Hi All,
I'm looking at the possibility of using user-roles within some of our head office / depot switches. We already use these extensively within our store environment; however, the setup in stores is a little different.
Whilst most of my user roles work fine, I'm having some trouble on ports that have both a standard Windows PC attached and also a Mitel IP phone. In these circumstances we use a single data outlet with the PC attached to the thru port on the phone.
This setup works fine when user-roles are not enabled, with the data VLAN being untagged and the voice VLAN tagged as below and each device completing a successful 802.1x authentication.
interface 1/1
   name "Authenticated Port"
   tagged vlan 8
   untagged vlan 101
   aaa port-access authenticator
   aaa port-access authenticator client-limit 4
   aaa port-access mac-based
   aaa port-access controlled-direction in
   aaa port-access auth-order mac-based authenticator
   aaa port-access auth-priority authenticator mac-based
   spanning-tree admin-edge-port
   spanning-tree root-guard bpdu-protection
However, when I enable user-roles I get the following error message and one of the devices ends up in the denyall role.
I 06/10/20 16:50:41 00560 ports: ST2-CMDR: port 1/1 PD Detected.
I 06/10/20 16:50:41 00561 ports: ST2-CMDR: port 1/1 Applying Power to PD.
I 06/10/20 16:50:44 00435 ports: ST2-CMDR: port 1/1 is Blocked by AAA
I 06/10/20 16:50:44 00435 ports: ST2-CMDR: port 1/1 is Blocked by STP
I 06/10/20 16:50:44 00076 ports: ST2-CMDR: port 1/1 is now on-line
W 06/10/20 16:51:15 05800 dca: ST2-CMDR: Failed to apply user role 'ROLE-PHONE-WIRED' to 8021X client 08000F3985EC on port 1/1: device attribute is already applied on this port.
I've also tried amending the logic in CPPM to return the same role for each device, to no avail.
Essentially, I guess my question is: how do I configure a user-role to permit both devices as long as they are authenticated on the same port? Is this even possible? I presume it must be, as this isn't exactly an uncommon setup.
Thanks in advance,
Matt.