Examples of Behaviors

Unreachable RADIUS server

A device, such as an IP phone or PC, goes to a RADIUS server and is unable to authentication. The authentication of the device is then applied to a Critical VLAN or a critical user-role.

Stack(config)# show port-ac clients

 Port Access Client Status

 Port 	Client Name 	MAC Address 		IPAddress 	User Role Type VLAN
 ----- ------------ ------------- ---------- --------- --------- 
 1/1 		b4b0178db6a2 b4b017-8db6a2			n/a       critical   MAC

Tagged critical role

When a critical-role has tagged VID and configured as voice, the port-connected to the MED device (IP phone) will be a tagged member of the voice VLAN. The switch will only support one tagged VLAN as critical. For clients with auto-VLAN-negotiation capabilities (MED devices), the switch sends the VLAN information in the “TIA TR-41 Committee – Network Policy” of the LLDP packet. If the MED device advertising is using CDP, the switch sends the VLAN information in the "VOIP VLAN Reply" field of CDP. The MED devices will use that VLAN to tag their traffic. To enable this VLAN advertisement in LLDP, we need to make the Critical VLAN as ‘voice’ VLAN.

For clients which send tagged traffic, switch can put them in Critical Tagged-VLAN:
  1. Create tagged VLAN.

  2. Make the tagged VLAN voice.

  3. Create a user-role.

  4. Make the tagged VLAN a member of the user-role.

  5. Make the user-role a critical user-role with the command aaa authorization user-role name <CRITICAL-VOICE> vlan-id-tagged <ID>

Stack(config)# show vlan 10
		VLAN ID : 10     
  Name : VLAN10                          
  Status : Port-based
  Voice : Yes
  Jumbo : No 
  Private VLAN : none     
  Associated Primary VID : none      
  Associated Secondary VIDs : none                                

  Port Information Mode     Unknown VLAN Status    
  ---------------- -------- ------------ ----------
  1/1              MACAUTH  Learn        Up        
  Overridden Port VLAN configuration

  ------ ------------
  1/1    MACAUTH  

show lldp info remote-device

If we execute show LLDP info remote, we can see that the phone has learned which tag to apply for traffic. if we run show lldp info remote, the results are as follows:

Stack(config)# show lldp info remote-device 1/1

LLDP Remote Device Information Detail

  Local Port   : 1/1
  ChassisType  : network-address     
  ChassisId    :                  
  PortType     : mac-address                                               
  PortId       : b4 b0 17 8d b6 a2                                         
  SysName      : AVX8DB6A2                       
  PortDescr    :                                                             
  Pvid         :                          

  System Capabilities Supported  : bridge, telephone
  System Capabilities Enabled    : bridge

  Remote Management Address
     Type    : ipv4

  MED Information Detail 
    EndpointClass          :Class3
    Media Policy Vlan id   :10
    Media Policy Priority  :6
    Media Policy Dscp      :46
    Media Policy Tagged    :True
    Poe Device Type        :PD
    Power Requested        :2.6 W
    Power Source           :From PSE
Run Packet Captures to show the switch advertising which VLAN phone to use or that the phone is advertising which VLAN to use.