Voice VLAN not authorized when radius server not available

roland.theisen (Level 1)

Dear all,

I'm having some issues with our interface configuration for NAC. I want to have a configuration where, if the RADIUS server is dead, the interface authorizes a data and a voice VLAN. The configuration for the data domain works fine, but the phones are not put into the correct VLAN.

The following is the interface configuration

switchport access vlan <vlan id>
switchport mode access
switchport voice vlan <voice vlan id>
authentication event fail action authorize vlan <guest vlan id>
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event no-response action authorize vlan <guest vlan id>
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10800
authentication timer restart 5
authentication violation replace
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast

This is the radius configuration

aaa group server radius <radius group name>
server name <radius name 1>
server name <radius name 2>

radius server <radius name 1>
address ipv4 <radius 1 ip> auth-port 1812 acct-port 1813
timeout 2
key 7 <key>

radius server <radius name 2>
address ipv4 <radius 2 ip> auth-port 1812 acct-port 1813
timeout 2
key 7 <key>

aaa authentication dot1x default group <radius group name>
aaa authorization network default group <radius group name>

aaa server radius dynamic-author
client <radius 1 ip> server-key <key>
client <radius 2 ip> server-key <key>

The phone itself has authentication disabled, so it gets authenticated via MAB.

Is there anything I am not seeing? Something missing in the configuration?

Something odd I see in the logs is the following:

Aug 25 09:01:28.766: %RADIUS-4-RADIUS_DEAD: RADIUS server <radius 1 ip>:1812,1813 is not responding.
Aug 25 09:01:28.766: %RADIUS-4-RADIUS_ALIVE: RADIUS server <radius 1 ip>:1812,1813 is being marked alive.
Aug 25 09:01:36.938: %RADIUS-4-RADIUS_DEAD: RADIUS server <radius 2 ip>:1812,1813 is not responding.
Aug 25 09:01:36.941: %RADIUS-4-RADIUS_ALIVE: RADIUS server <radius 2 ip>:1812,1813 is being marked alive.

However, for testing purposes I blocked any and all traffic from the switch to the RADIUS server.

Accepted Solution

@roland.theisen are you reliant on RADIUS sending the voice domain to tell the phone to use the Voice VLAN? If so when RADIUS is offline the phone won't know to use the Voice VLAN.

You've got Critical Voice VLAN, which you can look at here: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ibns/configuration/15-e/ibns-15-e-book/ibns-crit-vce-vlan-supp.html

Or you could use autoconf templates to automatically move phones to the correct VLAN. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ibns/configuration/15-e/ibns-15-e-book/ibns-autoconf.html

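Added example, not part of the original thread and not the poster's or the replier's configuration. The interface in the question already carries `authentication event server dead action authorize voice`, which is the Critical Voice VLAN feature the reply links to. What the log lines in the question point at is a second condition: each server is marked dead and then alive again within a few milliseconds. The posted global RADIUS section defines the servers but no dead criteria and no deadtime, and with the default deadtime of 0 a server that meets the dead criteria is not held dead, so the server-dead actions on the port get no window in which to run. The fragment below shows the global dead-criteria and deadtime lines beside the critical-auth port configuration. The timer values, the interface name, the `<...>` placeholders and the `<probe user>` account are assumptions; the `automate-tester` line is optional.

```cisco
! Added example (not from the thread). Placeholders in <...> are assumptions.
!
! Global RADIUS health tracking. The thread's config has neither of these, so
! the default deadtime of 0 applies and a server that stops answering is marked
! dead and alive again at once (the RADIUS_DEAD / RADIUS_ALIVE pairs in the log).
! With these two lines a server that misses 3 requests within 5 seconds is
! marked dead and skipped for 10 minutes, long enough for critical auth to act.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
radius server <radius name 1>
 address ipv4 <radius 1 ip> auth-port 1812 acct-port 1813
 timeout 2
 key 7 <key>
 ! Optional: probe a dead server so it is marked alive again without waiting
 ! for a real client to authenticate. <probe user> is a hypothetical account.
 automate-tester username <probe user>
!
radius server <radius name 2>
 address ipv4 <radius 2 ip> auth-port 1812 acct-port 1813
 timeout 2
 key 7 <key>
 automate-tester username <probe user>
!
aaa group server radius <radius group name>
 server name <radius name 1>
 server name <radius name 2>
!
aaa authentication dot1x default group <radius group name>
aaa authorization network default group <radius group name>
!
! Interface name is assumed; the port carries a phone (MAB) and a PC (802.1X).
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan <vlan id>
 switchport voice vlan <voice vlan id>
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Critical auth, data domain: with no VLAN given the host is authorized in
 ! the configured access VLAN; add "vlan <id>" to use a separate critical VLAN.
 authentication event server dead action authorize
 ! Critical Voice VLAN: a phone learned by MAB or 802.1X while all servers are
 ! dead is authorized into the configured voice VLAN instead of being dropped.
 authentication event server dead action authorize voice
 ! Once a server is marked alive again, re-run authentication for the port.
 authentication event server alive action reinitialize
 authentication event fail action authorize vlan <guest vlan id>
 authentication event no-response action authorize vlan <guest vlan id>
 authentication periodic
 authentication timer reauthenticate 10800
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

To confirm the dead state actually sticks, block the RADIUS traffic as in the question and watch for a single RADIUS_DEAD per server with no RADIUS_ALIVE following it until the deadtime expires; `show radius server-group all` and `show authentication sessions interface <name> details` then show the server state and the "Critical Auth" / voice domain status for the phone.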