1) Cat 2960 with latest IOS release 12.2(46)SE which supports MDA;
2) Using Win2K IAS as RADIUS server; and
3) Third party IP Phone (Avaya) with dot1x supplicant enabled. I have a PC with dot1x capability connected to the second port of the IP phone.
This is what I have configured on the IP Phone port:
switchport access vlan 221
switchport mode access
switchport voice vlan 222
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x violation-mode protect
dot1x timeout reauth-period 30
I have also configured the Win2K IAS RADIUS server to send RADIUS attribute "cisco-av-pair" to tell the Authenticator (Cisco Catalyst 2960) that a Supplicant (IP Phone) is allowed on the voice VLAN as described in the config-notes link above.
When the IP Phone supplicant starts to authenticate, it succeeds, but that port does not authorize the VOICE domain even though the 2960 receives the RADIUS attribute "cisco-av-pair" from the RADIUS server. I have confirmed receipt of this attribute through debugging on the switch.
RADIUS: Received from id 1645/64 22.214.171.124:1645, Access-Accept, len
17:02:38: RADIUS: authenticator 7D AC 50 FE 14 B4 DC FC - 3A A4 E5 3F 76 1E 62
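
An added example, not part of the original post and not Cisco's or Microsoft's code: a Python check that an Access-Accept carries cisco-av-pair as a Cisco vendor-specific attribute (type 26, vendor ID 9, vendor type 1) with the value device-traffic-class=voice, the string Cisco documents for authorizing the voice domain under MDA. The function names are hypothetical, the packets are constructed inline, and the exact-match comparison is an assumption about how strictly the value must be formed.

```python
import struct

ACCESS_ACCEPT = 2        # RADIUS code (RFC 2865)
VENDOR_SPECIFIC = 26     # RADIUS attribute type for VSAs
CISCO_VENDOR_ID = 9      # Cisco's IANA enterprise number
CISCO_AV_PAIR = 1        # Cisco vendor type 1 = cisco-av-pair
VOICE_PAIR = "device-traffic-class=voice"

def tlvs(buf):
    """Yield (type, value) for a run of 1-byte type / 1-byte length TLVs."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def cisco_av_pairs(packet):
    """Return every cisco-av-pair string in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pairs = []
    for atype, value in tlvs(packet[20:length]):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, vdata in tlvs(value[4:]):   # vendor sub-attributes
            if vtype == CISCO_AV_PAIR:
                pairs.append(vdata.decode("ascii", "replace"))
    return pairs

def authorizes_voice(packet):
    """True only for an Access-Accept carrying the exact voice AV pair."""
    pairs = cisco_av_pairs(packet)
    return packet[0] == ACCESS_ACCEPT and VOICE_PAIR in pairs

def build_accept(av_pair):
    """Constructed sample packet: one Cisco VSA, zeroed authenticator."""
    data = av_pair.encode("ascii")
    sub = bytes([CISCO_AV_PAIR, len(data) + 2]) + data
    vsa = bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BBH", ACCESS_ACCEPT, 64, 20 + len(vsa)) + bytes(16) + vsa

if __name__ == "__main__":
    for pair in (VOICE_PAIR, "traffic-class=voice"):   # second value is a constructed typo
        print(pair, authorizes_voice(build_accept(pair)))
```

Run against the raw bytes of a captured Access-Accept, it separates "the attribute arrived" from "the attribute arrived as a Cisco VSA with the expected string", which the debug line alone does not show.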