We are also having this issue, so you are not alone. I currently have a case open with TAC to see what they have to say about this. I have also noticed that this feature doesn't work with the Low Impact design (using dACLs). The pre-authentication ACL applied to the port remains active even when the user/device is authorized which causes the traffic on the port to be blocked accordingly.
Curious if anyone has any suggestions on how to handle these two scenarios.
I've been reading the IP Telephony In IEEE 802.1X-Enabled Networks Deployment and Configuration Guide.
In this guide I've found the following paragraph, which confirmed my findings.
Cisco confirms the impact of an inaccessible AAA server for devices in the voice VLAN.
There is only full support for the data VLAN. The voice VLAN can only be configured by using RADIUS AVs.
2.3.6 Inaccessible-Auth Bypass
If an IEEE 802.1x authentication fails because the AAA server is unavailable, the switch can be configured to allow clients access to a special VLAN (sometimes called the "Critical VLAN") that provides configurable access to the network. The Critical VLAN can be any VLAN except for the voice VLAN. When MDA is deployed, Inaccessible-Auth Bypass is fully supported for the data domain. The operational impact of this feature on IP Phones depends on the authorization state of the voice domain when the failure occurs.
● If a phone has previously authenticated and re-authentication occurs after the AAA server has become unreachable, the switch puts the critical port in the critical-authentication state in the current VLAN (either the statically configured voice VLAN or a dynamically assigned voice VLAN from the AAA server). IP connectivity will not be disrupted for previously authenticated phones.
● If a phone plugs into the port when the AAA server is down, the switch will put the port in the critical VLAN. Phones that get assigned to the critical VLAN will not function properly (since they will not have access to the voice VLAN). Because the switch relies on the device-traffic-class=voice VSA that only the AAA server can provide, the switch has no way to authorize a phone into the voice domain if the AAA server is down.
While there is no concept of Inaccessible Auth Bypass for phones today, it is important to remember that wired phones are typically static devices. Therefore, most wired phones will be properly authenticated when the AAA server is up and stay authenticated when the AAA server is unavailable. Only phones that connect to the network when the AAA server is down will be affected. Since this would be a rare occurrence, the current behavior of Inaccessible-Auth Bypass is usually not a significant operational issue for IP telephony deployments.