we have cisco C3560X-48P Switches in our branches and use Avaya IP-Phones for our call agents. All switchports are protected by 802.1x and our Avaya IP-Phones use EAP-MD5 with username and password to authenticat the phone in the voice subnet.
this is our port config:
description Avaya IP-Phone
switchport access vlan 10
switchport mode access
switchport voice vlan 2000
ip arp inspection limit rate 130 burst interval 2
no logging event link-status
authentication control-direction in
authentication event fail action authorize vlan 10
authentication event server dead action authorize vlan 10
authentication event no-response action authorize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication timer reauthenticate server
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 1
no cdp enable
everything works well so far....
now we want to replace your c3560x switches with the new C9300-48UXM (IOS: 16.09.05) without change our IP-Phone Settings.
we use the same port config as we had on c3560x but the IP-Phones couldn't authenticate.
LLDP Neighbour Table is also empty and the c9300 switch send an error
Aug 25 15:33:00: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (001b.4f30.97e3) with reason (No Response from Client) on Interface Tw1/0/1 AuditSessionID 1410D10A0000001C25C446DF
Aug 25 15:33:00: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (001b.4f30.97e3) on Interface TwoGigabitEthernet1/0/1 AuditSessionID 1410D10A0000001C25C446DF. Failure Reason: VLAN Failure.
Switch-C9300-001#sh authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
Tw1/0/1 001b.4xxx.9xxx dot1x DATA Unauth 1410D10A0000001C25C446DF
if I made a span session and capture the traffic during the authentication, I can see a "EAP" Failure in Wireshark.
if I do not use 802.1x config on a switchport my phone working well.
could it be that the new c9300 does not support EAP-MD5 challenges or does anyone has an idea what i can try or what my problem is ?
many many thanks for your support
i try it with photo upload. I hope you can read the details on this picture.
left is my NPS policie for c3560x swiches and on the right side I add the "tunnel-pvt-group-id" with the voice-vlan.
right looks like it workt's for booth switche types. I have to do some tests in our lab... after vacation :-)
thanks a lot for your support.
This is a solution to push the voice vlan.
You can also push the domain voice with following attribute:
cisco-av-pair = device-traffic-class=voice
hi, if you can see in my last post on the printscreen, we already send the domain in in "cisco-av-pair"
for my the only one solution is, if I add the "tunnel-pvt-group-id" with the voice-vlan name.
Yes i saw it.
I'm not doing dot1x with NPS but I'm gonna try with 9300 switches and do some debugs when I'll get a 9300 available.
Thank you for posting this screen shot. This is very helpful as to what settings I should configure for the Network Policy in Windows Network Policy Server. Similar to your setup, I am the network/server administrator of an organization that uses Avaya 9600 phones deployed in a Cisco Catalyst 9300 environment. I have been struggling to get my phones to authenticate via 802.1x. The PC that I connected to the phone authenticate successfully; however, the phones go into an unauthorized state.
Do you mind providing a quick run down as to how you have your phones configured in your Active Directory Server, as well as the network connection request policy and network policy itself. I am running into a brick wall and would appreciate any feedback on this.
Could you provide me with more details as far as what you did with the tunnel-pvt-group-id config you mentioned? I might be running into this problem as well. Do you have a print screen you can share? Thanks, -Matt