01-13-2014 04:19 AM - edited 03-10-2019 09:16 PM
Hi everyone,
I try to configure voice vlan dynamic assignment with multi-domain
Without "switchport voice vlan XXX" I've got AUTHMGR-5-FAIL
Which additional command need to be apply for interface?
In all examples I see the switchport voice vlan XXX
But this is static in my understanding. Am I wrong?
(WS-X45-SUP8-E. cat4500es8-UNIVERSALK9-M. ver 03.03.00.XO)
show run int ...
--------------
switchport mode access
switchport voice vlan 200 -- is this a necessary line?
load-interval 30
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate 21600
mab
dot1x pae authenticator
spanning-tree portfast
In all cases (with or without switchport voice vlan 200) I've got from radius equal reply
with switchport voice voice
-------------------------------
RADIUS: Cisco AVpair [1] 12 "method=mab"
RADIUS: Received from id 1645/14 172.20.xx.xx:1812, Access-Accept, len 78
RADIUS: authenticator 03 BF 97 A3 5C 2D 69 08 - 88 73 52 A7 2E 99 27 F5
RADIUS: Framed-IP-Address [8] 6 172.20.xx.xx
RADIUS: Vendor, Cisco [26] 34
RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
RADIUS: Tunnel-Private-Group[81] 6 00:"200"
RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
RADIUS(00000000): Received from id 1645/14
%MAB-5-SUCCESS: Authentication successful for client (0015.62f8.252b) on Interface .......
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.62f8.252b)
without switchport voice voice
--------------------------
RADIUS: Cisco AVpair [1] 12 "method=mab"
RADIUS: Received from id 1645/13 172.20.xx.xx:1812, Access-Accept, len 78
RADIUS: authenticator E5 08 7E 88 51 DA D0 22 - 41 6E B2 32 E1 56 83 5B
RADIUS: Framed-IP-Address [8] 6 172.20.xx.xx
RADIUS: Vendor, Cisco [26] 34
RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
RADIUS: Tunnel-Private-Group[81] 6 00:"200"
RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
RADIUS(00000000): Received from id 1645/13
%MAB-5-SUCCESS: Authentication successful for client (0015.62f8.252b) on Interface ....
------%AUTHMGR-5-FAIL------------
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0015.62f8.252b) on Interface ...
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0015.62f8.252b) on Interface ...
01-14-2014 03:11 AM
Hi Eugene
Use this commands under the physical interface config:
dot1x mac-auth-bypass
let the RADIUS server sends the followng cisco-av-pair attribute value back to the phone when it authenticates via MAB:
device-traffic-class=voice
for more information:
https://supportforums.cisco.com/docs/DOC-22478
it does not matter if you set the voice vlan or not under the interface. (I remember I tested when it is set and it worked. I did not check when it is not set).
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
01-20-2016 05:23 AM
By the way. For notes.
You must configure static voice vlan for voice. It is describe in this document:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
Dynamic VLAN Assignment
"In the current release of code, a static voice VLAN must be configured on the port via the switchport access voice vlan command before a new VLAN can be assigned via RADIUS"
All other is true :)
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: