
Catalyst auto smartports and 802.1x multi-domain authentication

I'm trying to combine auto smartports and 802.1x multi-domain authentication on a Catalyst 3560X in the lab. I have some Cisco 7900 series IP phones and some Mitel 5300s. Device classification works out of the box for the Cisco phones and I have successfully created the shell triggers for the Mitel OUI. At the moment I'm just applying the 'CISCO_PHONE_AUTO_SMARTPORT' macro; I'll change this later to be more specific for the Mitel phones.

I want to use multi-domain authentication and use MAB to authenticate the phones. The RADIUS server has a list of MAC addresses for the phones and sends the Cisco-AV-Pair 'device-traffic-class=voice' as well as Tunnel-Pvt-Group-ID of the Voice VLAN name so it is dynamically assigned.

This all works fine when the interfaces are manually configured directly or using an interface template. However, I am trying to avoid applying the command 'switchport voice vlan xx' to any of the access interfaces as it causes problems with IPv6 connectivity if a PC is connected directly to the switch rather than piggy-backed behind an IP phone. Therefore I want to use auto smartports to get the 'switchport voice vlan xx' added to the interface dynamically. I can use dummy VLAN IDs for the access and voice VLANs that don't have Layer-3 interfaces and rely on RADIUS sending the VLAN. However, if there is a RADIUS failure it doesn't work for the Voice VLAN - I can use a service-template in the IBNS 2.0 policy to set the critical-access VLAN, however you can't do this with the Voice VLAN.

If the interface (or template) command 'access-session host-mode multi-domain' is applied then auto smartports stops working on the interface.  If I remove the command, then I see the log message ' %AUTOSMARTPORT-5-INSERT: Device with mac-address' when the port is bounced.

 

Is this by design?  Is there any other way to achieve this?

 

Andy
