802.1x+dynamic voice vid

Yevhenii Petrov
Level 1

Hi everyone,

I am trying to configure dynamic voice VLAN assignment with multi-domain.

Without "switchport voice vlan XXX" I get AUTHMGR-5-FAIL.

Which additional command needs to be applied to the interface?

In all examples I see switchport voice vlan XXX.

But this is static, in my understanding. Am I wrong?

(WS-X45-SUP8-E. cat4500es8-UNIVERSALK9-M. ver  03.03.00.XO)

show run int ...

--------------

switchport mode access

switchport voice vlan 200  -- is this a necessary line?

load-interval 30

authentication host-mode multi-domain

authentication order mab dot1x

authentication port-control auto

authentication periodic

authentication timer reauthenticate 21600

mab

dot1x pae authenticator

spanning-tree portfast

In all cases (with or without switchport voice vlan 200) I get the same reply from RADIUS.

With switchport voice vlan

-------------------------------

RADIUS:   Cisco AVpair       [1]   12  "method=mab"

RADIUS: Received from id 1645/14 172.20.xx.xx:1812, Access-Accept, len 78

RADIUS:  authenticator 03 BF 97 A3 5C 2D 69 08 - 88 73 52 A7 2E 99 27 F5

RADIUS:  Framed-IP-Address   [8]   6   172.20.xx.xx

RADIUS:  Vendor, Cisco       [26]  34 

RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"

RADIUS:  Tunnel-Private-Group[81]  6   00:"200"

RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]

RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]

RADIUS(00000000): Received from id 1645/14

%MAB-5-SUCCESS: Authentication successful for client (0015.62f8.252b) on Interface .......

%AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.62f8.252b)

Without switchport voice vlan

--------------------------

RADIUS:   Cisco AVpair       [1]   12  "method=mab"

RADIUS: Received from id 1645/13 172.20.xx.xx:1812, Access-Accept, len 78

RADIUS:  authenticator E5 08 7E 88 51 DA D0 22 - 41 6E B2 32 E1 56 83 5B

RADIUS:  Framed-IP-Address   [8]   6   172.20.xx.xx           

RADIUS:  Vendor, Cisco       [26]  34 

RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"

RADIUS:  Tunnel-Private-Group[81]  6   00:"200"

RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]

RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]

RADIUS(00000000): Received from id 1645/13

%MAB-5-SUCCESS: Authentication successful for client (0015.62f8.252b) on Interface  ....

------%AUTHMGR-5-FAIL------------

%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0015.62f8.252b) on Interface ...

%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0015.62f8.252b) on Interface ...

2 Replies

Amjad Abdullah
VIP Alumni

Hi Eugene,

Use this command under the physical interface config:

dot1x mac-auth-bypass

Let the RADIUS server send the following cisco-av-pair attribute value back to the phone when it authenticates via MAB:

device-traffic-class=voice

For more information:

https://supportforums.cisco.com/docs/DOC-22478

It does not matter if you set the voice vlan or not under the interface. (I remember I tested when it is set and it worked. I did not check when it is not set.)

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"


By the way, for the notes:

You must configure a static voice VLAN for voice. It is described in this document:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

Dynamic VLAN Assignment
"In the current release of code, a static voice VLAN must be configured on the port via the switchport access voice vlan command before a new VLAN can be assigned via RADIUS"

Everything else is true :)
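
A way to confirm from the debug output alone that the failure is on the switch and not in the RADIUS reply, as an added example that is not part of any post in this thread: a Python script that reads lines in the format quoted in the question and pairs each Access-Accept with the authorization result for the same client. The names `triage` and `diagnose` are hypothetical, and the sample input is constructed from the lines shown in the question.

```python
import re

ACCEPT = re.compile(r'RADIUS: Received from id \S+ \S+, Access-Accept')
AVPAIR = re.compile(r'RADIUS:\s+Cisco AVpair\s+\[1\]\s+\d+\s+"([^"=]+)=([^"]*)"')
VLAN = re.compile(r'RADIUS:\s+Tunnel-Private-Group\s*\[81\]\s+\d+\s+\d+:"([^"]+)"')
EVENT = re.compile(r'%(MAB|AUTHMGR)-5-(SUCCESS|FAIL): .*?client \(([0-9a-fA-F.]+)\)')

# Constructed input in the debug format quoted in the question (server address masked as there).
REPLY = '''RADIUS:   Cisco AVpair       [1]   12  "method=mab"
RADIUS: Received from id 1645/13 172.20.xx.xx:1812, Access-Accept, len 78
RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
RADIUS:  Tunnel-Private-Group[81]  6   00:"200"
RADIUS(00000000): Received from id 1645/13
%MAB-5-SUCCESS: Authentication successful for client (0015.62f8.252b) on Interface ...
'''
WITH_VVLAN = REPLY + "%AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.62f8.252b)\n"
WITHOUT_VVLAN = REPLY + ("%AUTHMGR-5-FAIL: Authorization failed or unapplied "
                         "for client (0015.62f8.252b) on Interface ...\n")

def triage(log):
    """Return {mac: {'voice', 'vlan', 'authorized'}} from RADIUS/authmgr debug text."""
    reply, clients = None, {}          # reply = attributes of the latest Access-Accept
    for line in log.splitlines():
        if ACCEPT.search(line):
            reply = {"voice": False, "vlan": None}
        elif reply is not None and (m := AVPAIR.search(line)):
            if m.groups() == ("device-traffic-class", "voice"):
                reply["voice"] = True
        elif reply is not None and (m := VLAN.search(line)):
            reply["vlan"] = m.group(1)
        elif m := EVENT.search(line):
            facility, result, mac = m.groups()
            c = clients.setdefault(mac, {"voice": False, "vlan": None, "authorized": None})
            if facility == "MAB" and result == "SUCCESS" and reply is not None:
                c.update(reply)        # bind the Access-Accept to the client it authenticated
                reply = None
            elif facility == "AUTHMGR":
                c["authorized"] = result == "SUCCESS"
    return clients

def diagnose(c):
    """Classify one client record: RADIUS-side problem or switch-side problem."""
    if c["authorized"] is None:
        return "pending: no AUTHMGR result seen"
    if c["authorized"]:
        return "applied"
    if c["voice"] and c["vlan"]:
        return "switch-side: reply carried voice class and VLAN but was not applied"
    return "server-side: reply lacks device-traffic-class=voice or a VLAN"
```

A "switch-side" result matches the case in the question: the reply is identical in both runs, so the place to look is the port configuration, specifically the static voice VLAN requirement quoted above.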
