Dot1x MAB with MDA Issue

Unanswered Question
Jun 19th, 2010

I have configured MAB (MAC Authentication Bypass) with MDA (Multi Domain Access). All devices are successfully authenticating with their respective VLANs. MAB devices are authenticating as Voice.

I am using ACS (Radius) for authentication and DHCP relay.

The problem is that the voice device is not getting an IP from the DHCP server. There is no error reported on the switch or RADIUS. Without Dot1x everything is working.

switchport access vlan 105
switchport mode access
switchport voice vlan 108
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
dot1x mac-auth-bypass eap
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x max-req 1
dot1x guest-vlan 105
spanning-tree portfast
spanning-tree bpduguard enable
ip verify source

Faisal Sehbai Sat, 06/19/2010 - 20:54


Can you please furnish a sh ver and a sh runn from the switch? What version of ACS are you using? Are you sending back any attributes for the phone?


Muhammad Zubair Sat, 06/19/2010 - 23:57

We are using a 3-layer model (Core, Distribution & Access) and all VLAN interfaces are on distribution.

I am passing the av-pair value device-traffic-class=voice from ACS.

We are using ACS 4.1 for Windows and ACS is successfully authenticating both devices.

Even show Dot1x Interface shows proper authentication with the proper domain.

Faisal Sehbai Tue, 06/22/2010 - 06:59


Interesting. Have you given LLDP a shot yet with your phones? What sort of phones are you using?


Muhammad Zubair Tue, 06/22/2010 - 07:35

Dear Faisal,

I am using Siemens OptiPoint and I think it does not support CDP/LLDP.



Faisal Sehbai Tue, 06/22/2010 - 14:13


Last thing I'd ask you to try is to remove the ip source verify and port-security commands both, and test.

If that doesn't fly then open a TAC case.



