Mitel - DHCP Discovery

alliasneo1 (Level 1)

Hi, I have a Mitel 5312 phone plugged into a switchport configured for ISE, but when it boots up it gets stuck on DHCP Discovery. If I set the port to authentication open then it goes through and boots up as normal.

The logs all look ok but I can't see why it's not getting an ip address.

This is for MAB.

Any ideas? thanks

16 Replies

@alliasneo1 when the switch is in closed mode, is the phone actually successfully authenticated and authorised in ISE?

Are you pushing down the voice domain permission as well? https://www.ciscopress.com/articles/article.asp?p=2091952&seqNum=4


 

Hi,

Yes, the phone has successfully authenticated and it is authorised.

The switch is currently in closed mode, this is the port config:

interface GigabitEthernet1/0/23
description 'PHONE'
switchport access vlan xx
switchport mode access
switchport voice vlan xx
device-tracking attach-policy IPDT_POLICY
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 65535
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

 

@alliasneo1

What about the voice-domain permission pushed down to the NAD?

Your dot1x tx-period is not excessively long, so I would not expect the endpoint to time out waiting for a DHCP request. I have a customer, also with Mitel phones and a tx-period of 10 seconds, and they work fine.

FYI the recommended dot1x timer values are:

c9300-Sw(config-if)#dot1x timeout tx-period 7
c9300-Sw(config-if)#dot1x max-reauth-req 3

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Enable RADIUS/AAA debugs, test and provide the output for review.

When you say, What about the voice-domain permission pushed down to the NAD?

I have the 'Authorisation Profile' with 'Voice Domain Permission' ticked under common tasks. - Is that all I need?

I just pasted the config back onto the port and removed authentication open and the phone is working now. I can see the ip address in ISE. How strange.

you need to use low-impact mode

MHM

Hi,

Low impact mode would completely change the port config though, wouldn't it?

At the moment I have this as the config:

interface GigabitEthernet1/0/23
description 'PHONE'
switchport access vlan xx
switchport mode access
switchport voice vlan xx
device-tracking attach-policy IPDT_POLICY
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 65535
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

 

But as I understand Low impact mode it would change it to be more like this:

interface gx/x/x
authentication host-mode multi-auth
authentication open
authentication port-control auto
mab
dot1x pae authenticator
ip access-group default-ACL in
exit

ip access-list extended default-ACL
permit udp any any log
deny ip any any log

Yes, but if you move the 802.1x and it works, then there is an issue in the order. Let me check it and update you tonight.

MHM

authentication event fail action next-method <- only remove this and keep your port config as it

MHM

I ran into similar issues a few times with my customers and the issue was caused by the delay between switching from dot1x to MAB. The fix in my cases was to flip the order by making MAB first and then dot1x leaving the priority to be dot1x first and then MAB. Not sure if this is the case in your scenario.

Hi,

Thank you for your response, I tried reversing the order but keeping the priority the same but this didn't work.

You're welcome. I would suggest you try to remove dot1x from the switch port config, leaving only MAB, and test. If that works, then the issue would most likely be the timer for falling back from dot1x to MAB. In that case you can try to reduce the timers gradually until you find the right value that allows the phone to get its IP address.
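Added worked example, not posted by anyone in this thread and not Cisco code: a small Python model of the timing the earlier reply (tx-period 7 / max-reauth-req 3 recommendation) and the replies above (flipping the order to mab first) are arguing about. It parses the authentication lines from an IOS interface block, computes how long the switch waits for a supplicant before falling back to MAB (tx-period times max-reauth-req plus one, with the IOS defaults of 30 s and 2 when a line is absent), and counts how many DHCPDISCOVERs a client would send into that closed window. The DHCP backoff is the RFC 2131 section 4.1 suggestion (4, 8, 16, 32, 64 s) and is an assumption about the phone, not Mitel's documented behaviour; the sample interface config is a constructed copy of the closed-mode config posted above. As the thread shows, the order flip did not fix the OP's case, so treat this as a way to reason about the window, not as the fix.

```python
"""Model of the 802.1X-to-MAB fallback window on a Cisco IOS access port.

Added illustration, not code from the thread or from Cisco. Timer semantics
follow the IOS behaviour the replies rely on: the authenticator sends
EAP-Request/Identity, waits tx-period, retransmits max-reauth-req times,
then declares no supplicant and moves to the next method in
'authentication order'. The DHCP retransmit schedule is the RFC 2131
section 4.1 suggestion (4, 8, 16, 32, 64 s): an assumption about the
phone, not Mitel's documented behaviour.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

IOS_DEFAULT_TX_PERIOD = 30      # seconds between EAP-Request/Identity retransmits
IOS_DEFAULT_MAX_REAUTH_REQ = 2  # retransmits before "no supplicant" is declared

# Constructed sample: the closed-mode port config posted in the thread.
THREAD_PORT_CONFIG = """\
interface GigabitEthernet1/0/23
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
"""


@dataclass(frozen=True)
class PortAuth:
    dot1x_enabled: bool
    mab_enabled: bool
    order: Tuple[str, ...]
    tx_period: int
    max_reauth_req: int


def parse_port(config: str) -> PortAuth:
    """Pull the authentication-relevant lines out of an interface block;
    anything not present falls back to the IOS default."""
    dot1x_enabled = mab_enabled = False
    order: Tuple[str, ...] = ("dot1x", "mab")  # IOS default order
    tx, mr = IOS_DEFAULT_TX_PERIOD, IOS_DEFAULT_MAX_REAUTH_REQ
    for raw in config.splitlines():
        p = raw.split()
        if p == ["dot1x", "pae", "authenticator"]:
            dot1x_enabled = True
        elif p == ["mab"]:
            mab_enabled = True
        elif p[:2] == ["authentication", "order"]:
            order = tuple(p[2:])
        elif p[:3] == ["dot1x", "timeout", "tx-period"]:
            tx = int(p[3])
        elif p[:2] == ["dot1x", "max-reauth-req"]:
            mr = int(p[2])
    return PortAuth(dot1x_enabled, mab_enabled, order, tx, mr)


def dot1x_timeout(port: PortAuth) -> int:
    """Seconds before the authenticator gives up on EAP: the first
    EAP-Request/Identity plus max-reauth-req retransmits, tx-period apart."""
    return port.tx_period * (port.max_reauth_req + 1)


def seconds_until_mab(port: PortAuth) -> Optional[int]:
    """Time after link-up until MAB runs for an endpoint with no supplicant,
    or None if MAB is not enabled. Methods not enabled on the port are
    skipped, so a MAB-only port (no 'dot1x pae authenticator') starts at 0."""
    if not port.mab_enabled:
        return None
    wait = 0
    for method in port.order:
        if method == "mab":
            return wait
        if method == "dot1x" and port.dot1x_enabled:
            wait += dot1x_timeout(port)
    return wait  # mab enabled but omitted from the order line: runs last


def dhcp_discovers_dropped(closed_seconds: int) -> int:
    """How many DHCPDISCOVERs a client following the RFC 2131 backoff
    (first at t=0, then +4, +8, +16, +32, +64 s) sends while the port is
    still closed, i.e. how many the switch silently drops in closed mode.
    With 'authentication open' these same frames are forwarded instead."""
    sent, t, backoff = 0, 0, 4
    while t < closed_seconds:
        sent += 1
        t += backoff
        backoff = min(backoff * 2, 64)
    return sent


if __name__ == "__main__":
    port = parse_port(THREAD_PORT_CONFIG)
    window = seconds_until_mab(port)
    print(f"dot1x gives up after {dot1x_timeout(port)} s; MAB starts at {window} s")
    print(f"DHCPDISCOVERs dropped in closed mode: {dhcp_discovers_dropped(window)}")
```

With the thread's config (tx-period 10, default max-reauth-req 2, order dot1x mab) MAB cannot run until 30 s after link-up, and a client on the RFC 2131 schedule has already sent four discovers into a closed port by then; the recommended 7 / 3 pair gives 28 s, and order mab dot1x or a MAB-only port gives 0 s. Whether a given phone keeps retrying past that window is vendor behaviour the model does not know, which is why the reply above suggests stripping dot1x and then tightening timers.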

Hi,

 

I'm not sure if I've done this correctly but I stripped back the config to this:

interface GigabitEthernet1/0/23
description 'PHONE'
switchport access vlan xx
switchport mode access
switchport voice vlan xx
device-tracking attach-policy IPDT_POLICY
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication violation restrict
mab
spanning-tree portfast

But it still fails. As soon as I add authentication open to this, it works.

Yeah you got it right. Could you please share the output of the command "show authentication sessions interface < the interface where a phone is connected > details" for review? the command should be issued while the port is configured in closed mode please.