So, I'm in the middle of trying to get dot1x authentication (or MAB for dot1x unsupported network devices - IP Phones, WAPs, Printers, etc) working across the board here.
The dot1x/RADIUS (using Windows NPS) authentication and authorization is working fine, Windows clients are using their AD Computer object to join the wired network, unauthenticated clients drop to the guest-wired VLAN as designed.
The issue I'm having comes from the VOICE vlan which will be used by the Cisco CUCM phones. These seem to be joining the DATA domain in a multi-domain host-mode, even with Cisco-AV-Pair "device-traffic-class=voice" defined in the NPS network Policy.
Here's the current switchport config:
Code:
interface GigabitEthernet1/0/33
switchport access vlan 10
switchport mode access
switchport voice vlan 11
authentication event fail action authorize vlan 12
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 12
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout server-timeout 1
dot1x timeout tx-period 1
dot1x timeout supp-timeout 1
dot1x max-req 3
dot1x max-reauth-req 3
dot1x timeout held-period 1
spanning-tree portfast
spanning-tree bpduguard enable
And here's the show authentication output:
Code:
SW2#sh authe sess int gi1/0/33
Interface: GigabitEthernet1/0/33
MAC Address: 0024.97a9.2aa4
IP Address: Unknown
User-Name: 002497a92aa4
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A65004300000B161A23B60A
Acct Session ID: 0x00000B21
Handle: 0x17000B17
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
SW2#sh authe sess
Interface MAC Address Method Domain Status Session ID
Gi1/0/33 0024.97a9.2aa4 mab DATA Authz Success 0A65004300000B161A23B60A
As you can see, the Domain: DATA appears to be a problem. The phone never pulls an IP address from DHCP (and also therefore never gets option 150), the phone should be in the VOICE domain, surely, as denoted by "switchport voice vlan 11".
Here's the applied NPS policy for the IP Phones:

If I configure the switchport with no authentication, the phone joins the correct Voice VLAN, and gets an IP instantly.
Any ideas?
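For anyone debugging the same symptom, the thing worth verifying is what the switch actually receives in the RADIUS Access-Accept: it only puts a MAB session into the VOICE domain when the accept carries the Cisco-AVPair "device-traffic-class=voice" as a proper Vendor-Specific attribute (RADIUS attribute 26, vendor ID 9, vendor-type 1 per RFC 2865), not as a standard attribute such as Reply-Message. The following is an added example and not code from the original post or from Cisco/Microsoft: it encodes that VSA the way the switch expects it on the wire and decodes an attribute list to check whether the voice AV-pair is present. The two attribute lists GOOD_ACCEPT and BAD_ACCEPT are constructed here for illustration; they are not captures from the poster's NPS server. To use it against real traffic, feed it the RADIUS payload of an Access-Accept minus the 20-byte header (code, identifier, length, authenticator).

```python
import struct

RADIUS_VSA_TYPE = 26            # RFC 2865 section 5.26, Vendor-Specific
RADIUS_USER_NAME = 1
RADIUS_REPLY_MESSAGE = 18
CISCO_VENDOR_ID = 9             # IANA enterprise number for Cisco
CISCO_AVPAIR_VENDOR_TYPE = 1    # Cisco-AVPair sub-attribute
VOICE_AVPAIR = b"device-traffic-class=voice"


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one standard RADIUS attribute: Type, Length (incl. header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_cisco_avpair(value: bytes) -> bytes:
    """Encode one Cisco-AVPair as a RADIUS Vendor-Specific attribute (type 26).

    Layout: 26 | len | Vendor-Id(4 bytes, 9) | Vendor-Type(1) | Vendor-Len | string
    """
    vendor_data = struct.pack("!BB", CISCO_AVPAIR_VENDOR_TYPE, 2 + len(value)) + value
    return encode_attribute(RADIUS_VSA_TYPE, struct.pack("!I", CISCO_VENDOR_ID) + vendor_data)


def parse_attributes(raw: bytes):
    """Yield (type, value) for every attribute in a raw RADIUS attribute list."""
    offset = 0
    while offset < len(raw):
        if offset + 2 > len(raw):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = raw[offset], raw[offset + 1]
        if attr_len < 2 or offset + attr_len > len(raw):
            raise ValueError("bad attribute length at offset %d" % offset)
        yield attr_type, raw[offset + 2:offset + attr_len]
        offset += attr_len


def cisco_avpairs(raw: bytes):
    """Return all Cisco-AVPair strings carried in the attribute list.

    Only vendor ID 9 / vendor-type 1 counts; the same text inside any other
    attribute (e.g. Reply-Message) is ignored, exactly as the switch ignores it.
    """
    pairs = []
    for attr_type, value in parse_attributes(raw):
        if attr_type != RADIUS_VSA_TYPE or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]
        # One VSA may carry several vendor sub-attributes back to back.
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                break
            if vtype == CISCO_AVPAIR_VENDOR_TYPE:
                pairs.append(sub[2:vlen].decode("ascii", "replace"))
            sub = sub[vlen:]
    return pairs


def authorizes_voice_domain(raw: bytes) -> bool:
    """True only when the accept carries an exact device-traffic-class=voice AV-pair."""
    return VOICE_AVPAIR.decode() in cisco_avpairs(raw)


# Constructed sample attribute lists (hypothetical, not captured from the poster's NPS).
# MAB user name is the MAC address, as in the show output above.
GOOD_ACCEPT = (
    encode_attribute(RADIUS_USER_NAME, b"002497a92aa4")
    + encode_cisco_avpair(VOICE_AVPAIR)
)

# Same text placed in Reply-Message (18) instead of the Cisco VSA: a common NPS
# mistake, and the switch will leave the session in the DATA domain.
BAD_ACCEPT = (
    encode_attribute(RADIUS_USER_NAME, b"002497a92aa4")
    + encode_attribute(RADIUS_REPLY_MESSAGE, VOICE_AVPAIR)
)

if __name__ == "__main__":
    for name, accept in (("good", GOOD_ACCEPT), ("bad", BAD_ACCEPT)):
        print(name, cisco_avpairs(accept), "voice domain:", authorizes_voice_domain(accept))
```

The check is deliberately strict: a trailing space or different case in the NPS string value (say "Device-Traffic-Class=voice ") is reported as not matching, which is the first thing to look at when the policy "looks right" in the NPS console but the session still lands in DATA.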