07-15-2013 12:43 AM - edited 03-10-2019 08:38 PM
We have dot1x enabled with MDA. Consider this scenario:
Only one Cisco IP phone is connected to the switchport (no PC), and the phone fails both dot1x and MAB. The switch will place it in the DATA VLAN by default. This works as expected. Why doesn't the IP phone work while in the DATA VLAN? It keeps showing "registering", "configuring IP", etc. IP helpers are the same for both the data and voice VLANs.
07-15-2013 08:32 AM
If the phone has passed authentication and authorization successfully, then it's a connectivity issue. The IP phone keeps saying "registering" because it can't reach the Call Manager. Could you please check connectivity?
07-15-2013 09:30 AM
Phone has not passed authentication. I am letting it fail intentionally to understand the behavior. It lands in DATA domain and can be seen on switch. But phone shows "registering".
07-15-2013 12:13 PM
Hello Kashish
If the phone has failed authentication, then the behavior depends on both the switch configuration and the RADIUS configuration.
For example, if the switch has "authentication open" in the switchport configuration, then all traffic will be allowed.
If the RADIUS configuration says that a failed authentication is OK, then all traffic will be allowed; if the RADIUS configuration says that a failed authentication is not OK, it can deny all traffic.
What RADIUS server are you using? What is your switch configuration?
07-16-2013 05:05 PM
Kashish,
Pretty sure you meant MDA puts it on either the DATA or VOICE "domain."
You have to create a RULE in your RADIUS server that places VOIP phones into VOICE domain.
If you look at topics I responded to, you will see what I have gone through.
Sent from Cisco Technical Support iPhone App
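Added example, not part of any post in this thread: a switchport set up for MDA as the thread describes, with the RADIUS attribute that the "rule" in the last reply would need to return noted in comments. The interface name and VLAN numbers are constructed placeholders, and the RADIUS server is not named in the thread, so only the Cisco attribute is given, not server-specific syntax.

```cisco
! Switch side (interface and VLAN IDs are constructed placeholders)
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! MDA: one device allowed in the DATA domain, one in the VOICE domain
 authentication host-mode multi-domain
 ! Try 802.1X first, then fall back to MAC Authentication Bypass
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! RADIUS side: the authorization rule that matches IP phones must return
! this Cisco vendor-specific attribute in the Access-Accept:
!   cisco-av-pair = "device-traffic-class=voice"
! A session authorized without it is placed in the DATA domain.
!
! Check which domain the phone's session landed in:
!   show authentication sessions interface GigabitEthernet1/0/10
! The Domain field should read VOICE for the phone.
```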