > PC VLAN. This should show the untagged (native/access) VLAN for the PC port. The phone should be passing untagged PC traffic through to the switch, where it lands on the data VLAN (VLAN 10 in this lab).
From the switch, verify the PC's MAC appears in the MAC address table:
```
SW1# show mac address-table interface GigabitEthernet1/0/1
```
If only the phone's MAC appears and not the PC's MAC, the phone is blocking or not forwarding PC traffic. This is often a phone configuration issue, not a switch configuration issue.
Symptom: Both VOICE and DATA domains authenticate successfully but PC cannot reach data network — gets phone's VLAN instead
Cause: The phone is tagging the PC's traffic with the voice VLAN tag (VLAN 20) instead of sending it untagged. The switch receives VLAN 20-tagged frames from the PC's MAC and places it in the VOICE domain.
Fix: On the Cisco 8861, confirm the phone is configured with PC Port VLAN set to the untagged mode (or VLAN 0). The phone should never tag PC traffic — it should pass PC frames through as untagged, and the switch assigns them to the data VLAN (VLAN 10) via switchport access vlan 10.
Verify from the switch by checking which VLAN the PC's MAC address appears in:
```
SW1# show mac address-table address c8d9.d2e1.ccdd
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    c8d9.d2e1.ccdd    DYNAMIC     Gi1/0/1
```
If the PC's MAC appears in VLAN 20, the phone is incorrectly tagging the PC's traffic. Correct the phone configuration and reauthenticate.
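The check in this symptom (is each authenticated MAC learned in the VLAN its domain should land in?) is easy to script once the MAC address table is parsed. The Python snippet below is an added example, not code from the original article or from Cisco: it parses a constructed `show mac address-table` output modelled on the one above, takes the session-to-domain mapping from the earlier `show authentication sessions` output, and flags a DATA-domain MAC that arrives in the voice VLAN, which points at the phone's PC-port VLAN setting. Function and variable names are the example's own.

```python
import re

# Constructed 'show mac address-table' output for the failure case described above
# (not captured from the article's lab switch): the PC MAC has been learned in VLAN 20.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0025.b501.aabb    DYNAMIC     Gi1/0/1
  20    c8d9.d2e1.ccdd    DYNAMIC     Gi1/0/1
Total Mac Addresses for this criterion: 2
"""

# Domains as reported by 'show authentication sessions' earlier in the article.
SESSION_DOMAINS = {"0025.b501.aabb": "VOICE", "c8d9.d2e1.ccdd": "DATA"}
# VLAN each domain should land in on this port (voice VLAN 20, data VLAN 10).
DOMAIN_VLAN = {"VOICE": 20, "DATA": 10}

MAC_ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)", re.IGNORECASE)


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples; header, separator and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line)
        if m:
            rows.append((int(m["vlan"]), m["mac"].lower(), m["port"]))
    return rows


def check_domain_vlans(mac_table_text, session_domains, domain_vlan):
    """Flag MACs learned in a VLAN that does not match their authenticated domain.

    Returns (port, mac, learned_vlan, message) tuples.
    """
    findings = []
    for vlan, mac, port in parse_mac_table(mac_table_text):
        domain = session_domains.get(mac)
        if domain is None:
            findings.append((port, mac, vlan, "learned without an authenticated session"))
            continue
        expected = domain_vlan[domain]
        if vlan == expected:
            continue
        if domain == "DATA" and vlan == domain_vlan["VOICE"]:
            hint = "PC frames arriving in the voice VLAN; check the phone PC-port VLAN setting"
        else:
            hint = f"expected VLAN {expected} for the {domain} domain"
        findings.append((port, mac, vlan, hint))
    return findings


if __name__ == "__main__":
    for port, mac, vlan, msg in check_domain_vlans(SAMPLE_MAC_TABLE, SESSION_DOMAINS, DOMAIN_VLAN):
        print(f"{port} {mac} vlan {vlan}: {msg}")
```

The phone MAC in VLAN 20 is correct and produces no output; only the PC MAC is reported. A MAC with no session entry is reported too, since a host learned on an 802.1X port without an authorized session is worth a look on its own.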
What's Next
Article 18 — Web Authentication as a Fallback in 802.1X: Configuration and Use Cases: When endpoints have no 802.1X supplicant and MAB does not return an ISE match, web authentication provides a browser-based fallback that allows users to present credentials through a captive portal. Article 18 covers the configuration of Web Authentication (WebAuth) on Cisco IOS XE and ISE, including integration with the Central Web Authentication (CWA) redirect model.