If you find my comment helpful, KUDOS are appreciated.
Original Message:
Sent: May 21, 2025 01:54 AM
From: Owais101
Subject: Cisco Switch Voice Vlan
In your environment, are you assigning different VLANs to IP phones and different VLANs to PCs, like 1001 to the IP phone and 200 to the PC on the same port, using multi-auth?
Original Message:
Sent: 5/21/2025 1:50:00 AM
From: shpat
Subject: RE: Cisco Switch Voice Vlan
In my environment, we have authentication host-mode multi-domain, and we implemented unmanaged switches behind the port (which is not recommended in most cases) where we had two/three IP phones with PCs connecting behind them (so a total of 4-8 devices), and it worked without any issue.
In the Cisco C1000 guideline it states that:
- Multi-auth mode should be configured to allow devices behind a hub to obtain secured port access through individual authentication. Only one voice device can be authenticated in this mode if a voice VLAN is configured.
- Multi-domain mode should be configured if data host is connected through an IP phone to the port. Multi-domain mode should be configured if the voice device needs to be authenticated.
- Multi-host mode also offers port access for multiple hosts behind a hub, but multi-host mode gives unrestricted port access to the devices after the first user gets authenticated.
So in your case, try Multi-Auth and/or Multi-Domain, because it depends on what type of IP phone you are using and how it behaves.
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
Original Message:
Sent: May 21, 2025 01:44 AM
From: Owais101
Subject: Cisco Switch Voice Vlan
Dear Shpat,
I understand now and just wanted to make sure we are on the same page.
If I am using host-mode multi-domain, then there will be only 1 device in the voice VLAN and 1 device in the data VLAN. Since I have a laptop connected to the IP phone, I cannot assign a data VLAN to the IP phone, because then the laptop will not authenticate (1 device per domain). If I change the host-mode to multi-auth, I cannot assign different VLANs to different devices connecting to the data domain. I am not sure if it's changed in the C1000, but I was testing in my lab with a 3560 and I found some documentation stating exactly that.
I also saw Herman's post suggesting using normal VLANs instead of the Voice VLAN; I liked the idea, but then I am not able to assign a different VLAN to the IP phone and a different VLAN to the laptop if I am using host-mode multi-auth.
Best Regards
Owais Iqbal
CCIE#37956 | ACDX
Technical Consultant - Aruba Networks
Mob/Whatsapp: +92-321-2960496
Original Message:
Sent: 5/21/2025 1:36:00 AM
From: shpat
Subject: RE: Cisco Switch Voice Vlan
Explaining it in a simple way, a Voice VLAN is like any other VLAN, but with it you have the tagging, which enables QoS, and you can also make the switch put voice devices (if the switch can detect that it is a voice device) through the voice VLAN.
If you want to create a Voice VLAN, let's say VLAN 1000, but you don't want to have the configuration on the port (switchport voice vlan 1000), then you need to send the attributes Tunnel-Type = VLAN (13) & Tunnel-Medium-Type = IEEE-802 (6) & Tunnel-Private-Group-Id = 1000, and you will make sure that VLAN 1000 is enforced only for voice devices which are profiled/role-mapped and enforced from ClearPass.
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
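As an added illustration of the attributes shpat lists above (constructed example code, not ClearPass, Cisco or the poster's own), the following Python builds and parses the RFC 2868 tunnel attributes and the Cisco-AVPair Vendor-Specific attribute in RADIUS wire format, so you can see exactly what bytes an Access-Accept carrying "VLAN 1000" or "device-traffic-class=voice" contains. The attribute numbers (64, 65, 81, 26), the Cisco vendor ID 9 and vendor-type 1 are the standard public values; the tag value 0 and the sample VLAN 1000 are assumptions matching the post.

```python
"""Encode and decode the RADIUS attributes used for dynamic VLAN / voice enforcement.

Constructed example, not ClearPass or Cisco code. Formats follow RFC 2865
(Vendor-Specific) and RFC 2868 (tagged tunnel attributes).
"""
import struct

# RFC 2865 / RFC 2868 attribute type numbers
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # vendor-type of Cisco-AVPair inside the Cisco VSA

TUNNEL_TYPE_VLAN = 13       # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6       # Tunnel-Medium-Type = IEEE-802


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS AVP: Type (1) | Length (1, includes header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: Tag (1 octet) | 3-octet big-endian value."""
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_attributes(vlan: int, tag: int = 0) -> bytes:
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id=<vlan>."""
    return (
        _tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + _tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
        + _avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode())
    )


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific AVP carrying one Cisco-AVPair string, e.g. device-traffic-class=voice."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return _avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def decode(payload: bytes) -> dict:
    """Parse a concatenated attribute blob back into the fields a switch would act on."""
    out = {"cisco_avpairs": []}
    pos = 0
    while pos < len(payload):
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = payload[pos + 2:pos + length]
        pos += length
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            name = "tunnel_type" if attr_type == ATTR_TUNNEL_TYPE else "tunnel_medium_type"
            out[name] = int.from_bytes(value[1:], "big")      # skip the tag octet
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is data, not a tag
            out["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode()
        elif attr_type == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            vtype, vlen = value[4], value[5]
            if vtype == CISCO_AVPAIR:
                out["cisco_avpairs"].append(value[6:4 + vlen].decode())
    return out


if __name__ == "__main__":
    # The two enforcement profiles discussed in the thread (sample values)
    data_profile = vlan_attributes(1000)
    voice_profile = cisco_avpair("device-traffic-class=voice")
    print("data profile bytes :", data_profile.hex())
    print("voice profile bytes:", voice_profile.hex())
    print("decoded            :", decode(data_profile + voice_profile))
```

Running the decoder on a packet capture of the Access-Accept (or on the attribute bytes from a RADIUS test tool) is a quick way to confirm which of the two profiles ClearPass actually sent before touching the switch configuration.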
Original Message:
Sent: May 21, 2025 01:26 AM
From: Owais101
Subject: Cisco Switch Voice Vlan
Also, in your statement:
With Cisco 1000 (and I have implemented a lot of them) you either have to push a VLAN (without including device-traffic-class=voice), which will not be a voice VLAN, right? Or you need to push just the line device-traffic-class=voice (without pushing the VLAN).
Original Message:
Sent: 5/21/2025 12:27:00 AM
From: shpat
Subject: RE: Cisco Switch Voice Vlan
Yes, it will dynamically assign the Voice VLAN, if there is a Voice VLAN configured on the port.

What you are doing with this configuration is:
You are pushing VLAN 222
You are pushing device-traffic-class=voice (which means you are telling the switch that this device is for voice purposes, place it in the Voice VLAN)
However, in your configuration on the switch, the port has no Voice VLAN configured, therefore it won't place it in the Voice VLAN.
With Cisco 1000 (and I have implemented a lot of them) you either have to push a VLAN (without including device-traffic-class=voice) or you need to push just the line device-traffic-class=voice (without pushing the VLAN).
In addition, there are devices which do not understand the Voice VLAN (old Yealink phones, old Grandstream), with which I faced a lot of issues, where I had to adapt different enforcements. In such cases we only push the VLAN (and we do not push device-traffic-class=voice). This means that those devices are not understood as voice devices, and you need to put them in as data devices.
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Original Message:
Sent: May 21, 2025 12:20 AM
From: Owais101
Subject: Cisco Switch Voice Vlan
Dear Shpat
In my ClearPass profile, I am sending VLAN 222 with device-traffic-class=voice. Won't it dynamically assign the voice VLAN?
Original Message:
Sent: 5/21/2025 12:01:00 AM
From: shpat
Subject: RE: Cisco Switch Voice Vlan
If you push Cisco-AVPair = device-traffic-class=voice, the switch will search for the Voice VLAN.
Your configuration does not contain a Voice VLAN.
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 222
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 15
 dot1x max-reauth-req 1
So if you choose to go with the AVPair device-traffic-class=voice, you will need to configure the Voice VLAN on the port. If you don't want the Voice VLAN on the port, then all you need to do is remove the 6. Cisco-AVPair and that's it.
Additionally, you are using the IBNS 1.0 format. This is an old configuration format in Cisco which will soon be deprecated. I would recommend moving to IBNS 2.0 (if it's a Cisco 1000, it supports it). On IBNS 2.0 you would need to configure policy maps and then assign the policy map to the port. One example:
The port configuration:
interface range GigabitEthernet1/0/1-23
 switchport access vlan <default untrusted vlan>
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 222
 ip device tracking maximum <whatever number you need>
 authentication periodic
 authentication timer reauthenticate server
 access-session control-direction in
 access-session closed
 access-session port-control auto
 mab
 no macro auto processing
 dot1x pae authenticator
 dot1x timeout quiet-period 30
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 7
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast edge
 service-policy type control subscriber CLEARPASS_POLICY_MAP
 ip dhcp snooping limit rate 20
!
The Policy Configuration:
policy-map type control subscriber CLEARPASS_POLICY_MAP
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  40 class always do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event violation match-all
  10 class always do-until-failure
   10 restrict
 event authorization-failure match-all
  10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
   10 authentication-restart 60
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
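As an added example (constructed here, not Cisco, ClearPass or shpat's own code), the following Python turns the rules stated in this thread into a pre-change sanity check: device-traffic-class=voice only lands a device in the voice VLAN if the port actually has one (the situation in the original post), on the C1000 you push either the VLAN or the voice AVPair rather than both, and the host-mode limits quoted from the C1000 guideline (one device per domain in multi-domain, one voice device in multi-auth when a voice VLAN is configured, unrestricted access after the first host in multi-host) decide how many devices a port can carry. The Port and Enforcement names, the function names and the sample VLAN numbers are assumptions; the check reflects what the thread says, not the switch's own code path.

```python
"""Sanity-check a ClearPass enforcement against a Cisco port configuration.

Constructed example encoding the rules stated in this thread; it is not
Cisco or ClearPass code, and the class/function names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

VOICE_AVPAIR = "device-traffic-class=voice"


@dataclass
class Port:
    access_vlan: Optional[int]   # "switchport access vlan", None if not configured
    voice_vlan: Optional[int]    # "switchport voice vlan", None if not configured
    host_mode: str               # single-host | multi-domain | multi-auth | multi-host


@dataclass
class Enforcement:
    vlan: Optional[int] = None                          # Tunnel-Private-Group-Id pushed, if any
    avpairs: List[str] = field(default_factory=list)    # Cisco-AVPair strings pushed


def predict_placement(port: Port, enf: Enforcement) -> str:
    """Where an authenticated endpoint lands, or why the combination is wrong."""
    voice_flag = VOICE_AVPAIR in enf.avpairs
    if voice_flag and port.voice_vlan is None:
        # The original post: the AVPair says "voice" but the port has no voice VLAN to use
        return "misconfiguration: %s pushed but the port has no voice VLAN" % VOICE_AVPAIR
    if voice_flag and enf.vlan is not None:
        # Thread guidance for the C1000: push the VLAN or the voice AVPair, not both
        return "misconfiguration: push either the VLAN or %s, not both" % VOICE_AVPAIR
    if voice_flag:
        return "voice domain, VLAN %d" % port.voice_vlan
    if enf.vlan is not None:
        return "data domain, VLAN %d" % enf.vlan
    if port.access_vlan is None:
        return "data domain, port default access VLAN"
    return "data domain, VLAN %d" % port.access_vlan


def host_mode_issues(host_mode: str, voice_vlan_configured: bool,
                     voice_devices: int, data_devices: int) -> List[str]:
    """Limits of each host-mode as quoted from the C1000 guideline in this thread."""
    issues = []
    if host_mode == "multi-domain":
        if data_devices > 1:
            issues.append("multi-domain: only one data device per port")
        if voice_devices > 1:
            issues.append("multi-domain: only one voice device per port")
    elif host_mode == "multi-auth":
        if voice_vlan_configured and voice_devices > 1:
            issues.append("multi-auth: only one voice device is authenticated when a voice VLAN is configured")
    elif host_mode == "multi-host":
        if voice_devices + data_devices > 1:
            issues.append("multi-host: devices after the first get unrestricted access without authenticating")
    elif host_mode != "single-host":
        issues.append("unknown host-mode %r" % host_mode)
    return issues


if __name__ == "__main__":
    # The configuration and profile from the original post (access VLAN not shown there)
    op_port = Port(access_vlan=None, voice_vlan=None, host_mode="multi-domain")
    op_enf = Enforcement(vlan=222, avpairs=[VOICE_AVPAIR])
    print("original post :", predict_placement(op_port, op_enf))
    # Port with "switchport voice vlan 222" added and only the AVPair pushed
    fixed = Port(access_vlan=10, voice_vlan=222, host_mode="multi-domain")
    print("voice VLAN set:", predict_placement(fixed, Enforcement(avpairs=[VOICE_AVPAIR])))
    # One phone with one laptop behind it on a multi-domain port
    print("host-mode     :", host_mode_issues("multi-domain", True, 1, 1) or "ok")
```

Feeding the check with the real port configuration and the attributes seen in the RADIUS Access-Accept shows which of the two "either/or" enforcement styles you are actually using, and whether the host-mode on the port can carry the number of phones and PCs behind it.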
Original Message:
Sent: May 20, 2025 12:25 PM
From: Owais101
Subject: Cisco Switch Voice Vlan
Dear Experts,
We are trying to implement 802.1X using a Cisco switch (C1000). A laptop is connected to an IP phone (D-Link) and the IP phone is connected to the switchport. Below is the configuration on the Cisco switch. Please note that we want to dynamically assign the voice VLAN. If port assignment is mandatory, let me know.
interface FastEthernet0/1
 switchport mode access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 15
 dot1x max-reauth-req 1
On successful MAC authentication, we are sending this profile to the switch:

Currently, upon successful MAC auth, the IP phone is not registering to the PBX. The customer is already running LLDP/voice VLAN on other switches. This setup is for a ClearPass PoC.
Can someone point out if it's a configuration issue (ClearPass or switch)?
------------------------------
Owais101
------------------------------