Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
693
Views
1
Helpful
5
Replies

Cisco C9300 802.1x with voice vlan

Go to solution
chris-doro
Level 1
Level 1

‎11-26-2024 05:50 AM

Hi,
we've setup 802.1x with voice vlan on Cisco C9200 (17.09.04a). 
This worked, telephones uses voice vlan 99 and client is authenticated over ISE (radius).
But now we are trying exact same switchport configuration on C9300 (17.09.04a), but here it does not work.
Cisco telephone never gets network connection, client authentication behind telephone works.
We do not want the telephones to authenticate via 802.1x, just use the voice vlan. 

interface GigabitEthernet1/0/11
description VOIP-TEST
switchport mode access
switchport nonegotiate
switchport voice vlan 99
authentication control-direction in
authentication event fail action authorize vlan 111
authentication event no-response action authorize vlan 111
authentication port-control auto
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 2
spanning-tree portfast
spanning-tree bpduguard enable

Any suggestions?
Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
chris-doro
Level 1
Level 1
In response to MHM Cisco World

‎11-28-2024 10:50 PM

Cisco TAC told me to configure device-tracking on the access-ports with 802.1x.
Seems to work...

View solution in original post

5 Replies 5

Go to solution
MHM Cisco World
VIP
VIP

‎11-26-2024 05:58 AM

authentication event no-response action authorize vlan xx <<- in 9200 I think you use voice vlan in this step can you confirm 

MHM

0 Helpful

Go to solution
chris-doro
Level 1
Level 1
In response to MHM Cisco World

‎11-26-2024 10:21 AM - edited ‎11-26-2024 10:23 AM

No, VLAN 111 is our guest-vlan.
clients in VLAN 111 are only allowed to connect to internet.
VLAN 99 = voice, VLAN 10 = client vlan
We first tried it on C9200 and it worked.
Then i copied and pasted the switchport config to C9300 and the telephones gets no ip address, but the client connected to telephone is authenticated and gets ip address in correct VLAN.
Tried on different C9300, exact same issue.
Tried on other C9200 -> works!
It's the exact same config on both switch-types (copy -> paste).

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to chris-doro

‎11-26-2024 10:27 AM

Friend' you mention phone not support 802.1x so either it 

1- use mab 

2- use no-response 

Guest is same as phone' no response and hence I think phone is add to vlan111 which is not voice vlan.

MHM

0 Helpful

Go to solution
chris-doro
Level 1
Level 1
In response to MHM Cisco World

‎11-28-2024 10:50 PM

Cisco TAC told me to configure device-tracking on the access-ports with 802.1x.
Seems to work...

Go to solution
MHM Cisco World
VIP
VIP
In response to chris-doro

‎11-28-2024 10:51 PM - edited ‎11-28-2024 10:55 PM

please can you update me if it not work 

also can you share last config of 802.1x under port 

thanks a lot 

MHM

0 Helpful
Customers Also Viewed These Support Documents