Help with 8021x MAB and VoIP phones

Solved
PhillipJFry
Here to help

We are trying to set up an 802.1X MAB policy for our phones.  The phones are Avaya phones.  The Windows RADIUS server's network policy constraints are configured for Ethernet and must be a member of a security group.  Also, I have set the vendor-specific Cisco AV-Pair device-traffic-class=voice attribute in the policy.  We have created an AD user account with the MAC as the username/password.  Logs show the MAB auth response is accept, but also show EAP failure Identity anonymous.  Then the phone gets put on the failed-auth guest VLAN we set up, but we can't ping the device.  Any recommendations or advice for me to look at?

[Screenshots attached]

1 Accepted Solution
PhillipJFry
Here to help

Wanted to inform everyone that we finally got the issue resolved.  The issue was that both MAB devices, one being the phone and the other being a PC, were both utilizing the same network access policy on the NPS server.  The network policy was passing the AV-Pair attribute for voice to both devices, causing a conflict.  Once I created a separate network policy for each device, the PC and phone both authenticate like they should.

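To make the accepted solution concrete, here is an added example (not code from the thread, from Meraki, or from NPS) that models what the switch sees in each case: it encodes the Cisco AV-Pair as a RADIUS Vendor-Specific attribute (type 26, vendor 9, cisco-avpair vendor-type 1, per RFC 2865), decodes it back, and evaluates a constructed NPS-style policy list against MAB accounts. The AD group names, the PC MAC address and the policy structure are assumptions; the phone MAC is the one from the log lines further down.

```python
import struct
from typing import List, Optional, Set, Tuple

RADIUS_VSA_TYPE = 26      # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # vendor-type of cisco-avpair

def cisco_avpair(value: str) -> bytes:
    """Encode one cisco-avpair string as a Vendor-Specific attribute (type|len|vendor-id|vtype|vlen|string)."""
    data = value.encode()
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", RADIUS_VSA_TYPE, 6 + len(vendor_part), CISCO_VENDOR_ID) + vendor_part

def decode_avpairs(attrs: bytes) -> List[str]:
    """Walk a run of RADIUS attributes and return every cisco-avpair string found."""
    out, i = [], 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if atype == RADIUS_VSA_TYPE and struct.unpack("!I", attrs[i + 2:i + 6])[0] == CISCO_VENDOR_ID:
            vtype, vlen = attrs[i + 6], attrs[i + 7]
            if vtype == CISCO_AVPAIR:
                out.append(attrs[i + 8:i + 6 + vlen].decode())
        i += alen
    return out

# Constructed stand-in for AD: MAB username (the MAC) -> security groups the account is in.
PHONE_MAC = "00:1a:e8:64:c2:ca"   # Avaya phone MAC from the log excerpt in this thread
PC_MAC = "b4:2e:99:11:22:33"      # constructed PC MAC
AD_GROUPS = {
    PHONE_MAC: {"MAB-Devices", "MAB-Phones"},
    PC_MAC: {"MAB-Devices", "MAB-PCs"},
}

VOICE = cisco_avpair("device-traffic-class=voice")
# Each policy: (required group, attributes returned in the Access-Accept). NPS takes the first match.
SHARED_POLICY = [("MAB-Devices", [VOICE])]                  # one policy for all MAB accounts (the broken state)
SPLIT_POLICIES = [("MAB-Phones", [VOICE]), ("MAB-PCs", [])]  # one policy per device class (the fix)

def evaluate(policies: List[Tuple[str, List[bytes]]], mac: str) -> Optional[bytes]:
    """Return the Access-Accept attribute bytes for a MAB request, or None for Access-Reject."""
    groups: Set[str] = AD_GROUPS.get(mac, set())
    for group, attrs in policies:
        if group in groups:
            return b"".join(attrs)
    return None

def accept_avpairs(policies, mac: str) -> Optional[List[str]]:
    """What cisco-avpairs the switch would receive for this MAC, or None if rejected."""
    accepted = evaluate(policies, mac)
    return None if accepted is None else decode_avpairs(accepted)
```

With the shared policy the PC's Access-Accept carries device-traffic-class=voice just like the phone's, which is the conflict described above; with the split policies only the phone receives it.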

7 Replies
alemabrahao
Kind of a big deal

I suggest you review the documentation.

https://documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I can get the single phone client to work if I use single-host mode, but we are trying to do the "multi-domain" mode since we have PCs behind the phone.

JacekJ
Building a reputation

What does the port setting look like?

We set up the multi-domain with VoIP around 2-3 years ago so I might be wrong, but I think you need to provide the VLAN and voice VLAN on the port despite the policy "telling" the switch what to do.

The VLAN we set up to something that we simply don't use anywhere.

See the below image for port configuration.  I still have an open ticket with TAC on this.  Making some progress, but no solution yet.

[Screenshot of the port configuration attached]
JanDeuss
New here

[Screenshot attached]
Hello,

We have the same problem. If I set VLAN and voice VLAN on the same setting, my configuration works fine.

When I set VLAN to 1, the setting does not work. The Meraki switch does not use the cisco-av-pair setting from the Windows Network Policy Server.

[Screenshots attached]

The port is being authenticated correctly, but from the AV-pair setting there is nothing in the log.

 

May 17 12:42:04 | NLT-1 | 00:1a:e8:64:c2:ca | RADIUS | MAB authentication | resp: accept
May 17 12:42:04 | NLT-1 | Port 21 | 00:1a:e8:64:c2:ca | 802.1X | RADIUS response | port: 21, rtt: 0.000 ms
May 17 12:42:04 | NLT-1 | Port 21 | 00:1a:e8:64:c2:ca | 802.1X | 802.1X deauthentication | port: 21
May 17 12:42:03 | NLT-1 | Port 21 | Spanning Tree | Port RSTP role change | Port 21 disabled→designated
May 17 12:42:03 | NLT-1 | Port 21 | Switch port | Port status change | port: 21, old: down, new: 1Gfdx

Your logs and setup look very similar to ours.  So far it seems like the issue is because both devices are MAB auth devices.  They are hitting the same network policy on the RADIUS server.  I still have an open ticket with TAC on this; hopefully we have some answers soon.
