Fail-open VLAN for voice

Started by config t, June 15, 2022, 07:58:32 PM


config t

Doing a dot1x deployment with one of my customers and we are going to implement a fail-open VLAN for essential voice. I have never had to configure this before, so I'm reaching out to see if there are any considerations or gotchas I'm unaware of. These are mostly Cisco 3850s.

Here is the interface config I am planning to use on the 3850s:

switchport access vlan X
switchport mode access
switchport voice vlan X
carrier-delay msec 0
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation replace
authentication event server dead action authorize voice
mab
dot1x pae authenticator


There is no dynamic VLAN assignment yet, so authenticated devices will fall into the VLAN configured on the port. I believe this configuration will have the desired effect of force-authorizing the phones in case of a RADIUS dead event.

Please don't mistake my experience for intelligence.

deanwebb

That should work, it's a voice vlan with mab, should be good to go. You can still issue a dot1x RADIUS-REJECT or CoA to change access, if needed.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
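
An added example, not part of either post: a short Python audit that checks saved interface stanzas for lines from the config posted above, so that 802.1X/MAB ports missing the dead-server voice authorization or a voice VLAN are found before a RADIUS outage rather than during one. The function names, interface names and VLAN IDs are assumptions made for the illustration.

```python
import re

# Per-port lines taken from the interface config posted in the thread.
REQUIRED = ("authentication host-mode multi-domain", "mab",
            "authentication event server dead action authorize voice")

# Constructed sample: interface names and VLAN IDs are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication event server dead action authorize voice
 mab
!
interface GigabitEthernet1/0/2
 authentication host-mode multi-domain
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/48
 switchport mode trunk
"""

def parse_interfaces(text):
    """Split IOS-style config text into {interface name: [commands]}."""
    ports, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = ports.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw[:1] in (" ", "\t") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return ports

def audit(text):
    """Return {interface: [missing lines]} for ports running 802.1X/MAB."""
    report = {}
    for name, cmds in parse_interfaces(text).items():
        if "authentication port-control auto" not in cmds:
            continue  # not an authenticated access port, out of scope
        missing = [c for c in REQUIRED if c not in cmds]
        if not any(re.fullmatch(r"switchport voice vlan \d+", c) for c in cmds):
            missing.append("switchport voice vlan <id>")
        if missing:
            report[name] = missing
    return report
```

Calling `audit()` on the text of a saved running-config returns only the ports that deviate from the template; trunk and other unauthenticated ports are skipped.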