I'm trying to combine auto smartports and 802.1x multi-domain authentication on a Catalyst 3560X in the lab. I have some Cisco 7900 series IP phones and some Mitel 5300s. Device classification works out of the box for the Cisco phones and I have successfully created the shell triggers for the Mitel OUI. At the moment I'm just applying the 'CISCO_PHONE_AUTO_SMARTPORT' macro; I'll change this later to be more specific for the Mitel phones.
I want to use multi-domain authentication and use MAB to authenticate the phones. The RADIUS server has a list of MAC addresses for the phones and sends the Cisco-AV-Pair 'device-traffic-class=voice' as well as Tunnel-Pvt-Group-ID of the Voice VLAN name so it is dynamically assigned.
This all works fine when the interfaces are manually configured directly or using an interface template. However, I am trying to avoid applying the command 'switchport voice vlan xx' to any of the access interfaces as it causes problems with IPv6 connectivity if a PC is connected direct to the switch rather than piggy-backed behind an IP phone. Therefore I want to use auto smartports to get the 'switchport voice vlan xx' added to the interface dynamically. I can use dummy VLAN IDs for the access and voice VLANs that don't have Layer-3 interfaces and rely on RADIUS sending the VLAN. However, if there is a RADIUS failure it doesn't work for the Voice VLAN. I can use a service-template in the IBNS 2.0 policy to set the critical-access VLAN; however, you can't do this with the Voice VLAN.
If the interface (or template) command 'access-session host-mode multi-domain' is applied then auto smartports stops working on the interface. If I remove the command, then I see the log message ' %AUTOSMARTPORT-5-INSERT: Device with mac-address' when the port is bounced.
Is this by design? Is there any other way to achieve this?
Andy