MAC+802.1x EAP authentication and Dynamic VLAN assignment with PC connected to IP Phones

MatC_AVA6 Posts: 1
edited August 2022 in Switch

We currently have Zyxel switches models GS3700-24HP, XGS3700-48HP and GS3700-48HP.

We need to implement MAC + 802.1x authentication & Dynamic VLAN Assignment for IP Phones connected to the switches and computers connected through the phones.

The scenario is as follows:

- All IP Phones are connected to the Zyxel switches
- All computers are connected to the IP Phones
- IP Phones need to use MAC Authentication and be assigned VLAN10-ToIP
- PCs need to be dynamically assigned a VLAN based on their certificate (802.1x EAP)
- User having no certificate are assigned Guest VLAN

Is this scenario feasible regarding our current switch models?
If so, what are the steps to achieve this?

Many thanks for your answers


All Replies

  • Zyxel_JonasTan
    Zyxel_JonasTan Posts: 94  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @MatC_AVA6,

    Welcome to Zyxel Community!
    To achieve the goal, please refer to this link on how to configure MAC + 802.1x authentication.
    But according to your topology, there will be some circumstances if the computer is connected to IP phones. The IP phone will be allocated to guest VLAN only due to IP phone doesn't have credentials as PC have. So it will fail to authenticate 802.1x and will be put on guest VLAN.

    For the physical connection, we suggest separating the PC & IP phone connectivity to switch.
    Example: PC1 to port 1 and IP phone1 to port 2. 

    In this condition, you may configure 802.1x authentication for PCs and MAC-authentication with correct PVID for IP phones. 

    Hope it helps!
  • CrazyTacos
    CrazyTacos Posts: 53  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    What not use Voice VLAN for IP phones and 802.1x port authentication for PCs?