I am working on a number of large campus deployments where the edge switches are 3750/3560s and the voice solution is Avaya 9600 IP Phones.
I have some beta firmware for the phones from Avaya which is able to exchange LLDP-MED messages between the 3750 I am using for testing and the phone. The result of this is that the phone learns the voice vlan via LLDP in the same way as a Cisco phone would, which is great because it means the phone does not need to get this info from a data vlan first. This aspect works fine in testing.
The IP Phone has its dot1x supplicant disabled so it will not send EAPOL messages. The hosts behind it, however, are allowed to pass through EAPOL. At the moment though I am concentrating on the phone only.
There is a requirement for dot1x on this network. The issue I have is that with dot1x enabled and using multi-domain authentication, the phone never seems to move to the voice vlan and so the switch correctly blocks the phone.
The LLDP-MED details for the phone look fine. A look at the '802.1x interface details' command shows that the phone is seen in the data domain and not the voice domain. The mac-address table shows the mac for the phone in the voice vlan as a static entry with its 'ports' entry set to 'drop'.
So it looks to me as if the switch is recognising the phone and placing it onto the correct vlan. LLDP-MED clearly shows that the phone does know the voice vlan it should be using, but the fact that the dot1x process always sees the phone on the data domain suggests the phone is not tagging its frames into the switch.
I think the switch is assigning the voice vlan to the phone correctly, but something in dot1x is preventing the phone from moving to it.
What needs to happen for the switch to see that the phone is in the MDA voice domain?
If the phone was tagging with the voice vlan would that do it?
Any suggestions very welcome, especially if I have misunderstood the process.
Don't know if it helps, but I have the same states as you described when using inaccessible authentication bypass.
I use Avaya 9600 without LLDP, but with dot1x multi-domain. When ACS is reachable, everything is ok (Avaya 9600 and laptop behind it)
When ACS is down, the laptop will work in the critical Vlan, but the 9600 will not get its IP from the Voice Vlan. I also have its MAC address on drop in the "sh mac" command. It seems that instead of multi-domain the port switches back to multi host or so.
The answer is in the behaviour of the switch. MDA always requires dot1x authentication on the data domain, therefore it's not possible to have the phone moved into the voice vlan without a successful authentication first.
The solution is to enable the dot1x supplicant on the phone and get the ACS to pass back the VSA 'Traffic-Class-Voice' to the switch. The switch will only ever move the phone onto the voice vlan when it sees this attribute returned after authentication.
So I have this configuration scenario which now works as expected.
The phone and switch exchange LLDP messages. From this the phone learns its voice vlan. The phone then attempts dot1x authentication. If successful, the ACS returns the required VSA which is recognised by the switch. The switch, upon seeing the VSA, places the phone into the voice domain, and the port is authorised in that domain.
Shaun, I have a customer that is going to be doing something similar later this year. Would it be possible for you to attach a snippet of your switch configuration that supports the Avaya IP Phones and what version of code is running on the Phones to support the LLDP-MED interaction with the Cisco switches and to the ACS server?
Run v3.0 code on the Avaya phones; this has a fix in for the lldp-med network-tlv. Use 12.2(46)SE on the switches.
We tried it with 12.2(50), which has a load of changes to the dot1x command set, and although the dot1x config is so much more flexible in this release, we found that it broke LLDP-MED. The phone will no longer learn the vlan on power up. We found that the only way we could get the phone to learn correctly was to repeatedly shut and no-shut the port; sometimes it would work, but most of the time it would not. Clearly something has changed in 12.2(50) as far as LLDP-MED is concerned.
We reverted to 12.2(46) and it works perfectly every time.
I will post the config as soon as I get back to work on Monday, but in the meantime I hope this helps a little.
In the ACS server, configure each phone as a user with its mac address as username and the password which is entered by the user at the phone keypad when prompted, then add the following details to the 'Cisco IOS/PIX RADIUS Attributes' field...
Tick the checkbox labeled '[009/001] cisco-av-pair' and enter this string exactly as shown (and in the attached pic).
The RADIUS server returns this attribute back to the switch, which uses it to place the phone into the vlan it learns from LLDP-MED.
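To make the sequence described in this thread concrete, here is an added example of what the switch side of an MDA port looks like on a 3750 running the 12.2(46)SE-era command set, together with the RADIUS attribute the thread refers to. This is not Shaun's posted configuration (his was attached as a picture and is not reproduced here) and not Cisco's or Avaya's documentation; the VLAN numbers, interface, RADIUS server address 192.0.2.10 and the shared-secret placeholder are all constructed for illustration. The `device-traffic-class=voice` av-pair value is the standard IOS attribute that maps to the 'Traffic-Class-Voice' VSA mentioned above; it is stated here from general IOS knowledge, not copied from the page's attachment, so check it against your ACS screenshot.

```cisco
! --- Global: AAA towards the ACS/RADIUS server (addresses and key are constructed) ---
aaa new-model
aaa authentication dot1x default group radius
! Network authorization is what lets the switch act on VSAs such as the voice traffic class
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
! LLDP must be running globally so the LLDP-MED network-policy TLV is advertised to the phone
lldp run
!
! --- Edge port facing the Avaya 9600 (VLAN ids are assumed values) ---
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! The voice VLAN configured here is what LLDP-MED advertises to the phone
 switchport voice vlan 20
 dot1x pae authenticator
 dot1x port-control auto
 ! Multi-domain: one authenticated host in the data domain, one in the voice domain
 dot1x host-mode multi-domain
 spanning-tree portfast
!
! --- ACS side (RADIUS reply for the phone's user entry, username = phone MAC) ---
! [009/001] cisco-av-pair = device-traffic-class=voice
!
! --- Verification after the phone authenticates ---
! show lldp neighbors FastEthernet0/1 detail      (MED network policy shows VLAN 20)
! show dot1x interface FastEthernet0/1 details    (phone should now appear in the VOICE domain)
! show mac address-table interface FastEthernet0/1 (phone MAC in VLAN 20, no 'drop' entry)
```

The order of operations matters for troubleshooting: the phone first needs the voice VLAN from LLDP-MED (`show lldp neighbors ... detail`), then a successful EAP exchange with its supplicant enabled, and only when the RADIUS Access-Accept carries the voice traffic-class attribute does the switch authorize it in the voice domain. A phone that authenticates but is still shown in the DATA domain with a 'drop' MAC entry, as in the original question, points at the attribute not being returned or the supplicant being disabled, not at the LLDP-MED side.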