05-06-2024 11:42 PM
The user computer switches to voice vlan but the port configuration has both access vlan and voice vlan.
Avaya ip phone switches to voice vlan.
The user computer also switches to voice vlan.
What could be the cause of this problem?
Port configuration
switchport access vlan 3
switchport mode access
switchport voice vlan 2
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 43200
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
end
05-06-2024 11:56 PM
- You need to debug the authentication process on the backend authenticators (ISE?)
M.
05-07-2024 01:10 AM
We use a different nac solution.
Freeradius based.
I will try what you said.
Thank you
05-07-2024 01:30 AM
@glaahmet0 when the endpoint is authorised are you pushing any settings that may move this device into the Voice VLAN?
You can also check "show authentication session interface <actual interface> detail" and confirm what settings have been sent from the RADIUS server. Provide the output here for review.
05-07-2024 04:55 AM - edited 05-07-2024 04:56 AM
I think we also had the same problem not so long ago, it was the way in which ISE was classifying the Avaya handsets. I'm sure we profiled the Avaya handsets using the MAC address and this temporarily fixed the issue whilst we looked for a more permanent/scalable solution.
05-07-2024 03:57 PM - edited 05-07-2024 03:57 PM
Hello @glaahmet0
In a situation like this, I tend to start by normalising the switch interface config to eliminate the possibility that the phone is misbehaving. I strip away the NAC config from the switch interface, and then observe whether the phone lands in the voice VLAN, and the attached PC lands in the access VLAN. Assuming that the behaviour is normal and as expected, I put the NAC config back.
Instead of only showing us the "show mac address" output, please also provide the output of
show access-session int Gi1/0/18 detail
We're looking at which domains the MAC addresses are landing in. I assume in this case they both land in the DATA domain, because your config shows you have multi-auth configured. An Avaya phone can happily operate in the DATA domain, but this is not the desired state. When authenticating/authorizing the Avaya phone, the RADIUS server should be returning a Cisco AVPair to tell the switch to put the Avaya's MAC address in the VOICE domain. This will then assign VLAN 2 to the phone, and via LLDP, the phone will learn to tag its traffic with VLAN 2. When authenticating/authorizing the attached PC, the RADIUS server must not return the Cisco AVPair - it must just return the Access-Accept and other things like dACL, Session-Timeout etc. There is no reason why the PC MAC address would land in the VOICE domain if this is done.
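As an added example (not code from this thread or from any NAC product), here is a small Python model of the authorization split described above: a MAB request for the phone gets the Cisco AVPair that moves it into the VOICE domain, the PC gets a plain Access-Accept, and a policy that hands the AVPair to every endpoint reproduces the symptom in the original post. The OUI and MAC values are constructed, and the AVPair value device-traffic-class=voice is the standard Cisco attribute rather than something taken from the thread.

```python
# Added example, not from the thread: models the authorization split
# described above. MAC values and the phone OUI list are constructed.
ACCESS_VLAN = 3   # switchport access vlan 3
VOICE_VLAN = 2    # switchport voice vlan 2
VOICE_AVPAIR = "device-traffic-class=voice"
# Constructed OUI the NAC profiles as an IP phone; a real deployment
# would use the vendor's registered OUIs or a richer profiling rule.
PHONE_OUIS = {"00:11:22"}


def normalise_mac(mac: str) -> str:
    """Accept aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aa:bb:cc:dd:ee:ff."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def radius_reply(calling_station_id: str, voice_for_everyone: bool = False) -> dict:
    """Authorization result for a MAB request keyed on Calling-Station-Id.
    voice_for_everyone=True reproduces the suspected misconfiguration: a
    policy that attaches the voice AVPair to every endpoint on the port."""
    mac = normalise_mac(calling_station_id)
    reply = {"code": "Access-Accept"}   # PC gets only this (plus dACL etc.)
    if voice_for_everyone or mac[:8] in PHONE_OUIS:
        reply["Cisco-AVPair"] = [VOICE_AVPAIR]   # phone only
    return reply


def switch_domain(reply: dict) -> tuple:
    """Switch side: VOICE domain / VLAN 2 only when the AVPair is present,
    otherwise DATA domain / VLAN 3."""
    if VOICE_AVPAIR in reply.get("Cisco-AVPair", []):
        return "VOICE", VOICE_VLAN
    return "DATA", ACCESS_VLAN


def port_view(macs, voice_for_everyone=False):
    """Per-MAC (domain, vlan) on one port, like the access-session table."""
    return {normalise_mac(m): switch_domain(radius_reply(m, voice_for_everyone))
            for m in macs}


if __name__ == "__main__":
    port = ["00-11-22-aa-bb-cc", "3c4d.5e6f.7a8b"]   # constructed phone + PC
    print("correct policy   :", port_view(port))
    print("over-broad policy:", port_view(port, voice_for_everyone=True))
```

With the over-broad policy both MACs show up in the VOICE domain on VLAN 2, which is exactly the PC-in-voice-VLAN symptom the thread is chasing.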