Voice VLAN + MAB, no mac address entries

kitzin

I'm in the process of converting some legacy MAB configuration to IBNS 2.0/new-style and I cannot get voice VLAN to work.

My issue is that anything authenticated to the voice domain won't even get a MAC address on the switchport.
All the authenticated voice devices get the "device-traffic-class=voice" RADIUS attribute set.

The configuration below is how far I've come so far, and it seems to work for everything except the voice devices.
(yes I should set the fallback VLAN via RADIUS, and add some timeout timers etc.)

But the voice device gets authenticated and identified in the VOICE domain. But I don't understand why no MAC address is bound to the interface.

Is there something I am missing, or does someone have any troubleshooting steps I should be running through?

My interface configuration is via a statically bound template:

template ORG_ACCESS_AI_STD_TEMPLATE
 dot1x pae authenticator
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 switchport mode access
 switchport voice vlan 24
 storm-control broadcast level 5.00 1.00
 storm-control multicast level 5.00 1.00
 storm-control action shutdown
 storm-control action trap
 mls qos trust cos
 mab
 access-session closed
 access-session port-control auto
 service-policy type control subscriber ORG_ACCESS_AI_STD_POLICY
 load-interval 60
 keepalive 60

The policy-map:

class-map type control subscriber match-all VOICE
 match client-type voice
policy-map type control subscriber ORG_ACCESS_AI_STD_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event authentication-failure match-first
  10 class always do-until-failure
   10 activate service-template ORG_ACCESS_AI_FALLBACK_SERVICE
   20 authorize
   30 terminate mab
   40 authentication-restart 60
 event authentication-success match-first
  10 class VOICE do-until-failure
   10 activate service-template ORG_ACCESS_AI_VOICE_SERVICE
   20 authorize
  20 class always do-until-failure
   10 activate service-template ORG_ACCESS_AI_SUCCESS_SERVICE
 event violation match-all
  10 class always do-until-failure
   10 replace

Service templates:

service-template ORG_ACCESS_AI_FALLBACK_SERVICE
 description fallback service
 vlan 96
service-template ORG_ACCESS_AI_SUCCESS_SERVICE
 description success service
 vlan 96
service-template ORG_ACCESS_AI_VOICE_SERVICE
 description success voice
 voice vlan

Some troubleshooting outputs.

switch#show access-session int gig0/1

Interface  MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi0/1      xxxx.xxxx.xxxx  mab     VOICE   Auth        82F07B260000036A23D4D98D

switch#show access-session int gig0/1 details
  Interface: GigabitEthernet0/1
  MAC Address: xxxx.xxxx.xxxx
  IPv6 Address: Unknown
  IPv4 Address: Unknown
  User-Name: xxxxxxxxxxxx
  Status: Authorized
  Domain: VOICE
  Oper host mode: multi-auth
  Oper control dir: both
  Session timeout: N/A
  Restart timeout: N/A
  Periodic Acct timeout: N/A
  Common Session ID: 82F07B260000036A23D4D98D
  Acct Session ID: Unknown
  Handle: 0xBA000201
  Current Policy: ORG_ACCESS_AI_STD_POLICY

Local Policies:
  Service Template: ORG_ACCESS_AI_VOICE_SERVICE (priority 150)
  Voice Vlan: 24

Method status list:
  Method  State

  mab     Authc Success

switch#show mac address-table int gig0/1
Mac Address Table
-------------------------------------------

Vlan  Mac Address  Type      Ports
----  -----------  --------  -----

switch#show lldp neighbors
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID   Local Intf  Hold-time  Capability  Port ID
Mitel 6920  Gi0/1       120        B,T         xxxx.xxxx.xxxx

switch#show hardware
...
...
...
Switch  Ports  Model             SW Version  SW Image
------  -----  -----             ----------  ----------
*    1  12     WS-C2960CX-8PC-L  15.2(4)E6   C2960CX-UNIVERSALK9-M

 

UPDATE:

If I removed

access-session closed

from the interface configuration and used open authentication, it seems to bind MAC addresses to the interfaces on the voice VLAN.

But it seems strange why I can't have the interfaces in closed mode.

Accepted Solution

kitzin

UPDATE!

Our RADIUS server sent the Tunnel-Type and Tunnel-Medium-Type attributes in all MAB responses.

When I removed those and only added the cisco-avpair="device-traffic-class=voice" for the IP phone devices they became authorized and the MAC address was added to the MAC address table.
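
The fix described in the accepted solution, turned into a check that can be run over RADIUS reply definitions (an added example, not code from the original post): it flags any reply that marks a device as voice while still carrying the two tunnel attributes. The "Attribute = value" text layout, the sample replies and the function names are assumptions made for this example.

```python
import re

# The two attributes the accepted solution removed from phone replies.
TUNNEL_ATTRS = {"tunnel-type", "tunnel-medium-type"}
VOICE_AVPAIR = "device-traffic-class=voice"

# Matches 'Name = value', 'Name := "value",' and tagged names such as 'Name:1 = value'.
LINE_RE = re.compile(r'\s*([A-Za-z0-9-]+)(?::\d+)?\s*[:+]?=\s*"?(.*?)"?\s*,?\s*$')

def parse_reply(text):
    """Return (lowercased name, value) pairs; a name may appear more than once."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2).strip()))
    return pairs

def lint_reply(text):
    """Return a list of findings for one Access-Accept attribute list."""
    pairs = parse_reply(text)
    is_voice = any(
        name == "cisco-avpair" and value.replace(" ", "").lower() == VOICE_AVPAIR
        for name, value in pairs
    )
    tunnel = sorted({name for name, _ in pairs if name in TUNNEL_ATTRS})
    if is_voice and tunnel:
        return ["voice reply also carries " + ", ".join(tunnel)]
    return []

# Constructed sample replies (not captured from the poster's RADIUS server).
PHONE_BEFORE = """
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "device-traffic-class=voice"
"""
PHONE_AFTER = 'Cisco-AVPair = "device-traffic-class=voice"\n'
DATA_REPLY = "Tunnel-Type = VLAN\nTunnel-Medium-Type = IEEE-802\n"

if __name__ == "__main__":
    samples = {"phone (before)": PHONE_BEFORE, "phone (after)": PHONE_AFTER, "data": DATA_REPLY}
    for label, reply in samples.items():
        print(label, "->", lint_reply(reply) or "ok")
```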
