Locking down wired security often means preventing unauthorized users from plugging devices directly into wall jacks or VoIP phones to gain access to internal resources. To prevent this intrusion, network admins using Cisco Meraki MS switches can apply port access policies that prompt for authentication once traffic is detected on a switch port.
But what if you’re deploying legacy VoIP phones on your network, phones that can’t respond to authentication requests? Leaving these phones connected through open ports poses a security risk since it’s possible that clients will plug directly into the network through the phone’s Ethernet jack. A typical setup would look like this:
Meraki MS switches neatly solve this problem with the ability to allow voice VLAN clients (i.e. VoIP phones) to bypass authentication, while requiring any devices connected through the phone to authenticate.
To enable this feature, navigate to Configure > Access policies in the Meraki dashboard for your switches. This page is where you define authentication server credentials and the type of authentication required for connecting clients (i.e. 802.1x for username credentials or MAC-based RADIUS for authorized client devices).
The relevant section here is the “Voice VLAN clients” section, where you can decide whether clients connecting to a voice VLAN (typically VoIP phones) can bypass authentication themselves, or whether they will need to authenticate like any other client.
Simply allow legacy VoIP phones to bypass authentication, but know that clients connected to the LAN through the phone will still be prompted for credentials. This prevents a malicious device from gaining unauthorized access to your LAN via a non-authenticating VoIP phone.