How to Authenticate a Voice Over IP (VOIP) Phone and a Windows Workstation on a Shared Switch Port on a Cisco Switch While Using the Enforcer 6100 Series Appliance and Microsoft Internet Authentication Service (IAS).


Article ID: 178080


Updated On:


Endpoint Protection Network Access Control


Configuring IAS to allow a VOIP phone that has an Ethernet port built into it to work with the Enforcer Appliance and Cisco Switch.

A VOIP phone is being used that has a built-in Ethernet port that a workstation is using for network connectivity, so both devices are being authenticated on one switchport.
  • The Cisco "multi-domain" feature is being used on the switch.
  • Switch IOS is version 12.2.52 (SE) 3 or above.
  • VOIP phone authenticates into the incorrect VLAN or the Client Computer attached to the VOIP phone authenticates into the incorrect VLAN.


This occurs when the attribute "device-traffic-class=voice" is not sent to the Cisco switch from the RADIUS (IAS) server. This can also be caused by selecting an encrypted authentication method that the VOIP device cannot negotiate.


In IAS, set up a remote access policy that will pass the attribute "device-traffic-class=voice" to the switch when a MAC Address wildcard is found. The authentication method may also need to be set to "unencrypted" for compatability with VOIP devices that cannot negotiate encrypted authentication.

Open the IAS MMC Console, select Remote Access Policies, right-click in the right hand pane
and select "New Remote Access Policy".

At the next window, hit "Next".

Select "Setup up a custom policy" and name the policy something you will
recognize. Hit Next.

At the next window, select "Add" to add a condition.

Select Calling-Station-Id. This refers to the MAC address
of the client that is attempting to connect. Hit Add.

Add the first several common characters that all of the VOIP
phones share. The first six usually represent the
Manufacturer ID. Add a wildcard (*) after the common
characters. Click OK.

Hit Next at the next window.

Next, make sure "Grant remote access permission" is selected. Hit Next.

At the next screen, click "Edit Profile".

Select the "Advanced" tab. Then hit "Add".

Choose the "Cisco-AV-Pair", and hit "Add".

At the next screen, hit "Add".

Add the attribute "device-traffic-class=voice". This
will be passed back to the switch when the conditions
are met.

Click "Close" at the next window.

Select the "Authentication Tab" on the Edit Dial-In Profile.
Uncheck all boxes except those shown below. This is
necessary because some VOIP phones do not have the
capability to negotiate encrypted authentication.

At the next window, hit "OK".

Hit "Next" at the next window.

Hit finish at the next window.

Verify that the rule you just created is at the top of the list.