I have a large Cisco deployment of Cisco APs and IP Phones. I am utilizing both Data and Voice VLANs on the switchports.
My basic switchport configuration is:
interface GigabitEthernet0/5
 switchport access vlan 32
 switchport mode access
 switchport voice vlan 34
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
end
I am trying to create a MAB service that will classify a Cisco AP and an IP Phone when they connect to the network for the first time. Can someone point me in the right direction?
It appears when an IP Phone boots up, you must pass back the following RADIUS attribute:
Radius:Cisco | Cisco-AVPair | = | device-traffic-class=voice |
so the phone will participate on the Voice VLAN correctly. If not, it gets hung on trying to register the phone because it appears to be stuck in the data VLAN, when it needs to be on the voice VLAN.
If I pass this attribute back for all Cisco devices, but the device is now an AP, then the AP thinks it should be on the voice VLAN instead of the data VLAN.
Is there an easier way to do this and have them profiled so my service policies can simply be:
Authorization:[Endpoints Repository]:Category EQUALS VoIP Phone -----> Cisco Phone
Authorization:[Endpoints Repository]:Category EQUALS Access Point ------> Cisco AP