Inactivity Timeout

umahar
Cisco Employee

Is the authentication timer inactivity server command used to download the below attribute?

I tested this but wanted to confirm as well.

We have a scenario where non-dot1x endpoints connected behind IP Phones do not get their sessions cleared when endpoints are disconnected. I am looking at the above option to clear the session after a certain time.

Accepted Solutions

Craig Hyps
Level 10

Correct.  This is a valid option.


Utkarsh,

That option should work, but you should be investigating why the phones are doing EAP proxy logoff correctly.  Most likely the phone has a setting to do proxy logoff, but is not currently configured to do it.  I have run into this many times with Avaya phones and worked with the customer to get the option enabled on the phones.

umahar
Cisco Employee

Hi Paul,

EAP Proxy Logoff is working fine as expected for endpoints connected via dot1x behind the IP Phone.

The issue is with headless devices like printers if connected behind IP Phone or a machine authenticating via MAB.

In this case the session on switch is a MAB session.

I think the IP Phone will not send a Proxy EAPoL for a MAB session.

Ahh yes. I missed the non-8021x part. I am so used to running into this issue with EAP proxy logoff.

I haven’t tested phone settings to see if you can make it release a MAB session on the switch. I have used inactivity timers in the past. Make sure you have “authentication timer inactivity server” set on the switch interfaces to allow ISE to set this value.

Paul Haferman


The preferred option is 2nd Port disconnect which will proactively notify switch when connected device disconnects: IP Telephony for 802.1X Design Guide - Cisco

Craig

Craig,

It's a non-Cisco IP Phone using LLDP.

Do you think LLDP might have any port-disconnect mechanism and Cisco switch would understand it?

CDP Enhancement for 2nd Port Disconnect is a specific Cisco Phone feature.

EAP Proxy Logoff is specific to 802.1X and again, is a Cisco IP Phone feature.  2nd Port Disconnect works with any auth options from connected device to Cisco Phone.
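
An added example, not part of the thread or any Cisco tooling: a Python check over a saved running-config that reports, for each MAB-enabled port, whether `authentication timer inactivity server` is present, the interface setting the thread says is needed for ISE to set the value. The sample config, interface names and the `missing`/`server`/`static` labels are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-domain
 authentication port-control auto
 authentication timer inactivity server
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 authentication port-control auto
 authentication timer inactivity 300
 mab
!
interface GigabitEthernet1/0/4
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map each interface name to its list of stripped sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_inactivity_timer(config):
    """Classify MAB-enabled ports: 'server', 'static' (local seconds) or 'missing'."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.split()[:1] == ["mab"] for c in cmds):
            continue  # only ports that can hold a MAB session are of interest
        mode = [c.split()[3] for c in cmds
                if c.startswith("authentication timer inactivity ")]
        report[name] = "missing" if not mode else "server" if mode[0] == "server" else "static"
    return report
```

Ports reported as `missing` or `static` are the ones to review if stale MAB sessions behind phones are expected to be cleared by a value sent from ISE.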