
Voice VLAN and 802.1X authentication, wrong IP

SandrienA
Level 1

Hi,

 

For our setup we are using 802.1X to authenticate users; this works fine. But now we want to add a voice VLAN. The phone always has to be in VLAN 20, while the client is in VLAN 99 unless he can authenticate himself; then he's in VLAN 50.
So the setup would be

 

[ switch ] - [ VoIP phone ] - [ client ]

VLAN 20 - voice

VLAN 50 - authenticated

VLAN 99 - guest

 

The phone doesn't have to authenticate itself, so we're using host-mode multi-host. I should also add that we're using Alcatel phones, not Cisco.

The problem is that the phone doesn't get an IP from the voice VLAN; it's getting a VLAN 99 IP.

 

This is our configuration for the interface on the switch:

switchport mode access
switchport voice vlan 20
authentication event fail action authorize vlan 99
authentication event no-response action authorize vlan 99
authentication host-mode multi-host
authentication port-control auto
authentication violation protect
dot1x pae authenticator
dot1x timeout tx-period 2
dot1x max-reauth-req 1
spanning-tree portfast

 

Is there anything wrong with this? If you need any more information just ask.

 

Thanks in advance

1 Reply

Hi, after the phone is successfully authenticated via 802.1X or MAB, the AAA server needs to send a RADIUS-Accept message to the switch with the device-traffic-class=voice VSA. The switch authorizes the MAC address of the phone and allows it access to the voice VLAN.

 

Therefore try adding this to your Authorisation rule on your AAA server:

Cisco-AV-Pair = "device-traffic-class=voice"

 

HTH
