I'm building a setup with ClearPass (6.2) on a Cisco 3560 switch (recent firmware 12.2(48), 12.2(52)) on which both a data and a voice VLAN are configured. According to the Cisco documentation it should be possible to do dot1x authentication for both of them. The voice device (Alcatel-Lucent IP Touch phone) supports dot1x (with MD5 and TLS).
Cisco global config:
aaa authentication dot1x default group radius
dot1x system-auth-control
Cisco interface config:
switchport mode access
switchport access vlan 10
switchport voice vlan 20
dot1x port-control auto
This works fine without dot1x. Once I enable dot1x, RADIUS authentication succeeds (the phone even mentions this), but the device remains in the data VLAN.
According to Cisco you have to do the following to support this multi-domain dot1x:
Cisco switch interface:
dot1x host-mode multi-domain
ClearPass:
Send the string "device-traffic-class=voice" as a Cisco Attribute-Value (AV) pair. (like this: http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/3078/1/Capture.JPG)
I have done both, but it seems the switch doesn't react: when I do # show authentication sessions I keep seeing Domain DATA.
Does anyone have experience with this setup? Did you do anything else besides what I wrote above? Is there something to debug on the Cisco to see if it receives the extra attribute?