@thecompnerd wrote:
cjoseph,
I've found that dynamic VLAN assignment will not work with MAB if the port is in multi-domain mode. Cisco's explanation:
You must configure the voice VLAN for the IP phone when the host mode is set to multidomain.
Note: If you use a dynamic VLAN in order to assign a voice VLAN on an MDA-enabled switch port, the voice device fails authorization.
The switch will log the following error message:
%AUTHMGR-5-FAIL: Authorization failed for client (0004.f2**.****) on Interface Gi3/17
I had to specifiy the voice VLAN & data VLAN. The Polycom phone has to retrieve it's VLAN via DHCP on the data VLAN, then it can hop over to the voice VLAN. After setting this up, the port showed up/up and had an IP address on the proper VLAN.
References:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_37_se/configuration/guide/sw8021x.html#wp1274573
I was having the same issue with dynamically setting the voice vlan when doing MAC Auth. I know this thread is old but I have found a resolution to this issue in CPPM when using MDA.
I found one document entry on Cisco's site when referencing Radius attribute configuration for IP Phone Authentication:
https://supportforums.cisco.com/docs/DOC-22478
Sending the "device-traffic-class=voice" in the enforcement profile will allow you to complete the authentication process. This still doesn't allow you to set voice vlan dynamically, it just sets the phone traffic to the voice vlan configured on the port.
I have attached a screenshot of the enforcement profile for CPPM.