I've been trying to get the 802.1x working with our IP phones without success. I've followed the instructions found in the IBNS phased implementation plan at http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html
It appears that the ACS is trying to authenticate the phone using EAP-TLS.
This is however a red herring as I don't have any hits on the policy for the phone...
I have a rule which should match the phones...
There is an internal user created to the following format...
Identity Group: All Groups
Under Access Policies> Access Services
> 802.1x > Authorization
I have a rule using the following condition:
System:IdentityGroup in All Groups
This rule doesn't seem to get hit yet it is defined exactly as described in the above document?
Anyone got this working?