Avaya IP Phones, 3750's, LLDP and DOT1x

Unanswered Question
Jan 14th, 2009

Hi All,

I am working on a number of large campus deployments where the edge switches are 3750/3560's and the voice solution is Avaya 9600 IP Phones.

I have some beta firmware for the phones from Avaya which is able to exchange LLDP-MED messages between the 3750 I am using for testing, and the phone. The result of this is that the phone learns the voice VLAN via LLDP in the same way as a Cisco phone would, which is great because it means the phone does not need to get this info from a data VLAN first. This aspect works fine in testing.

The IP phone has its dot1x supplicant disabled so it will not send EAPOL messages. The hosts behind it, however, are allowed to pass through EAPOL. At the moment though I am concentrating on the phone only.

There is a requirement for dot1x on this network. The issue I have is that with dot1x enabled and using multi-domain authentication, the phone never seems to move to the voice VLAN and so the switch correctly blocks the phone.

The LLDP-MED details for the phone look fine. A look at the '802.1x interface details' command shows that the phone is seen in the data domain and not the voice domain. The mac-address table shows the MAC for the phone in the voice VLAN as a static entry with its 'ports' entry set to 'drop'.

So it looks to me as if the switch is recognising the phone and placing it onto the correct VLAN. LLDP-MED clearly shows that the phone does know the voice VLAN it should be using, but the fact that the dot1x process always sees the phone on the data domain suggests the phone is not tagging its frames into the switch.

I think the switch is assigning the voice VLAN to the phone correctly, but something in dot1x is preventing the phone from moving to it.

What needs to happen for the switch to see that the phone is in the MDA voice domain?

If the phone was tagging with the voice VLAN would that do it?

Any suggestions very welcome, especially if I have misunderstood the process.



its-system Tue, 01/27/2009 - 06:30

Don't know if it helps, but I have the same states as you described when using inaccessible authentication bypass.

I use Avaya 9600 without LLDP, but with dot1x multi-domain. When ACS is reachable, everything is ok (Avaya 9600 and laptop behind it)

When ACS is down, the laptop will work in the critical VLAN, but the 9600 will not get its IP from the voice VLAN. I also have its MAC address on drop in the "sh mac" command. It seems that instead of multi-domain the port switches back to multi-host or so.

roadhouse1387 Wed, 01/28/2009 - 01:35

Hi guys,

Thanks for the help, I have it sorted now.

The answer is in the behaviour of the switch. MDA always requires dot1x authentication on the data domain, therefore it's not possible to have the phone moved into the voice VLAN without a successful authentication first.

The solution is to enable the dot1x supplicant on the phone and get the ACS to pass back the VSA 'Traffic-Class-Voice' to the switch. The switch will only ever move the phone onto the voice vlan when it sees this attribute returned after authentication.

So I have this configuration scenario which now works as expected.

The phone and switch exchange LLDP messages. From this the phone learns its voice VLAN. The phone then attempts dot1x authentication. If successful, the ACS returns the required VSA, which is recognised by the switch. The switch, upon seeing the VSA, places the phone into the voice domain, and the port is authorised in that domain.

Great !

Thanks for the help guys...



RICHARD MESSINGER Fri, 04/24/2009 - 09:11

Shaun, I have a customer that is going to be doing something similar later this year. Would it be possible for you to attach a snippet of your switch configuration that supports the Avaya IP Phones and what version of code is running on the Phones to support the LLDP-MED interaction with the Cisco switches and to the ACS server?


roadhouse1387 Sat, 04/25/2009 - 03:15

Hi, no problem r.

Run v3.0 code on the Avaya phones, this has a fix in for the LLDP-MED network TLV, and use 12.2(46)SE on the switches.

We tried it with 12.2(50), which has a load of changes to the dot1x command set, and although the dot1x config is so much more flexible in this release, we found that it broke LLDP-MED. The phone will no longer learn the VLAN on power up. We found that the only way we could get the phone to learn correctly was to repeatedly shut and no-shut the port; sometimes it would work, but most of the time it would not. Clearly something has changed in 12.2(50) as far as LLDP-MED is concerned.

We reverted to 12.2(46) and it works perfectly every time.

I will post the config as soon as I get back to work on Monday, but in the meantime I hope this helps a little.



roadhouse1387 Fri, 05/01/2009 - 03:22

Hi r.

Here are the relevant parts of the config we are using to authorise Avaya IP phones. We are doing other things on the ports as well, such as MAB, WOL and guest VLAN, but you can see the important bits.

aaa group server radius RSERVERS
 server x.x.x.x auth-port 1812 acct-port 1646

aaa authentication login networks group tacacs+ line
aaa authentication dot1x default group RSERVERS
aaa authorization exec default group tacacs+ none
aaa authorization network default group RSERVERS

lldp run

interface GigabitEthernet0/7
 description Typical Switchport
 switchport access vlan 900
 switchport mode access
 switchport voice vlan 602
 priority-queue out
 mls qos trust dscp
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x violation-mode protect
 dot1x control-direction in
 dot1x guest-vlan 901
 spanning-tree portfast

radius-server host x.x.x.x auth-port 1812 acct-port 1646 key yyy

In the ACS server, configure each phone as a user with its MAC address as username and the password which is entered by the user at the phone keypad when prompted, then add the following details to the 'Cisco IOS/PIX RADIUS Attributes' field...

Tick the checkbox labeled '[009/001] cisco-av-pair' and enter this string exactly as shown (and in the attached pic).


The RADIUS server returns this attribute back to the switch, which uses it to place the phone into the VLAN it learns from LLDP-MED.

Hope this helps
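
Added example, not part of the original posts and not Cisco or Avaya code: a Python check that scans a saved `show running-config` for ports in `dot1x host-mode multi-domain` and reports the ones missing the pieces the flow described in this thread depends on (LLDP-MED VLAN discovery, 802.1X authentication, then RADIUS authorization). The checklist in `REQUIRED` is an assumption drawn from the config posted above and uses its 12.2(46)SE command syntax; `REQUIRED`, `parse` and `audit` are hypothetical names, and the sample config is constructed.

```python
import re

# Constructed sample in "show running-config" layout, modelled on the posted config.
SAMPLE = """\
aaa authentication dot1x default group RSERVERS
aaa authorization network default group RSERVERS
lldp run
interface GigabitEthernet0/7
 switchport voice vlan 602
 dot1x port-control auto
 dot1x host-mode multi-domain
interface GigabitEthernet0/8
 dot1x port-control auto
 dot1x host-mode multi-domain
"""
# (scope, command prefix, consequence if missing); an assumed checklist, not a Cisco one.
REQUIRED = [
    ("global", "lldp run", "phone cannot learn the voice VLAN via LLDP-MED"),
    ("global", "aaa authentication dot1x ", "no 802.1X authentication method list"),
    ("global", "aaa authorization network ", "RADIUS-returned attributes are not applied"),
    ("port", "switchport voice vlan ", "no voice VLAN for the voice domain"),
    ("port", "dot1x port-control auto", "port is not enforcing 802.1X"),
]

def parse(config):
    """Split IOS text into global lines and {interface: [sub-commands]}."""
    globals_, ports, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", raw)
        if m:                                   # start of an interface stanza
            current = ports.setdefault(m.group(1), [])
        elif raw[:1].isspace() and current is not None:
            current.append(line)                # indented line: interface sub-command
        elif line and line != "!":              # unindented line: global command
            current = None
            globals_.append(line)
    return globals_, ports

def audit(config):
    """Return sorted (scope, problem) findings; empty if no multi-domain ports exist."""
    globals_, ports = parse(config)
    mda = {n: c for n, c in ports.items() if "dot1x host-mode multi-domain" in c}
    findings = []
    for scope, prefix, why in REQUIRED:
        targets = {"global": globals_} if scope == "global" else mda
        findings += [(name, why) for name, cmds in targets.items()
                     if not any(c.startswith(prefix) for c in cmds)]
    return sorted(findings) if mda else []
```

The parser relies on the one-space indentation that `show running-config` gives interface sub-commands. On releases that use the newer command set mentioned above for 12.2(50), the prefixes in `REQUIRED` would need adjusting.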
