11-27-2023 04:34 AM - edited 11-27-2023 04:49 AM
I'm in the process of converting some legacy MAB configuration to IBNS 2.0/new-style and I cannot get the voice VLAN to work.
My issue is that anything authenticated to the voice domain won't even get a MAC address on the switchport.
All the authenticated voice devices get the "device-traffic-class=voice" RADIUS attribute set.
The configuration below is how far I've come so far, and it seems to work for everything except the voice devices.
(Yes, I should set the fallback VLAN via RADIUS, add some timeout timers, etc.)
The voice device gets authenticated and identified in the VOICE domain, but I don't understand why no MAC address is bound to the interface.
Is there something I am missing, or does someone have any troubleshooting steps I should be running through?
My interface configuration is applied via a statically bound template:
template ORG_ACCESS_AI_STD_TEMPLATE
 dot1x pae authenticator
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 switchport mode access
 switchport voice vlan 24
 storm-control broadcast level 5.00 1.00
 storm-control multicast level 5.00 1.00
 storm-control action shutdown
 storm-control action trap
 mls qos trust cos
 mab
 access-session closed
 access-session port-control auto
 service-policy type control subscriber ORG_ACCESS_AI_STD_POLICY
 load-interval 60
 keepalive 60
The policy-map:
class-map type control subscriber match-all VOICE
 match client-type voice
policy-map type control subscriber ORG_ACCESS_AI_STD_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event authentication-failure match-first
  10 class always do-until-failure
   10 activate service-template ORG_ACCESS_AI_FALLBACK_SERVICE
   20 authorize
   30 terminate mab
   40 authentication-restart 60
 event authentication-success match-first
  10 class VOICE do-until-failure
   10 activate service-template ORG_ACCESS_AI_VOICE_SERVICE
   20 authorize
  20 class always do-until-failure
   10 activate service-template ORG_ACCESS_AI_SUCCESS_SERVICE
 event violation match-all
  10 class always do-until-failure
   10 replace
Service templates:
service-template ORG_ACCESS_AI_FALLBACK_SERVICE
 description fallback service
 vlan 96
service-template ORG_ACCESS_AI_SUCCESS_SERVICE
 description success service
 vlan 96
service-template ORG_ACCESS_AI_VOICE_SERVICE
 description success voice
 voice vlan
Some troubleshooting outputs.
switch#show access-session int gig0/1
Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi0/1 xxxx.xxxx.xxxx mab VOICE Auth 82F07B260000036A23D4D98D
switch#show access-session int gig0/1 details
Interface: GigabitEthernet0/1
MAC Address: xxxx.xxxx.xxxx
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: xxxxxxxxxxxx
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 82F07B260000036A23D4D98D
Acct Session ID: Unknown
Handle: 0xBA000201
Current Policy: ORG_ACCESS_AI_STD_POLICY
Local Policies:
Service Template: ORG_ACCESS_AI_VOICE_SERVICE (priority 150)
Voice Vlan: 24
Method status list:
Method State
mab Authc Success
switch#show mac address-table int gig0/1
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
switch#show lldp neighbors
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
Mitel 6920 Gi0/1 120 B,T xxxx.xxxx.xxxx
switch#show hardware
...
...
...
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 12 WS-C2960CX-8PC-L 15.2(4)E6 C2960CX-UNIVERSALK9-M
UPDATE:
If I remove
access-session closed
from the interface configuration and use open authentication, it seems to bind MAC addresses to the interfaces on the voice VLAN.
But it seems strange that I can't have the interfaces in closed mode.
12-07-2023 02:08 AM
UPDATE!
Our RADIUS server sent the Tunnel-Type and Tunnel-Medium-Type attributes in all MAB responses.
When I removed those and only added cisco-avpair="device-traffic-class=voice" for the IP phone devices, they became authorized and the MAC address was added to the MAC address table.
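A check for the Access-Accept shape described in this update, as an added example that is not from the thread or from Cisco: it parses a run of RADIUS AVPs (including the Cisco vendor-specific cisco-avpair sub-attribute) and flags a MAB accept that hands a device-traffic-class=voice device the Tunnel-Type/Tunnel-Medium-Type attributes the poster had to remove. It also flags Tunnel-Private-Group-Id, which normally travels with those two (my generalization); the sample packets, the VLAN value 24 in them, and the avp/cisco_avpair builders are constructed here.

```python
import struct

# RADIUS attribute types from RFC 2865 / RFC 2868
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
# Vendor-Specific (26), Cisco enterprise number (9), cisco-avpair sub-type (1)
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1

def avp(atype, value):
    """Encode one AVP: Type (1 byte), Length (1 byte, includes header), Value."""
    return bytes([atype, 2 + len(value)]) + value

def cisco_avpair(text):
    """Encode a cisco-avpair "key=value" string as a Vendor-Specific AVP."""
    sub = bytes([CISCO_AVPAIR, 2 + len(text)]) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def parse_avps(data):
    """Parse AVPs into (type, value); Cisco AV pairs become ('cisco-avpair', str)."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed AVP at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID \
                and value[4] == CISCO_AVPAIR:
            avps.append(("cisco-avpair", value[6:4 + value[5]].decode()))
        else:
            avps.append((atype, value))   # everything else stays raw
        pos += alen
    return avps

def check_mab_accept(avps):
    """Flag a voice-domain accept that also carries Tunnel-* VLAN attributes."""
    is_voice = any(t == "cisco-avpair" and v.lower() == "device-traffic-class=voice"
                   for t, v in avps)
    tunnel = sorted({t for t, _ in avps
                     if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)})
    if is_voice and tunnel:
        return ["voice accept also carries Tunnel-* attributes %s" % tunnel]
    return []

# Constructed samples: before the fix (Tunnel-Type=VLAN(13), Medium=802(6), VLAN 24) and after
BROKEN = (avp(TUNNEL_TYPE, struct.pack("!I", 13))
          + avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", 6))
          + avp(TUNNEL_PRIVATE_GROUP_ID, b"24")
          + cisco_avpair("device-traffic-class=voice"))
FIXED = cisco_avpair("device-traffic-class=voice")
```

Feed it the attribute section of a captured Access-Accept (everything after the 20-byte RADIUS header) to see which of the two shapes your server is sending.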