802.1X authentication not happening in Voice Domain for IP Phone

Nicholas Poole
Level 1

I am trying to lab as many scenarios as I can for 802.1x. I seem to have hit a problem with IP Phones running EAP-MD5 authentication. The phones are always being authenticated in the Data Domain. This is regardless of whether or not the port configuration is in host-mode multi-auth or host-mode multi-domain. After a while of both ports appearing to authenticate in the data VLAN, neither the PC nor the Phone will work.

I have checked that my ACS5.1 server is sending the appropriate AV pair of "device-traffic-class=voice" as I can see it in a wireshark trace.

What other aspects might i need to check to get the phone to authenticate itself properly?

The problem shows itself as:

C3750G#sh authentication sessions int gi 1/0/16
            Interface:  GigabitEthernet1/0/16
          MAC Address:  001d.452d.53e0
           IP Address:  Unknown
            User-Name:  CP-7942G-SEP001D452D53E0
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A8FE2500000014000F6B8F
      Acct Session ID:  0x00000036
               Handle:  0xC8000014

Runnable methods list:
       Method   State
       dot1x    Authc Success

----------------------------------------
            Interface:  GigabitEthernet1/0/16
          MAC Address:  0014.c209.896f
           IP Address:  192.168.10.2
            User-Name:  TEST\TestAdmin
               Status:  Running
               Domain:  UNKNOWN
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A8FE2500000013000F5A42
      Acct Session ID:  0x00000034
               Handle:  0x27000013

Runnable methods list:
       Method   State
       dot1x    Running

My port config is:

interface GigabitEthernet1/0/16
description * 802.1x Multi Domain (1Phone + 1PC) *
switchport access vlan 10
switchport mode access
switchport voice vlan 11
priority-queue out
authentication host-mode multi-domain
authentication port-control auto
udld port aggressive
mls qos trust dscp
dot1x pae authenticator
spanning-tree portfast
end

10 Replies

Jatin Katyal
Cisco Employee

Well, if you see in the packet captures that that attribute is actually being returned and seen by the switch, then this is what we needed and you're on the right track.


Please verify step 4 in the document listed below and make sure you've defined the voice VLAN under the group attributes.

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#radius


In case it's already configured, then please provide me the following info:


debug radius

debug aaa authentication

debug aaa authorization


and output of the following command

show run | in aaa

NOTE: All these attributes should be defined on the ACS group set for phone authentication.

cisco-avpair="device-traffic-class=voice"
Tunnel-Type=1:VLAN
Tunnel-Medium-Type=1:802
Tunnel-Private-Group-ID=1:VOICE-LAN



Regards,

Jatin


Do rate helpful posts~

~Jatin

Firstly, thank you for responding.

With regards to your statement about following Step 4 in the hyperlink, assuming it is described as "Define the Internet Engineering Task Force (IETF) attributes 64, 65 and 81 and then click Submit + Restart.", then I have a concern. The very first line above it in the doc says: "Note: For IP Phones group configuration alone, skip the next step, step 4, and go to step 5." Step 5 is where cisco-avpair="device-traffic-class=voice" is defined, which I have already done.

My belief is the dynamic VLAN assignment is incorrect for Voice devices, the RADIUS server just informs the switch that the device is a voice type, and the switch places it in the voice vlan which the switch already knows about.  Do you have a different understanding?

For information, the debugs you request are:

Jan 29 10:58:46.317: %ILPOWER-7-DETECT: Interface Gi1/0/16: Power Device detected: IEEE PD
Jan 29 10:58:46.770: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/16: Power granted
Jan 29 10:58:50.377: AAA/BIND(0000001D): Bind i/f
Jan 29 10:58:52.373: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/16, changed state to up
Jan 29 10:58:53.380: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/16, changed state to up
Jan 29 10:58:54.789: %AUTHMGR-5-START: Starting 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
Jan 29 10:58:56.920: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
Jan 29 10:58:56.920: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
Jan 29 10:58:56.920: RADIUS(0000001D): Config NAS IP: 192.168.254.37
Jan 29 10:58:56.920: RADIUS/ENCODE(0000001D): acct_session_id: 54
Jan 29 10:58:56.920: RADIUS(0000001D): sending
Jan 29 10:58:56.920: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/52, len 237
Jan 29 10:58:56.920: RADIUS:  authenticator 89 81 92 2C AA 6B E6 E6 - CA 2C 3A 0D E1 C5 28 ED
Jan 29 10:58:56.928: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
Jan 29 10:58:56.928: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jan 29 10:58:56.928: RADIUS:  Framed-MTU          [12]  6   1500
Jan 29 10:58:56.928: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
Jan 29 10:58:56.928: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
Jan 29 10:58:56.928: RADIUS:  EAP-Message         [79]  31
Jan 29 10:58:56.928: RADIUS:   02 01 00 1D 01 43 50 2D 37 39 34 32 47 2D 53 45 50 30 30 31 44  [CP-7942G-SEP001D]
Jan 29 10:58:56.928: RADIUS:   34 35 32 44 35 33 45 30          [ 452D53E0]
Jan 29 10:58:56.928: RADIUS:  Message-Authenticato[80]  18
Jan 29 10:58:56.928: RADIUS:   83 AF F8 DB 44 0D 0A 46 70 2F 1E 8D 67 CE BC DD             [ DFp/g]
Jan 29 10:58:56.928: RADIUS:  EAP-Key-Name        [102] 2   *
Jan 29 10:58:56.928: RADIUS:  Vendor, Cisco       [26]  49
Jan 29 10:58:56.928: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
Jan 29 10:58:56.928: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Jan 29 10:58:56.928: RADIUS:  NAS-Port            [5]   6   50116
Jan 29 10:58:56.928: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
Jan 29 10:58:56.928: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
Jan 29 10:58:56.928: RADIUS(0000001D): Started 4 sec timeout
Jan 29 10:58:56.928: RADIUS: Received from id 1645/52 192.168.254.51:1645, Access-Challenge, len 76
Jan 29 10:58:56.928: RADIUS:  authenticator DA 45 B9 F8 80 48 A0 4B - F7 99 9B 1F DE 4F B2 9E
Jan 29 10:58:56.928: RADIUS:  State               [24]  30
Jan 29 10:58:56.937: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
Jan 29 10:58:56.937: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
Jan 29 10:58:56.937: RADIUS:  EAP-Message         [79]  8
Jan 29 10:58:56.937: RADIUS:   01 51 00 06 0D 20                [ Q ]
Jan 29 10:58:56.937: RADIUS:  Message-Authenticato[80]  18
Jan 29 10:58:56.937: RADIUS:   3C F4 D9 93 82 EA FB 25 A7 9D C4 8F 14 3F 33 4F
Jan 29 10:58:56.937: RADIUS(0000001D): Received from id 1645/52
Jan 29 10:58:56.937: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
Jan 29 10:58:57.046: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
Jan 29 10:58:57.046: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
Jan 29 10:58:57.046: RADIUS(0000001D): Config NAS IP: 192.168.254.37
Jan 29 10:58:57.046: RADIUS/ENCODE(0000001D): acct_session_id: 54
Jan 29 10:58:57.046: RADIUS(0000001D): sending
Jan 29 10:58:57.046: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/53, len 244
Jan 29 10:58:57.046: RADIUS:  authenticator BE 9B 32 59 45 BF 15 45 - E4 43 02 B5 B5 D7 ED 83
Jan 29 10:58:57.046: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
Jan 29 10:58:57.046: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jan 29 10:58:57.046: RADIUS:  Framed-MTU          [12]  6   1500
Jan 29 10:58:57.054: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
Jan 29 10:58:57.054: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
Jan 29 10:58:57.054: RADIUS:  EAP-Message         [79]  8
Jan 29 10:58:57.054: RADIUS:   02 51 00 06 03 04                 [ Q]
Jan 29 10:58:57.054: RADIUS:  Message-Authenticato[80]  18
Jan 29 10:58:57.054: RADIUS:   E0 B5 99 82 7E 9E 35 0F 78 D9 BD 4B 96 97 34 47            [ ~5xK4G]
Jan 29 10:58:57.054: RADIUS:  EAP-Key-Name        [102] 2   *
Jan 29 10:58:57.054: RADIUS:  Vendor, Cisco       [26]  49
Jan 29 10:58:57.054: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
Jan 29 10:58:57.054: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Jan 29 10:58:57.054: RADIUS:  NAS-Port            [5]   6   50116
Jan 29 10:58:57.054: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
Jan 29 10:58:57.054: RADIUS:  State               [24]  30
Jan 29 10:58:57.054: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
Jan 29 10:58:57.054: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
Jan 29 10:58:57.054: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
Jan 29 10:58:57.054: RADIUS(0000001D): Started 4 sec timeout
Jan 29 10:58:57.054: RADIUS: Received from id 1645/53 192.168.254.51:1645, Access-Challenge, len 95
Jan 29 10:58:57.054: RADIUS:  authenticator D9 62 B7 27 8F 55 E9 88 - 41 01 D0 83 52 DF 36 29
Jan 29 10:58:57.054: RADIUS:  State               [24]  30
Jan 29 10:58:57.054: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
Jan 29 10:58:57.063: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
Jan 29 10:58:57.063: RADIUS:  EAP-Message         [79]  27
Jan 29 10:58:57.063: RADIUS:   01 52 00 19 04 10 AA 6A A2 BC 63 1A C0 93 B8 58 67 F7 1A A5 FD 45 41 43 53         [ RjcXgEACS]
Jan 29 10:58:57.063: RADIUS:  Message-Authenticato[80]  18
Jan 29 10:58:57.063: RADIUS:   29 D2 66 87 4A 2F B3 9E B5 EC F9 4E 9F 62 82 5E           [ )fJ/Nb^]
Jan 29 10:58:57.063: RADIUS(0000001D): Received from id 1645/53
Jan 29 10:58:57.063: RADIUS/DECODE: EAP-Message fragments, 25, total 25 bytes
Jan 29 10:58:57.079: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
Jan 29 10:58:57.079: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
Jan 29 10:58:57.079: RADIUS(0000001D): Config NAS IP: 192.168.254.37
Jan 29 10:58:57.079: RADIUS/ENCODE(0000001D): acct_session_id: 54
Jan 29 10:58:57.079: RADIUS(0000001D): sending
Jan 29 10:58:57.079: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/54, len 284
Jan 29 10:58:57.079: RADIUS:  authenticator 91 F4 7C C1 4E 79 27 AB - 2F 36 20 A8 9C 3F A9 76
Jan 29 10:58:57.079: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
Jan 29 10:58:57.088: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jan 29 10:58:57.088: RADIUS:  Framed-MTU          [12]  6   1500
Jan 29 10:58:57.088: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
Jan 29 10:58:57.088: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
Jan 29 10:58:57.088: RADIUS:  EAP-Message         [79]  48
Jan 29 10:58:57.088: RADIUS:   02 52 00 2E 04 10 45 2F B1 FC 60 CF 09 08 7B C4 F9 56 74 AF 44 E9 43 50 2D 37 39 34 32  [R.E/`{VtDCP-7942]
Jan 29 10:58:57.088: RADIUS:   47 2D 53 45 50 30 30 31 44 34 35 32 44 35 33 45  [G-SEP001D452D53E]
Jan 29 10:58:57.088: RADIUS:   30                 [ 0]
Jan 29 10:58:57.088: RADIUS:  Message-Authenticato[80]  18
Jan 29 10:58:57.088: RADIUS:   45 42 58 9F 75 14 09 A1 FC DD CD 26 B4 88 42 CF            [ EBXu&B]
Jan 29 10:58:57.088: RADIUS:  EAP-Key-Name        [102] 2   *
Jan 29 10:58:57.088: RADIUS:  Vendor, Cisco       [26]  49
Jan 29 10:58:57.088: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
Jan 29 10:58:57.088: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Jan 29 10:58:57.088: RADIUS:  NAS-Port            [5]   6   50116
Jan 29 10:58:57.088: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
Jan 29 10:58:57.088: RADIUS:  State               [24]  30
Jan 29 10:58:57.088: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
Jan 29 10:58:57.088: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
Jan 29 10:58:57.088: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
Jan 29 10:58:57.088: RADIUS(0000001D): Started 4 sec timeout
Jan 29 10:58:57.222: RADIUS: Received from id 1645/54 192.168.254.51:1645, Access-Accept, len 126
Jan 29 10:58:57.222: RADIUS:  authenticator 7B A5 E0 B2 D6 15 90 26 - 8F 8F 64 B0 E6 94 D8 C7
Jan 29 10:58:57.222: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
Jan 29 10:58:57.222: RADIUS:  Class               [25]  22
Jan 29 10:58:57.222: RADIUS:   43 41 43 53 3A 41 43 53 2F 38 35 36 37 30 35 31  [CACS:ACS/8567051]
Jan 29 10:58:57.222: RADIUS:   38 2F 33 33              [ 8/33]
Jan 29 10:58:57.222: RADIUS:  EAP-Message         [79]  6
Jan 29 10:58:57.222: RADIUS:   03 52 00 04                 [ R]
Jan 29 10:58:57.222: RADIUS:  Message-Authenticato[80]  18
Jan 29 10:58:57.222: RADIUS:   E8 2E 9B FD C2 A8 D7 5E 86 DD 3C 67 FF 37 75 02
Jan 29 10:58:57.222: RADIUS:  Vendor, Cisco       [26]  34
Jan 29 10:58:57.222: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
Jan 29 10:58:57.222: RADIUS(0000001D): Received from id 1645/54
Jan 29 10:58:57.222: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Jan 29 10:58:57.222: AAA/AUTHOR (0000001D): Method list id=0 not configured. Skip author
Jan 29 10:58:57.222: %DOT1X-5-SUCCESS: Authentication successful for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID
Jan 29 10:58:57.222: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
Jan 29 10:58:57.239: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
Jan 29 10:58:58.262: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0

After adding the 3 additional RADIUS-IETF parameters...

the phone still doesn't work in the voice domain:

Jan 29 11:11:53.742: RADIUS(0000001E): Received from id 1645/55
Jan 29 11:11:53.742: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
Jan 29 11:11:53.842: AAA/AUTHEN/8021X (0000001E): Pick method list 'default'
Jan 29 11:11:53.842: RADIUS/ENCODE(0000001E):Orig. component type = DOT1X
Jan 29 11:11:53.842: RADIUS(0000001E): Config NAS IP: 192.168.254.37
Jan 29 11:11:53.842: RADIUS/ENCODE(0000001E): acct_session_id: 55
Jan 29 11:11:53.842: RADIUS(0000001E): sending
Jan 29 11:11:53.842: RADIUS(0000001E): Send Access-Request to 192.168.254.51:1645 id 1645/56, len 244
Jan 29 11:11:53.842: RADIUS:  authenticator 1C 63 91 D5 AD A3 D2 BC - 7D C5 5F 8C FC 10 22 1B
Jan 29 11:11:53.842: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
Jan 29 11:11:53.842: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jan 29 11:11:53.842: RADIUS:  Framed-MTU          [12]  6   1500
Jan 29 11:11:53.842: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
Jan 29 11:11:53.842: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
Jan 29 11:11:53.842: RADIUS:  EAP-Message         [79]  8
Jan 29 11:11:53.842: RADIUS:   02 9F 00 06 03 04
Jan 29 11:11:53.842: RADIUS:  Message-Authenticato[80]  18
Jan 29 11:11:53.842: RADIUS:   24 BE F1 70 15 16 AE 2C E3 AC 56 5A E2 BE FC 92             [ $p,VZ]
Jan 29 11:11:53.842: RADIUS:  EAP-Key-Name        [102] 2   *
Jan 29 11:11:53.842: RADIUS:  Vendor, Cisco       [26]  49
Jan 29 11:11:53.842: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000019003B8C5C"
Jan 29 11:11:53.842: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Jan 29 11:11:53.851: RADIUS:  NAS-Port            [5]   6   50116
Jan 29 11:11:53.851: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
Jan 29 11:11:53.851: RADIUS:  State               [24]  30
Jan 29 11:11:53.851: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
Jan 29 11:11:53.851: RADIUS:   38 35 36 37 30 35 31 38 2F 33 34 3B      [ 85670518/34;]
Jan 29 11:11:53.851: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
Jan 29 11:11:53.851: RADIUS(0000001E): Started 4 sec timeout
Jan 29 11:11:53.868: RADIUS: Received from id 1645/56 192.168.254.51:1645, Access-Challenge, len 95
Jan 29 11:11:53.868: RADIUS:  authenticator C7 B8 85 BD 56 89 AD 04 - FF 8D B0 FF 96 BF C2 7F
Jan 29 11:11:53.868: RADIUS:  State               [24]  30
Jan 29 11:11:53.868: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
Jan 29 11:11:53.868: RADIUS:   38 35 36 37 30 35 31 38 2F 33 34 3B      [ 85670518/34;]
Jan 29 11:11:53.868: RADIUS:  EAP-Message         [79]  27
Jan 29 11:11:53.868: RADIUS:   01 A0 00 19 04 10 D6 98 65 25 2C 02 06 89 20 25 9A E7 2B 24 6D 95 41 43 53       [ e?, ?+$mACS]
Jan 29 11:11:53.868: RADIUS:  Message-Authenticato[80]  18
Jan 29 11:11:53.868: RADIUS:   44 D0 63 BA DA E9 1F E5 7D 40 97 1F 1E 7E B8 B2             [ Dc}@~]
Jan 29 11:11:53.868: RADIUS(0000001E): Received from id 1645/56
Jan 29 11:11:53.868: RADIUS/DECODE: EAP-Message fragments, 25, total 25 bytes
Jan 29 11:11:53.884: AAA/AUTHEN/8021X (0000001E): Pick method list 'default'
Jan 29 11:11:53.884: RADIUS/ENCODE(0000001E):Orig. component type = DOT1X
Jan 29 11:11:53.884: RADIUS(0000001E): Config NAS IP: 192.168.254.37
Jan 29 11:11:53.884: RADIUS/ENCODE(0000001E): acct_session_id: 55
Jan 29 11:11:53.884: RADIUS(0000001E): sending
Jan 29 11:11:53.884: RADIUS(0000001E): Send Access-Request to 192.168.254.51:1645 id 1645/57, len 284
Jan 29 11:11:53.884: RADIUS:  authenticator 3A 52 7C D1 89 1F AF AE - 85 8F E6 2D 7E AE 90 D7
Jan 29 11:11:53.884: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
Jan 29 11:11:53.884: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jan 29 11:11:53.884: RADIUS:  Framed-MTU          [12]  6   1500
Jan 29 11:11:53.884: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
Jan 29 11:11:53.884: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
Jan 29 11:11:53.884: RADIUS:  EAP-Message         [79]  48
Jan 29 11:11:53.884: RADIUS:   02 A0 00 2E 04 10 AE 65 BA 3A 6F 09 06 69 45 65 19 A2 76 95 12 AF 43 50 2D 37 39 34 32 47  [.e:oiEevCP-7942G]
Jan 29 11:11:53.884: RADIUS:   2D 53 45 50 30 30 31 44 34 35 32 44 35 33 45 30  [ -SEP001D452D53E0]
Jan 29 11:11:53.884: RADIUS:  Message-Authenticato[80]  18
Jan 29 11:11:53.893: RADIUS:   99 CA 36 60 3E 1A 13 7F 7E 0F 39 7D B7 AD 75 FF           [ 6`>~9}u]
Jan 29 11:11:53.893: RADIUS:  EAP-Key-Name        [102] 2   *
Jan 29 11:11:53.893: RADIUS:  Vendor, Cisco       [26]  49
Jan 29 11:11:53.893: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000019003B8C5C"
Jan 29 11:11:53.893: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Jan 29 11:11:53.893: RADIUS:  NAS-Port            [5]   6   50116
Jan 29 11:11:53.893: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
Jan 29 11:11:53.893: RADIUS:  State               [24]  30
Jan 29 11:11:53.893: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
Jan 29 11:11:53.893: RADIUS:   38 35 36 37 30 35 31 38 2F 33 34 3B      [ 85670518/34;]
Jan 29 11:11:53.893: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
Jan 29 11:11:53.893: RADIUS(0000001E): Started 4 sec timeout
Jan 29 11:11:54.019: RADIUS: Received from id 1645/57 192.168.254.51:1645, Access-Accept, len 150
Jan 29 11:11:54.019: RADIUS:  authenticator D5 AD 4C 67 3C FB 88 75 - 0C D3 AF 11 16 CD 29 B9
Jan 29 11:11:54.019: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
Jan 29 11:11:54.019: RADIUS:  Class               [25]  22
Jan 29 11:11:54.019: RADIUS:   43 41 43 53 3A 41 43 53 2F 38 35 36 37 30 35 31  [CACS:ACS/8567051]
Jan 29 11:11:54.019: RADIUS:   38 2F 33 34              [ 8/34]
Jan 29 11:11:54.019: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
Jan 29 11:11:54.019: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
Jan 29 11:11:54.019: RADIUS:  EAP-Message         [79]  6
Jan 29 11:11:54.019: RADIUS:   03 A0 00 04
Jan 29 11:11:54.019: RADIUS:  Message-Authenticato[80]  18
Jan 29 11:11:54.019: RADIUS:   A7 1D B5 E3 44 DE 70 3C 5B 46 57 C0 A6 DB 56 EC           [ Dp<[FWV]
Jan 29 11:11:54.019: RADIUS:  Tunnel-Private-Group[81]  12  01:"VOICE-LAN"
Jan 29 11:11:54.019: RADIUS:  Vendor, Cisco       [26]  34
Jan 29 11:11:54.019: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
Jan 29 11:11:54.019: RADIUS(0000001E): Received from id 1645/57
Jan 29 11:11:54.019: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Jan 29 11:11:54.027: AAA/AUTHOR (0000001E): Method list id=0 not configured. Skip author
Jan 29 11:11:54.027: %DOT1X-5-SUCCESS: Authentication successful for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID
Jan 29 11:11:54.027: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000019003B8C5C
Jan 29 11:11:54.035: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
Jan 29 11:11:55.050: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000019003B8C5C
C3750G#
C3750G#sh auth sess int gi 1/0/16
            Interface:  GigabitEthernet1/0/16
          MAC Address:  001d.452d.53e0
           IP Address:  Unknown
            User-Name:  CP-7942G-SEP001D452D53E0
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A8FE2500000019003B8C5C
      Acct Session ID:  0x00000037
               Handle:  0xDC000019

Runnable methods list:
       Method   State
       dot1x    Authc Success

C3750G#

Are you able to provide any more things to check? Thanks again.

One specific point that I am worried about is the Cisco AV pair string itself.  In ACS 5.1 when you select Voice VLAN, Permission to Join: [Static] it automatically adds a common RADIUS attribute of

Attribute: cisco-av-pair

Type: String

Value: device-traffic-class=voice

None of these are editable fields. As I have been doing a lot of searches on this subject, I have seen the attribute spelt as listed above, "cisco-av-pair", but also as "cisco-avpair" (such as in docs: http://www.cisco.com/en/US/products/sw/netmgtsw/ps411/products_tech_note09186a0080094e9a.shtml and http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/802_1x_ciscomda.pdf). Does this actually matter, or is the Cat switch looking out for only one of these attribute strings? Or is the switch looking for any combination of that text in an attribute to define it as a valid Cisco AV pair?

C3750G#show run | in aaa
aaa new-model
aaa authentication login My-AAA group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec My-AAA group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting connection default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

Finally fixed it after I spotted this in a config guide:

Cat-3560(config)#aaa authorization network default group radius
!--- You need authorization for dynamic VLAN assignment to work with RADIUS

I didn't have this command, but I do now and it works fine. Although admittedly I wasn't aware I was doing VLAN assignment, as in dynamic VLAN assignment, which required the extra RADIUS-IETF attributes.

Glad to know it's working. Couldn't reply back due to the weekend.


Yes, that was the reason I asked you for the output of show run | in aaa.


A little more detail on it:


The VLAN assignment feature is automatically enabled when we configure 802.1x authentication on an access port. For VLAN assignment to work, we must ensure that network authorization is configured on the switch to allow interface configuration from the RADIUS server:

Cisco IOS:
Switch(config)# aaa authorization network default method1 [method2…]

Catalyst OS: No equivalent command exists, and none is required to turn this feature on.


I'd appreciate it if you mark this query resolved so that others can benefit from it.


Regards,

Jatin



Do rate helpful posts~

~Jatin
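As an added example (not code from this thread or from Cisco), here is a small Python checker for the two things the thread turned out to hinge on: it pulls the phone's Access-Accept attributes out of `debug radius` output and scans `show run | in aaa`, then reports whether the server returned `device-traffic-class=voice` (and a complete Tunnel-* VLAN set) and whether the switch has `aaa authorization network ... group radius` so that it will actually apply them. The sample input is constructed from the debug and aaa lines posted above, trimmed to the relevant lines.

```python
"""Voice-domain readiness checker for the problem discussed in this thread
(added example, not Cisco's or the thread's own code).

Inputs: lines of `debug radius` output and lines of `show run | in aaa`.
Output: a list of findings; an empty list means the phone should land in the
VOICE domain (attributes were returned AND the switch is allowed to apply them).
"""
import re
from typing import Dict, List

# One attribute line of `debug radius`, e.g.
#   RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
#   RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
# Hex-dump continuation lines start with a digit and therefore never match.
ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>[A-Za-z][A-Za-z ,\-]*?)\s*\[(?P<id>\d+)\]\s+\d+"
    r"(?:\s+(?P<value>\S.*?))?\s*$"
)
ACCEPT_RE = re.compile(r"RADIUS: Received from id \S+ \S+, Access-Accept, len \d+")
END_RE = re.compile(r"RADIUS\(\w+\): Received from id")
# The command the thread was missing: network authorization via RADIUS.
AUTHZ_RE = re.compile(r"^aaa authorization network \S+ .*\bradius\b")

VOICE_AVPAIR = "device-traffic-class=voice"
TUNNEL_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group")


def _clean(value: str) -> str:
    """Collapse column padding and drop the quotes around string values."""
    value = re.sub(r"\s+", " ", value.strip())
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def parse_access_accept(debug_lines: List[str]) -> Dict[str, List[str]]:
    """Return {attribute name: [values]} for the last Access-Accept in the debug.

    Attributes are collected only between the ', Access-Accept,' header and the
    'RADIUS(id): Received from id' trailer that closes that packet, so attributes
    of the Access-Request/Challenge exchanges do not leak into the result.
    """
    attrs: Dict[str, List[str]] = {}
    inside = False
    for line in debug_lines:
        if ACCEPT_RE.search(line):
            attrs, inside = {}, True  # a later Accept replaces an earlier one
            continue
        if not inside:
            continue
        if END_RE.search(line):
            inside = False
            continue
        m = ATTR_RE.search(line)
        if m:
            attrs.setdefault(m.group("name"), []).append(_clean(m.group("value") or ""))
    return attrs


def check_voice_domain(attrs: Dict[str, List[str]], aaa_lines: List[str]) -> List[str]:
    """Explain why a phone would stay in the DATA domain; an empty list means OK."""
    findings: List[str] = []
    if VOICE_AVPAIR not in attrs.get("Cisco AVpair", []):
        findings.append(f"Access-Accept lacks cisco-av-pair {VOICE_AVPAIR}")
    present = [a for a in TUNNEL_ATTRS if a in attrs]
    if present and len(present) != len(TUNNEL_ATTRS):
        findings.append("Access-Accept carries an incomplete Tunnel-* VLAN set: " + ", ".join(present))
    if not any(AUTHZ_RE.match(line.strip()) for line in aaa_lines):
        findings.append(
            "switch has no 'aaa authorization network <list> group radius': "
            "the session authenticates but the returned attributes are not applied"
        )
    return findings


# Constructed sample: the phone's Access-Accept from the second debug in the
# thread (hex dumps trimmed) and the aaa lines from before the fix.
SAMPLE_DEBUG = """\
Jan 29 11:11:54.019: RADIUS: Received from id 1645/57 192.168.254.51:1645, Access-Accept, len 150
Jan 29 11:11:54.019: RADIUS:  authenticator D5 AD 4C 67 3C FB 88 75 - 0C D3 AF 11 16 CD 29 B9
Jan 29 11:11:54.019: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
Jan 29 11:11:54.019: RADIUS:  Class               [25]  22
Jan 29 11:11:54.019: RADIUS:   43 41 43 53 3A 41 43 53 2F 38 35 36 37 30 35 31  [CACS:ACS/8567051]
Jan 29 11:11:54.019: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
Jan 29 11:11:54.019: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
Jan 29 11:11:54.019: RADIUS:  EAP-Message         [79]  6
Jan 29 11:11:54.019: RADIUS:   03 A0 00 04
Jan 29 11:11:54.019: RADIUS:  Tunnel-Private-Group[81]  12  01:"VOICE-LAN"
Jan 29 11:11:54.019: RADIUS:  Vendor, Cisco       [26]  34
Jan 29 11:11:54.019: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
Jan 29 11:11:54.019: RADIUS(0000001E): Received from id 1645/57
""".splitlines()

SAMPLE_AAA_BEFORE = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization exec My-AAA group tacacs+ local",
    "aaa session-id common",
]
SAMPLE_AAA_AFTER = SAMPLE_AAA_BEFORE + ["aaa authorization network default group radius"]

if __name__ == "__main__":
    accept = parse_access_accept(SAMPLE_DEBUG)
    for label, cfg in (("before fix", SAMPLE_AAA_BEFORE), ("after fix", SAMPLE_AAA_AFTER)):
        print(label + ":", check_voice_domain(accept, cfg) or ["OK, phone should join the VOICE domain"])
```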

Hello Dear,


We have the same problem. After I issued device-traffic-class=voice on the RADIUS server (Microsoft RADIUS 2008), my phone was in the voice domain (I can see it with "show authorization session"), but there is no traffic and no IP access to the phone. Why could that be?

Config:

Current configuration : 13526 bytes
!
! Last configuration change at 18:45:37 GMT Tue Nov 4 2014 by swadmin
! NVRAM config last updated at 18:45:41 GMT Tue Nov 4 2014 by swadmin
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname lbtistsw2960-k2-3
!
boot-start-marker
boot-end-marker
!
logging buffered 256000
enable secret 5 $1$oSAC$h/RwvVLa4T70DQ91dJFro0
!
username swadmin privilege 15 secret 5 $1$H3M5$sx0LYbTsuvRprU3WBdua61
aaa new-model
!
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius 
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 2 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 0:00
switch 1 provision ws-c2960s-48fps-l
no ip source-route
!
!
no ip domain-lookup
ip domain-name capitalturkey.com
ip name-server 172.22.35.61
ip name-server 172.22.35.62
ip device tracking
!
!
crypto pki trustpoint TP-self-signed-623397632
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-623397632
 revocation-check none
 rsakeypair TP-self-signed-623397632
!
!
crypto pki certificate chain TP-self-signed-623397632
dot1x system-auth-control
!
spanning-tree mode mst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
spanning-tree mst configuration
 name mstp-vrrp
 revision 1
 instance 2 vlan 20
 instance 3 vlan 30
 instance 4 vlan 40
 instance 5 vlan 50
!
!
!
!
!
!
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
lldp run
!

!
!
!
!
!
!
!
!
interface Port-channel1
 description Uplink Backbone Switches Network Load Balancing and Failure
 switchport trunk native vlan 40
 switchport mode trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
!
interface Port-channel2
 description Uplink Backbone Switches Network Load Balancing and Failure
 switchport trunk native vlan 40
 switchport mode trunk
 shutdown
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
!
i
!
interface GigabitEthernet1/0/36
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 30
 authentication control-direction in
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 authentication timer restart 900
 authentication timer reauthenticate 5400
 mab
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/37
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/38
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/39
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/40
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/41
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/42
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/43
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/44
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/45
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/46
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/47
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/49
 description Uplink Backbone Switch-1 Interface 1
 switchport trunk native vlan 40
 switchport mode trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
 channel-group 1 mode on
!
interface GigabitEthernet1/0/50
 description Uplink Backbone Switch-1 Interface 2
 switchport trunk native vlan 40
 switchport mode trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
 channel-group 1 mode on
!
interface GigabitEthernet1/0/51
 description Uplink Backbone Switch-2 Interface 1
 switchport trunk native vlan 40
 switchport mode trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
 channel-group 1 mode on
!
interface GigabitEthernet1/0/52
 description Uplink Backbone Switch-2 Interface 2
 switchport trunk native vlan 40
 switchport mode trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
 channel-group 1 mode on
!
interface Vlan1
 no ip address
!
interface Vlan20
 description Vlan Interface for Desktop
 ip address 172.22.32.11 255.255.255.0 secondary
 ip address 172.22.28.11 255.255.252.0
 ip helper-address 172.22.35.10
 ip route-cache same-interface
!
interface Vlan30
 description Vlan Interface for Voice
 ip address 172.22.33.11 255.255.255.0
 ip helper-address 172.22.35.10
 ip route-cache same-interface
!
interface Vlan40
 description Vlan Interface for Management
 ip address 172.22.34.11 255.255.255.0
!
interface Vlan50
 description Vlan Interface for Servers
 ip address 172.22.35.111 255.255.255.0
!
ip default-gateway 172.22.34.1
ip http server
ip http authentication local
no ip http secure-server
!
!
ip sla enable reaction-alerts
logging trap debugging
logging source-interface Vlan40
logging host 172.22.35.85
logging host 172.22.30.140
!
snmp-server community public RO
!
radius-server host 172.22.35.61 key 7 075E731F1A5C4F524F
!
!
!
line con 0
 session-timeout 10 
line vty 0 4
 session-timeout 60 
 transport input ssh
line vty 5 15
 session-timeout 60 
 transport input ssh
!
ntp source Vlan40
ntp server 172.22.35.10
end

Hello. Big thanks to @Nicholas Poole for this command:

aaa authorization network default group radius

In our environment there's FreeRADIUS as the RADIUS server and a Cisco 2960 as the authenticator.

We tested 802.1x with non-domain PCs. The criterion was local accounts which exist in FreeRADIUS.

The problem was in the Voice Domain. After writing the command it worked. Thanks.