Hello all,
I've configured a 5406zl to perform 802.1x authentication. This works fine: if a device gets authenticated, the port will be assigned to a VLAN defined by the RADIUS and if authentication failes, the VLAN is set to 101 (the "guest VLAN").
Now I've added another VLAN (called VoIP) and enabled LLDP-MED for our IP-Phones. I plugged in one phone and it has full access to the VOIP-VLAN. But the phone as no valid 802.1x configuration.
Here is a part from the config, I used port B1
aaa authentication port-access eap-radius
aaa port-access authenticator B1-B12
aaa port-access authenticator B1-B12 unauth-vid 101
aaa port-access authenticator active
vlan 1
name "DEFAULT_VLAN"
no untagged B1-B12
untagged A1-A18,A21-A24,B13-B24,Trk77
ip address x.x.x.x 255.255.0.0
ip igmp
exit
vlan 9
name "VOIP"
tagged A1-A18,A21-A24,B1-B24,Trk77
no ip address
qos dscp 101110
voice
exit
vlan 101
name "Extern"
untagged B1-B12
tagged Trk77
no ip address
exit
The the authenticator state:
show port-access authenticator
Port Access Authenticator Status
Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Auths/ Unauth Untagged Tagged % In RADIUS Cntrl
Port Guests Clients VLAN VLANs Port COS Limit ACL Dir Port Mode
---- ------- ------- -------- ------ --------- ----- ------ ----- ----------
B1 0/1 0 101 Yes No No No both 100FDx
Any idea why the device has access to the VoIP-VLAN without authentication?
Regards,
FunnyDingo
