
How do you use NAC Enforcer on a network with IP phones?

Created: 08 Oct 2012 | 5 comments
awmhove's picture

How do you use a NAC in LAN Enforcer mode on a network with IP phones?

That is, the user PC connects to the phone, then the phone connects to the switch port.


Ashish-Sharma's picture

LAN enforcement uses the 802.1x protocol to authenticate between the switch and the client systems that connect to the network. To use this method of enforcement, the switch software must support the 802.1x protocol and its configuration must be correct. 802.1x supplicant software is also required if the administrator wants to verify user identity as well as host NAC status. The switch configuration must handle the exceptions for systems without clients, rather than any Symantec configuration.

You have several ways to set up this switch configuration. Methods vary depending on the type of switch and software version it runs. A typical method implements the concept of a guest VLAN. Systems without clients are assigned to a network that has a lower level of network connectivity. Another method involves basing the exceptions on MAC addresses.

You can disable 802.1x on selected ports. However, disabling it on selected ports allows anyone to connect by using the port, so it is not recommended. Many vendors have special provisions for VoIP phones that can automatically move these devices to special voice VLANs.

Reference:

http://www.symantec.com/business/support/index?page=content&id=TECH91230

LAN Enforcer: understanding Basic and Transparent mode

http://www.symantec.com/business/support/index?page=content&id=TECH91193&locale=en_US

    Thanks In Advance

    Ashish Sharma

     

     

    Ashish-Sharma's picture

    Hi awmhove,

    Have you received a solution? Please provide the latest update.

    Thanks In Advance

    Ashish Sharma

     

     

    John Santana's picture

    Yes please, let us know what you ended up with.

    Kind regards,

    John Santana
    IT Professional

    --------------------------------------------------

    Please be nice to me as I'm a newbie in this forum.

    SMLatCST's picture

    There is an article that addresses this scenario as below, but it does focus upon the use of a Cisco switch (if not necessarily Cisco phones):

    http://www.symantec.com/docs/TECH97536

    Also note that this suggests using IAS for authentication.  I've not been able to find any similar articles updated for Win2k8R2.

    Chuck Edson's picture

    In Cisco, you can use Multi-Domain in the switch config.

    Multi-Domain will authenticate multiple hosts using the EAP protocol.

    Check out this Cisco article for details:

    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

    Let me know if this helps.

    If a post helps you, please mark it as the solution to your issue.
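
A sketch of the port setup the replies above describe (voice VLAN, guest VLAN, MAC-based exception, Multi-Domain), as an added example that is not taken from the thread or from the linked Symantec and Cisco articles. The interface names, VLAN numbers, RADIUS address (assumed here to be the LAN Enforcer) and the key placeholder are assumptions, and the syntax is the `authentication` command set of later Cisco IOS releases.

```cisco
! Added example; all addresses, VLAN IDs and interface names are constructed.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! Assumption: 192.0.2.10 is the RADIUS endpoint the switch authenticates
! against (the LAN Enforcer in this scenario).
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
!
! Not recommended (the "disable 802.1x on selected ports" exception):
! no port authentication at all, so any device plugged in here gets VLAN 10.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! Preferred: 802.1x stays on, one device is allowed in the voice domain
! (the phone) and one in the data domain (the PC behind the phone).
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 ! Guest VLAN for a data device that never answers EAP (no supplicant).
 authentication event no-response action authorize vlan 99
 ! MAC Authentication Bypass: MAC-address-based exception for phones
 ! that have no 802.1x supplicant.
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

For the phone to land in the voice domain, the RADIUS Access-Accept for it has to carry the Cisco AV pair `device-traffic-class=voice`; without it the switch treats the phone as the data device. `show authentication sessions interface GigabitEthernet0/2` lists which domain each MAC address was authorized into.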