Configuration commands to authenticate PCs connected to VoIP devices.
One authentication bypass scenario is a PC behind a VoIP phone: CDP-based VoIP phones bypass authentication, but the PCs behind the phones must still be authenticated.
- CDP configuration on Preshared mode: The following prerequisite command is required to detect a VoIP phone using CDP on Aruba switches.
switch(config)#cdp mode pre-standard-voice
- Voice VLAN configuration:
switch(config)#vlan 20 voice
The above configuration sets the voice VLAN to 20.
- device-identity configuration: A policy must be defined to identify a specific device based on incoming packet signatures. The voip-vlan-query value is set as 512 to detect CDP VoIP phones. MAC OUI and subtype are configured to match LLDP packets.
switch(config)#device-identity name <voip> cdp type voip-vlan-query value <512>
switch(config)#device-identity name <voip> lldp oui <MAC-OUI> sub-type <integer>
device-identity configurations must be followed by interface enable or interface disable commands to help voip-vlan-query detect the device identity.
- Authenticate the PC connected to the VoIP device.
Examples
switch(config)#aaa port-access mac-based A7
switch(config)#aaa port-access mac-based A7 addr-limit 2
switch(config)#aaa port-access authenticator A7
switch(config)#aaa port-access authenticator A7 client-limit 2
switch(config)#aaa authentication port-access eap-radius
switch(config)#aaa port-access authenticator active
- Device profile configuration: Associate the profile named legacy_phone to device policy type voip.
Examples
switch(config)#device-profile name legacy_phone
switch(device-profile)#tagged-vlan 20
switch(device-profile)#mode client-mode
switch(config)#device-profile device-type voip
switch(device-viop)#associate legacy_phone
switch(device-viop)#enable
- Enable bypass on authenticating ports based on certain policies.
Example
switch(config)#aaa port-access device-identity voip bypass A7
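The following audit script is an added example, not part of the original documentation or any Aruba tooling. It checks a saved configuration to confirm that every port with device-identity bypass also has an authentication method for the PC behind the phone. It assumes the configuration lists one port per command, as in the examples above; port A8 in the sample is hypothetical.

```python
import re

# Constructed sample config: the commands shown on this page, plus a
# hypothetical port A8 where bypass is enabled but no authentication
# method was configured.
SAMPLE_CONFIG = """\
cdp mode pre-standard-voice
vlan 20 voice
device-identity name voip cdp type voip-vlan-query value 512
aaa port-access mac-based A7
aaa port-access mac-based A7 addr-limit 2
aaa port-access authenticator A7
aaa port-access authenticator A7 client-limit 2
aaa authentication port-access eap-radius
aaa port-access authenticator active
aaa port-access device-identity voip bypass A7
aaa port-access device-identity voip bypass A8
"""

BYPASS_RE = re.compile(r"aaa port-access device-identity (\S+) bypass (\S+)")
AUTH_RE = re.compile(r"aaa port-access (mac-based|authenticator) (\S+)")


def audit_bypass_ports(config):
    """Return {port: [findings]} for every port that has device-identity bypass."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    dot1x_active = "aaa port-access authenticator active" in lines
    methods = {}   # port -> set of authentication methods enabled on it
    bypass = {}    # port -> device-identity name used for bypass
    for ln in lines:
        if m := BYPASS_RE.fullmatch(ln):
            bypass[m.group(2)] = m.group(1)
        elif (m := AUTH_RE.match(ln)) and m.group(2) != "active":
            methods.setdefault(m.group(2), set()).add(m.group(1))
    report = {}
    for port in bypass:
        findings = []
        enabled = methods.get(port, set())
        if not enabled:
            findings.append("bypass enabled but no mac-based or authenticator "
                            "command: the PC behind the phone is not authenticated")
        if "authenticator" in enabled and not dot1x_active:
            findings.append("authenticator configured but "
                            "'aaa port-access authenticator active' is missing")
        report[port] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_bypass_ports(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
```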