I am trying to authenticate a Cisco 7970 IP phone that is set up to do 802.1x with ACS. When I check the log files on ACS, it shows that the phone failed authentication, but the phone is still allowed on the network and can make calls. I have added the MAC address as an ACS user and configured a password which matches the password configured on the phone. If I put the wrong password in, it's still allowed on the network; the port is never shut down. I was speaking to someone who was able to do this and they somehow enabled the av-pair. Only I am not sure what to put in there. Does anyone have an idea as to what would need to go in there so that when a phone fails authentication it's put in the guest VLAN or denied access?
Right. This is the phone doing MD5. Every phone will have a unique and hard-coded username. It's designed to simplify configuration on the phone side.
You'll have to verify, since I don't have one handy, but I think the username is something like "SEP-mac-address-phone-model" or something like that.