We are trying to setup an 8021x MAB policy for our phones. The phones are avaya phones. The windows RADIUS server's network policy constraints are configured for ethernet and must be a member of a security group. Also, I have set vendor specific Cisco AV Pair device-traffic-class=voice attribute in the policy. We have created an AD user account with the MAC as the username/password. Logs show MAB auth response is accept, but the shows eap failure Identity anonymous. Then the phone gets put on the failed auth guest vlan we setup, but cant ping the device. Any recommendations or advice for me to look at?
See the below image for port configuration. I still have an open ticket with TAC on this. Making some progress, but no solution yet.
Hello,
we have the same Problem. If i set vlan and voice vlan on the same setting my configuration works fine.
Then i set vlan to 1 the setting does not work. The Meraki switch does not use the cisco-av.pair setting from the Windows Network policy server.
The Port is beeing autheticated correctly but from the av pair setting is nothing in the log.
| May 17 12:42:04 | NLT-1 | 00:1a:e8:64:c2:ca | RADIUS | MAB authentication | resp: accept | |
| May 17 12:42:04 | NLT-1 | Port 21 | 00:1a:e8:64:c2:ca | 802.1X | RADIUS response | port: 21, rtt: 0.000 ms |
| May 17 12:42:04 | NLT-1 | Port 21 | 00:1a:e8:64:c2:ca | 802.1X | 802.1X deauthentication | port: 21 |
| May 17 12:42:03 | NLT-1 | Port 21 | Spanning Tree | Port RSTP role change | Port 21 disabled→designated | |
| May 17 12:42:03 | NLT-1 | Port 21 | Switch port | Port status change | port: 21, old: down, new: 1Gfdx |
