https://community.cisco.com/t5/network-access-control/multi-auth-data-device-on-voice-domain/m-p/3882737#M471816 <P>Hello,</P><P>&nbsp;</P><P>I have a handful of HP printers in the voice domain even their IP from data VLAN and their authorization is correct, they are directly connected to the switch(no phone in between) and we are using multi-auth, below the config and the details, any idea why not in data domain?</P><P>hardware cat 4510 with sup 8, running version 3.8.5&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>4510#show authentication sessions int gig 1/36 det<BR />Interface: GigabitEthernet1/36<BR />MAC Address: ace2.d3xx.xxxx<BR />IPv6 Address: Unknown<BR />IPv4 Address: 10.100.x.x<BR />User-Name: AC-E2-D3-xx-xx-xx<BR />Status: Authorized<BR /><U><STRONG>Domain: VOICE</STRONG></U><BR />Oper host mode: multi-auth<BR />Oper control dir: both<BR />Session timeout: N/A<BR />Restart timeout: N/A<BR />Periodic Acct timeout: N/A<BR />Common Session ID: 0A640B0400004D707A17E108<BR />Acct Session ID: 0x000063FD<BR />Handle: 0xFB00007D<BR />Current Policy: POLICY_Gi1/36</P><P>Local Policies:<BR />Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)<BR />Security Policy: Should Secure<BR />Security Status: Link Unsecure</P><P>Server Policies:</P><P>ACS ACL: xACSACLx-IP-PRINTERS-5cf86881</P><P>Method status list:<BR />Method State</P><P>dot1x Stopped<BR />mab Authc Success</P><P>4510#show run int gig 1/36<BR />Building configuration...</P><P>Current configuration : 937 bytes<BR />!<BR />interface GigabitEthernet1/36<BR />description USER DATA and VOIP PHONES<BR />switchport access vlan 105<BR />switchport mode access<BR />switchport block multicast<BR />switchport voice vlan 115<BR />ip device tracking maximum 10<BR />no logging event link-status<BR />authentication event fail action next-method<BR />authentication event server dead action reinitialize vlan 105<BR />authentication event server dead action authorize voice<BR />authentication event server alive action reinitialize<BR />authentication host-mode multi-auth<BR />authentication open<BR />authentication order dot1x mab<BR />authentication priority dot1x mab<BR />authentication port-control auto<BR />authentication periodic<BR />authentication timer reauthenticate server<BR />authentication violation restrict<BR />mab<BR />dot1x pae authenticator<BR />dot1x timeout tx-period 10<BR />storm-control broadcast level 0.50<BR />storm-control action trap<BR />spanning-tree portfast edge<BR />spanning-tree bpduguard enable<BR />spanning-tree guard root<BR />end</P><P>4510#</P> Mon, 01 Jul 2019 17:36:56 GMT mustafa83 2019-07-01T17:36:56Z https://community.cisco.com/t5/network-access-control/multi-auth-data-device-on-voice-domain/m-p/3882737#M471816 <P>Hello,</P><P>&nbsp;</P><P>I have a handful of HP printers in the voice domain even their IP from data VLAN and their authorization is correct, they are directly connected to the switch(no phone in between) and we are using multi-auth, below the config and the details, any idea why not in data domain?</P><P>hardware cat 4510 with sup 8, running version 3.8.5&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>4510#show authentication sessions int gig 1/36 det<BR />Interface: GigabitEthernet1/36<BR />MAC Address: ace2.d3xx.xxxx<BR />IPv6 Address: Unknown<BR />IPv4 Address: 10.100.x.x<BR />User-Name: AC-E2-D3-xx-xx-xx<BR />Status: Authorized<BR /><U><STRONG>Domain: VOICE</STRONG></U><BR />Oper host mode: multi-auth<BR />Oper control dir: both<BR />Session timeout: N/A<BR />Restart timeout: N/A<BR />Periodic Acct timeout: N/A<BR />Common Session ID: 0A640B0400004D707A17E108<BR />Acct Session ID: 0x000063FD<BR />Handle: 0xFB00007D<BR />Current Policy: POLICY_Gi1/36</P><P>Local Policies:<BR />Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)<BR />Security Policy: Should Secure<BR />Security Status: Link Unsecure</P><P>Server Policies:</P><P>ACS ACL: xACSACLx-IP-PRINTERS-5cf86881</P><P>Method status list:<BR />Method State</P><P>dot1x Stopped<BR />mab Authc Success</P><P>4510#show run int gig 1/36<BR />Building configuration...</P><P>Current configuration : 937 bytes<BR />!<BR />interface GigabitEthernet1/36<BR />description USER DATA and VOIP PHONES<BR />switchport access vlan 105<BR />switchport mode access<BR />switchport block multicast<BR />switchport voice vlan 115<BR />ip device tracking maximum 10<BR />no logging event link-status<BR />authentication event fail action next-method<BR />authentication event server dead action reinitialize vlan 105<BR />authentication event server dead action authorize voice<BR />authentication event server alive action reinitialize<BR />authentication host-mode multi-auth<BR />authentication open<BR />authentication order dot1x mab<BR />authentication priority dot1x mab<BR />authentication port-control auto<BR />authentication periodic<BR />authentication timer reauthenticate server<BR />authentication violation restrict<BR />mab<BR />dot1x pae authenticator<BR />dot1x timeout tx-period 10<BR />storm-control broadcast level 0.50<BR />storm-control action trap<BR />spanning-tree portfast edge<BR />spanning-tree bpduguard enable<BR />spanning-tree guard root<BR />end</P><P>4510#</P> Mon, 01 Jul 2019 17:36:56 GMT https://community.cisco.com/t5/network-access-control/multi-auth-data-device-on-voice-domain/m-p/3882737#M471816 mustafa83 2019-07-01T17:36:56Z https://community.cisco.com/t5/network-access-control/multi-auth-data-device-on-voice-domain/m-p/3882759#M471817 The first step would be to look at the mac in the context visibility database, are they being profiled as phones? If yes, then you need to correct the profiling issue.<BR /><BR />If they are not being profiled as phones, you will have to check the authorization rule they are hitting, then from there confirm the authorization profile result doesn't include the check box for "Voice Domain Permission", aka cisco-av-pair = device-traffic-class=voice. Mon, 01 Jul 2019 18:15:42 GMT https://community.cisco.com/t5/network-access-control/multi-auth-data-device-on-voice-domain/m-p/3882759#M471817 Damien Miller 2019-07-01T18:15:42Z