Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

What is the configuration to allow access and voice vlans

  • 1.  What is the configuration to allow access and voice vlans

    Posted Nov 30, 2022 02:26 PM
    Hello,
    Please, I need to know the configuration that should be applied on a switch port to allow access and voice VLANs on the same port for Cisco Catalyst 9200 & 2960.

    Appreciate your help

    Thanks


  • 2.  RE: What is the configuration to allow access and voice vlans

    MVP GURU
    Posted Nov 30, 2022 05:04 PM
    interface FastEthernet0/1
    description VoIP-Phone-Port-with-PC
    switchport mode access
    switchport voice vlan 200
    authentication event fail action next-method
    authentication event server dead action authorize vlan 1
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority mab dot1x
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout server-timeout 30
    dot1x timeout tx-period 10
    dot1x max-req 3
    dot1x max-reauth-req 10
    spanning-tree portfast


  • 3.  RE: What is the configuration to allow access and voice vlans

    Posted Nov 30, 2022 05:45 PM
    Hi DB86
    Thank you for your reply
    I need to authenticate the phone with MAC, so I think if I added the command "switchport voice vlan 200" the phone will be assigned the VLAN directly.

    Thanks


  • 4.  RE: What is the configuration to allow access and voice vlans

    MVP GURU
    Posted Nov 30, 2022 05:46 PM
    Yea you can always send back a voice VLAN via RADIUS which will override that.

    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 5.  RE: What is the configuration to allow access and voice vlans

    Posted Nov 30, 2022 05:57 PM
    To send the voice VLAN via RADIUS, are the following commands correct or not?

    interface GigabitEthernet1/0/2
    switchport mode access
    switchport voice vlan 300
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout server-timeout 5
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 10
    dot1x max-req 10
    dot1x max-reauth-req 10
    spanning-tree portfast
    spanning-tree guard root

    Thanks


  • 6.  RE: What is the configuration to allow access and voice vlans

    MVP GURU
    Posted Nov 30, 2022 06:19 PM
    What are you using for a RADIUS Server?




  • 7.  RE: What is the configuration to allow access and voice vlans

    Posted Nov 30, 2022 06:31 PM
    We are using Aruba CPPM and need to authenticate the phone with MAC.


  • 8.  RE: What is the configuration to allow access and voice vlans

    MVP GURU
    Posted Nov 30, 2022 08:12 PM
    Send this additional value back with the VLAN assignment for the voice VLAN.


    And this for assigning the VLAN






  • 9.  RE: What is the configuration to allow access and voice vlans

    Posted Dec 01, 2022 06:15 AM
    Should I write "device-traffic-class-voice" manually, as it's not shown in the drop-down list?

    Thanks


  • 10.  RE: What is the configuration to allow access and voice vlans

    Posted Dec 01, 2022 07:34 AM
    ClearPass is sending the request back to a Cisco switch; you can add the parameter as free text.




  • 11.  RE: What is the configuration to allow access and voice vlans

    MVP GURU
    Posted Dec 01, 2022 12:20 PM
    Yes, enter it manually. device-traffic-class=voice. You were missing the =.




  • 12.  RE: What is the configuration to allow access and voice vlans

    Posted Dec 09, 2022 04:58 AM
    Hello Dustin,

    It's working after adding device-traffic-class=voice. Should I add switchport voice vlan 200 to the port configuration, as it does not authenticate without adding it?

    -Without adding Switchport voice vlan 200

    -With adding Switchport voice vlan 200


    Thanks


  • 13.  RE: What is the configuration to allow access and voice vlans

    EMPLOYEE
    Posted Dec 01, 2022 05:31 PM
    Hey Dustin,

    When ClearPass sends back "device-traffic-class=voice", do you still need to send back a "tunnel-private-group-id" RADIUS attribute?

    Looking at the Cisco switch config, it already has "switchport voice vlan 200" for that interface.
    So when ClearPass sends back "device-traffic-class=voice", that should tell the switch to put it on VLAN 200. Right?
    Do you need to send back "tunnel-private-group-id"?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------
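The reply attributes discussed in posts 8 to 11 and 13, as an added Python example that is not part of the thread: a lint for the attribute list of an enforcement profile that catches the missing `=` from post 9 and an incomplete VLAN attribute set. `lint_voice_reply` and the sample replies are constructed; the tunnel attributes are the standard RADIUS VLAN-assignment set, assumed here because the thread's screenshots are not available.

```python
import re

VOICE_AVPAIR = "device-traffic-class=voice"
# Standard RADIUS dynamic-VLAN attributes (RFC 3580); the "(n)" forms are an
# assumption about how a policy server UI may display the enumerated values.
VLAN_ENUMS = {
    "Tunnel-Type": {"VLAN", "13", "VLAN (13)"},
    "Tunnel-Medium-Type": {"IEEE-802", "6", "IEEE-802 (6)"},
}

def lint_voice_reply(attrs):
    """attrs: list of (name, value) pairs from an enforcement profile.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    avpairs = [v.strip() for n, v in attrs if n.lower() == "cisco-avpair"]
    if VOICE_AVPAIR not in avpairs:
        # Same letters but wrong punctuation, e.g. '-' typed instead of '='
        near = [v for v in avpairs
                if re.sub(r"[^a-z]", "", v.lower()) == "devicetrafficclassvoice"]
        if near:
            findings.append(f"malformed voice AV pair {near[0]!r}; expected {VOICE_AVPAIR!r}")
        else:
            findings.append(f"no {VOICE_AVPAIR} AV pair; switch treats the phone as a data device")
    tunnel = {n: v.strip() for n, v in attrs if n.startswith("Tunnel-")}
    if tunnel:  # a VLAN is being assigned: the whole attribute set must be present
        for name, allowed in VLAN_ENUMS.items():
            if tunnel.get(name) not in allowed:
                findings.append(f"{name} is {tunnel.get(name)!r}; expected one of {sorted(allowed)}")
        if not tunnel.get("Tunnel-Private-Group-ID"):
            findings.append("Tunnel-Private-Group-ID missing; no VLAN is named")
    return findings

# Constructed sample replies; VLAN 200 mirrors 'switchport voice vlan 200' in the thread.
TYPO_REPLY = [("Cisco-AVPair", "device-traffic-class-voice"),
              ("Tunnel-Type", "VLAN (13)"),
              ("Tunnel-Medium-Type", "IEEE-802 (6)"),
              ("Tunnel-Private-Group-ID", "200")]
FIXED_REPLY = [("Cisco-AVPair", VOICE_AVPAIR)] + TYPO_REPLY[1:]

if __name__ == "__main__":
    for name, reply in [("typo", TYPO_REPLY), ("fixed", FIXED_REPLY)]:
        print(name, lint_voice_reply(reply) or "ok")
```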