Re: Problem when configuring 802.1x on cisco C9200L

licensing · ‎09-11-2022

Dear Community!
I have a problem configuring 802.1x on cisco C9200L device. IP phone AASTRA 4422 is assigned the Guest VLAN IP but not the Voice VLAN IP as expected. Can you help me fix this error? Thank you !

My configure as below :

interface GigabitEthernet1/0/4
switchport mode access
switchport voice vlan 320
authentication event no-response action authorize vlan 301
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate 7200
authentication violation protect
dot1x pae authenticator
dot1x max-reauth-req 5
spanning-tree portfast
end

Log of device as below :

- Vlan 301 for Guest VLan
_ VLan 320 for Voice vlan

Rob Ingram · ‎09-11-2022

@licensing the device is placed in VLAN 301 because there is no response from your RADIUS server.

Have a look at your RADIUS server logs to determine why authentication/authorisation failed and check the switch configuration. Refer to the Cisco guide for more information on the switch configuration - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

You should also ensure the voice domain permission is returned in order for the phone to be dynamically placed in the Voice VLAN, this is pre-defined if using ISE or you can use - "cisco-av-pair = device-traffic-class=voice"

licensing · ‎09-11-2022

Hi @Rob Ingram !
I know what you mean, account login of IP Phone AASTRA is IP phone number so it's failed authentication with RADIUS server while it still authenticates correctly with the account username which is on the active directory (AD).I have tried many ways to fix the error but still not working.Do you have the correct configuration to fix this error? Thank you !