
802.1x MDA with Cisco 3750, ACS and Avaya phones

JAN DEVOS
Level 1

Hello,

What is the minimum software level on the C3750 to support the 'device type class=voice' AV-pair returned by ACS? I found that 12.2(35) introduced MDA, but I also found that 12.2(40) is required for dynamic voice VLAN on MDA ports.

What I observe is:

- phone connects
- phone is dot1x authenticated in data VLAN and gets its DHCP address there
- DHCP advertises (option 242) the voice VLAN ID
- phone reauthenticates in voice VLAN
- phone reacquires a new DHCP address, now in voice VLAN

So far so good ... and we start using the phone

- PC behind phone starts and enters credentials
- PC authenticates OK (in data VLAN)

but the 3750 shuts the port down per security violation ("new mac-address found").

The MAC address of the phone stays in the data VLAN's MAC table, despite the phone having moved correctly to the voice VLAN. This MAC address excludes the 'new' PC MAC address, causing a shutdown of the port.

NB: setting "port-security max mac-addresses" to, say, 5 does not change anything about this behavior.

Can anybody give some hints?

Tx.

1 Reply

JAN DEVOS
Level 1

Searching further, I found that the 12.2(40) requirement for dynamic voice VLAN on MDA ports only applies to dynamically provisioning the voice VLAN ID by RADIUS, applying the (65) tunnel (medium) type and (81) tunnel private groupid attributes. So, obviously, MDA support with 'static' voice VLAN assignment by switchport configuration *should work* with our 12.2(35), *

So, the question remains: why does the data VLAN keep an entry with the phone's MAC address in its MAC table?

Tx.