I've got a unique setup I'm trying to get set up with regards to 802.1x and have run into some issues. I've got Avaya phones that I need to authenticate onto the voice VLAN that they are getting via LLDP. But I'm only using 802.1x to keep things off the voice VLAN, which is in a VRF. The PCs that will either be connected to the back of the phone or plugged directly into the switch cannot be configured for 802.1x, as these PCs are not owned by the department.
My idea was to run multi-domain as seems to be the suggestion for phone deployments and then put anything that fails authentication into the Data VLAN (30) using guest-vlan as well as authorizing them to Vlan 30 when authentication fails. It seems like authentication fail Vlan and guest Vlan cannot be used in multi-domain mode though, so I'm out of ideas and the port is not working properly. Here is my current config that is not working as it's not putting the PC into Vlan 30 when authentication fails. Vlan 40 is the voice Vlan. Vlan 30 is the data Vlan.
interface GigabitEthernet1/0/1
 description Test 802.1x port
 switchport mode access
 switchport voice vlan 40
 authentication event fail action authorize vlan 30
 authentication event server dead action authorize vlan 30
 authentication event no-response action authorize vlan 30
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout server-timeout 15
 dot1x timeout supp-timeout 2
 spanning-tree portfast
Any ideas on how I can go about achieving this?
Thanks,
Brian
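Added example, not Brian's configuration: the same multi-domain port written out with the guest-VLAN timers made explicit, plus the show commands used to confirm which domain and VLAN each session actually landed in. It assumes a Catalyst IOS release that accepts the `authentication event` syntax already used above and that supports the guest and restricted VLAN for the data domain of a multi-domain port; the `tx-period` and `max-reauth-req` values are assumptions chosen to make the no-response fallback fast enough to observe.

```cisco
interface GigabitEthernet1/0/1
 description Test 802.1x port (worked example)
 switchport mode access
 switchport voice vlan 40
 !
 ! One voice device and one data device per port; the phone authenticates
 ! with its own supplicant, the PC has none and relies on the data-domain
 ! fallbacks below.
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 !
 ! Data-domain fallbacks: no EAPOL answer -> guest VLAN 30,
 ! failed credentials -> restricted VLAN 30, RADIUS unreachable -> VLAN 30.
 authentication event no-response action authorize vlan 30
 authentication event fail action authorize vlan 30
 authentication event server dead action authorize vlan 30
 !
 dot1x pae authenticator
 ! A host with no supplicant is moved to the guest VLAN only after
 ! (max-reauth-req + 1) * tx-period seconds of unanswered EAP-Request/Identity.
 ! Defaults are 30 s and 2 retries (90 s); these assumed values give 15 s.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 dot1x timeout server-timeout 15
 dot1x timeout supp-timeout 2
 spanning-tree portfast
!
! Verification from enable mode: Domain should read VOICE for the phone and
! DATA for the PC, and the PC's Vlan should read 30 once the fallback fired.
! show authentication sessions interface GigabitEthernet1/0/1
! show dot1x interface GigabitEthernet1/0/1 details
```

Reading the session table is the quickest way to tell the three outcomes apart: a PC that sits in "Running" with no VLAN has not yet exhausted the EAP-Request/Identity retries, one authorized into VLAN 30 with method dot1x and status "Authz Success" reached the guest or restricted VLAN, and an entry in the VOICE domain that is not authorized points at the phone's supplicant rather than at the data-domain fallbacks.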