Hi,
I've got a 2920 on 16.07.0004 and we're running 802.1X and MAB in parallel on a bunch of switch ports against a RADIUS Server.
All the authentication and VLAN assignment stuff works perfectly well when we are explicit in the instructions we send back from RADIUS, e.g., 'user in AD Group XYZ, assign to VLAN 9', 'device is a phone, assign to VLAN 6', etc. This all works, even with a PC plugged in to the back of the phone, they both get assigned to different VLANs and it works fine... Lovely.
However...
If we do 802.1x for a phone and proactively assign it to a specific VLAN, and then connect a PC to the phone that also does 802.1x, but I just want to dump the PC into whatever the switchport's default VLAN is, so I just return a 'Permit Access' without any explicit VLAN info, the switch always errors and says Rejected No VLAN.
Is what I'm doing actually possible?
Cheers,
Richard
Config extract follows...
radius-server host 172.16.x.x key "blah"
radius-server host 172.16.x.x dyn-authorization
radius-server host 172.16.x.x time-window plus-or-minus-time-window
radius-server host 172.16.x.x time-window 60
aaa server-group radius "RADIUSServer" host 172.16.x.x
aaa accounting update periodic 1
aaa accounting network start-stop radius
aaa accounting session-id common
aaa authentication port-access eap-radius server-group "RADIUSServer" cached-reauth
aaa authentication mac-based chap-radius server-group "RADIUSServer" cached-reauth
aaa port-access gvrp-vlans
aaa port-access authenticator 1/1 quiet-period 30
aaa port-access authenticator 1/1 tx-period 10
aaa port-access authenticator 1/1 supplicant-timeout 10
aaa port-access authenticator 1/1 logoff-period 862400
aaa port-access authenticator 1/1 client-limit 32
aaa port-access authenticator active
aaa port-access mac-based 1/1 addr-limit 32
aaa port-access mac-based 1/1 addr-moves
aaa port-access 1/1 controlled-direction in
aaa port-access 1/1 mixed