We are trying to get our Cisco switches (2960) to handle 802.1x with MAB on our network. We want our Cisco phones to authenticate by MAB on our Microsoft NPS server and return an AV pair with a smartport trigger. We can only get the phones to come up correctly if we pass the VLAN VSAs back to the switch, without the AV pair. When we only pass back the AV pair, the switch sees the trigger, but the macro (we just map it to the built-in CISCO_PHONE_AUTO_SMARTPORT) doesn't run (or it fails during the run).
Switch Info:
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.0(1)SE2
Below is an example of the config from an interface:
interface GigabitEthernet1/0/6
switchport mode access
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
Below is the output of show shell triggers:
User defined triggers
---------------------
Trigger Id: CRCSD_PHONE_MACRO
Trigger namespace: DEFAULT
Trigger description: CRCSD_PHONE_MACRO
Trigger mapping function:
Parameters: VOICE_VLAN=61
Current version: 1
Negotiated version: 1
Mapped Function: CISCO_PHONE_AUTO_SMARTPORT
Like I said, the NPS server is authenticating everything correctly. I've enabled debugging macro auto all to see if it knows what to process. I can see the trigger name in the debug output, so it's authenticating correctly and passing back the vendor-specific attribute, just not running the macro.
Now I did see that when you do enable auto smartports globally, you get a whole bunch of log/debug messages. I'm assuming that it's CDP/MAC/LLDP all seeing the device and trying to determine what kind of a device it is. Is there any way to not have those protocols run, or block them from trying to run macros?
Any help or ideas would be greatly appreciated!
Thanks,
-B
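As an added illustration (not from the original post, and not Cisco's or NPS's own code), here is a Python script that builds and decodes the two Access-Accept attribute shapes the post contrasts: the tagged VLAN tunnel attributes versus a single Cisco-AVPair carrying an Auto Smartports trigger name. The attribute numbers come from RFC 2865/2868; the auto-smart-port= key name is assumed from Cisco's Auto Smartports documentation, and the sample attribute bytes are constructed here.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868) and Cisco's VSA numbering.
ATTR_VSA = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
TRIGGER_KEY = "auto-smart-port"   # assumed AV pair key for the Smartports trigger


def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair (vendor 9, vendor-type 1) inside a RADIUS VSA (type 26)."""
    v = value.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(v)) + v
    return struct.pack("!BBI", ATTR_VSA, 6 + len(inner), CISCO_VENDOR_ID) + inner


def tunnel_attr(attr_type: int, tag: int, value: bytes) -> bytes:
    """Encode a tagged tunnel attribute (RFC 2868): type, length, tag byte, value."""
    return struct.pack("!BBB", attr_type, 3 + len(value), tag) + value


def parse_accept(attrs: bytes) -> dict:
    """Walk the attribute TLVs of an Access-Accept and summarise what the switch gets."""
    result = {"vlan": None, "trigger": None, "avpairs": []}
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        body = attrs[pos + 2:pos + alen]
        if atype == ATTR_VSA and len(body) >= 6 and struct.unpack("!I", body[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = body[4], body[5]
            if vtype == CISCO_AVPAIR:
                text = body[6:4 + vlen].decode(errors="replace")
                result["avpairs"].append(text)
                key, _, val = text.partition("=")
                if key == TRIGGER_KEY:
                    result["trigger"] = val
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte <= 0x1F is a tag (RFC 2868); otherwise the whole body is the string.
            result["vlan"] = (body[1:] if body and body[0] <= 0x1F else body).decode()
        pos += alen
    return result


# Constructed samples of the two Access-Accept shapes the post contrasts.
VLAN_ONLY = (tunnel_attr(ATTR_TUNNEL_TYPE, 1, struct.pack("!I", 13)[1:])          # Tunnel-Type VLAN (13)
             + tunnel_attr(ATTR_TUNNEL_MEDIUM_TYPE, 1, struct.pack("!I", 6)[1:])  # Medium 802 (6)
             + tunnel_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, 1, b"61"))               # voice VLAN 61
TRIGGER_ONLY = cisco_avpair("auto-smart-port=CRCSD_PHONE_MACRO")
```

Decoding both samples side by side shows that the trigger-only reply carries no VLAN at all, so whatever the macro needs for the voice VLAN must come from the trigger's own parameters or from the VLAN attributes.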