MAC+802.1x EAP authentication and Dynamic VLAN assignment with PC connected to IP Phones

MatC_AVA6

Hello,

We currently have Zyxel switches models GS3700-24HP, XGS3700-48HP and GS3700-48HP.

We need to implement MAC + 802.1x authentication & Dynamic VLAN Assignment for IP Phones connected to the switches and computers connected through the phones.

The scenario is as follows:



- All IP Phones are connected to the Zyxel switches
- All computers are connected to the IP Phones
- IP Phones need to use MAC Authentication and be assigned VLAN10-ToIP
- PCs need to be dynamically assigned a VLAN based on their certificate (802.1x EAP)
- User having no certificate are assigned Guest VLAN

Is this scenario feasible regarding our current switch models?
If so, what are the steps to achieve this?

Many thanks for your answers

Cheers

Zyxel_JonasTan

Hi @MatC_AVA6,

Welcome to Zyxel Community!
To achieve the goal, please refer to this link on how to configure MAC + 802.1x authentication.
But according to your topology, there will be some circumstances if the computer is connected to IP phones. The IP phone will be allocated to guest VLAN only due to IP phone doesn't have credentials as PC have. So it will fail to authenticate 802.1x and will be put on guest VLAN.

For the physical connection, we suggest separating the PC & IP phone connectivity to switch.
Example: PC1 to port 1 and IP phone1 to port 2. 

In this condition, you may configure 802.1x authentication for PCs and MAC-authentication with correct PVID for IP phones. 

Hope it helps!

CrazyTacos

What not use Voice VLAN for IP phones and 802.1x port authentication for PCs?