Critical Voice VLAN Support

The Critical Voice VLAN Support feature directs phone traffic to the configured voice VLAN of a port if the authentication server becomes unreachable.

With normal network connectivity, when an IP phone successfully authenticates on a port, the authentication server directs the phone traffic to the voice domain of the port. If the authentication server becomes unreachable, IP phones cannot authenticate the phone traffic. In multidomain authentication (MDA) mode or multiauthentication mode, you can configure the Critical Voice VLAN Support feature to direct phone traffic to the configured voice VLAN of the port. The phone is authorized as an unknown domain. Both data and voice are enabled for the phone.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Critical Voice VLAN Support

  • Different VLANs must be configured for voice and data.

  • The voice VLAN must be configured on a device.

  • The Critical Voice VLAN Support feature does not support standard Access Control Lists (ACLs) on the switch port.

Information About Critical Voice VLAN Support

Critical Voice VLAN Support in Multidomain Authentication Mode

If a critical voice VLAN is deployed using an interface in multidomain authentication (MDA) mode, the host mode is changed to multihost and the first phone device is installed as a static forwarding entry. Any additional phone devices are installed as dynamic forwarding entries in the Host Access Table (HAT).

For further information about host modes, see the 802.1X Authentication Services Configuration Guide.

Note


If a critical port is already authorized and reauthentication occurs, the switch puts the port in the critical-authentication state in the current VLAN, which might be the one previously assigned by the RADIUS server.



Note


Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN is enabled on an 802.1X port, the features interact as follows: if all RADIUS servers are not available and if a client is connected to a critical port and was previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.


Critical Voice VLAN Support in Multiauthentication Mode

If the critical authentication feature is deployed in multiauthentication mode, only one phone device will be allowed and a second phone trying to authorize will trigger a violation.

The show authentication sessions command displays the critical voice client data. A critically authorized voice client in multiauthentication host mode will be in the “authz success” and “authz fail” state.


Note


If critical voice is required, then critical data should be configured too. Otherwise, the critical voice client will be displayed in the “authz fail” state while the voice VLAN will be open.


Critical Voice VLAN Support in a Service Template

On enterprise Edge (eEdge) devices, the critical access of phones is configured by activating a critical service template when the authentication server becomes unreachable. The voice feature plug-in registers with the Enterprise Policy Manager (EPM) by using an authentication, authorization, and accounting (AAA) voice attribute, and it allows unconditional access to the voice VLAN while the AAA services are unavailable.

To enable critical voice VLAN support, the critical authentication of phones must be configured using a combination of control policy rules and a service template.

When the authentication server is unavailable and the host is unauthorized, the AAA attribute device-traffic-type is not populated. The phone is authorized as an unknown domain, and both the data and voice VLAN are enabled for this device, allowing the device to handle voice traffic.

How to Configure Critical Voice VLAN Support

Configuring a Voice VLAN in a Service Template

Perform this task on a port to configure critical voice VLAN support using a service template.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    service-template template-name

    4.    vlan vlan-id

    5.    exit

    6.    service-template template-name

    7.    voice vlan

    8.    exit

    9.    class-map type control subscriber {match-all | match-any | match-none} control-class-name

    10.    match result-type [method {dot1x | mab | webauth}] result-type

    11.    match authorization-status {authorized | unauthorized}

    12.    exit

    13.    class-map type control subscriber {match-all | match-any | match-none} control-class-name

    14.    match result-type [method {dot1x | mab | webauth}] result-type

    15.    match authorization-status {authorized | unauthorized}

    16.    end


DETAILED STEPS
     Command or Action    Purpose
    Step 1 enable


    Example:
    Device> enable
    
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Device# configure terminal
    
     

    Enters global configuration mode.

     
    Step 3 service-template template-name


    Example:
    Device(config)# service-template SERVICE-TEMPLATE
     

    Defines a template that contains a set of service policy attributes to apply to subscriber sessions and enters service template configuration mode.

     
    Step 4 vlan vlan-id


    Example:
    Device(config-service-template)# vlan 116
     

    Assigns a VLAN to a subscriber session.

     
    Step 5 exit


    Example:
    Device(config-service-template)# exit
     

    Exits service template configuration mode and returns to global configuration mode.

     
    Step 6 service-template template-name


    Example:
    Device(config)# service-template CRITICAL-VOICE
     

    Defines a template that contains a set of service policy attributes to apply to subscriber sessions and enters service template configuration mode.

     
    Step 7 voice vlan


    Example:
    Device(config-service-template)# voice vlan
     

    Assigns a critical voice VLAN to a subscriber session.

     
    Step 8 exit


    Example:
    Device(config-service-template)# exit
     

    Exits service template configuration mode and returns to global configuration mode.

     
    Step 9 class-map type control subscriber {match-all | match-any | match-none} control-class-name


    Example:
    Device(config)# class-map type control subscriber match-all AAA-SVR-DOWN-UNAUTHD-HOST
     

    Creates a control class, which defines the conditions under which the actions of a control policy are executed and enters control class-map filter configuration mode.

     
    Step 10 match result-type [method {dot1x | mab | webauth}] result-type


    Example:
    Device(config-filter-control-classmap)# match result-type aaa-timeout
     

    Creates a condition that returns true based on the specified authentication result.

     
    Step 11 match authorization-status {authorized | unauthorized}


    Example:
    Device(config-filter-control-classmap)# match authorization-status unauthorized
     

    Creates a condition that returns true based on the authorization status of a session.

     
    Step 12 exit


    Example:
    Device(config-filter-control-classmap)# exit
     

    Exits control class-map filter configuration mode and returns to global configuration mode.

     
    Step 13 class-map type control subscriber {match-all | match-any | match-none} control-class-name


    Example:
    Device(config)# class-map type control subscriber match-all AAA-SVR-DOWN-AUTHD-HOST
     

    Creates a control class, which defines the conditions under which the actions of a control policy are executed and enters control class-map filter configuration mode.

     
    Step 14 match result-type [method {dot1x | mab | webauth}] result-type


    Example:
    Device(config-filter-control-classmap)# match result-type aaa-timeout
     

    Creates a condition that returns true based on the specified authentication result.

     
    Step 15 match authorization-status {authorized | unauthorized}


    Example:
    Device(config-filter-control-classmap)# match authorization-status authorized
     

    Creates a condition that returns true based on the authorization status of a session.

     
    Step 16 end


    Example:
    Device(config-filter-control-classmap)# end
     

    Exits control class-map filter configuration mode and returns to privileged EXEC mode.

     

    Activating Critical Voice VLAN

    Perform the following task to activate a critical voice VLAN that is configured on a service template.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    policy-map type control subscriber control-policy-name

      4.    event authentication-failure [match-all | match-first]

      5.    priority-number class {control-class-name | always} [do-all | do-until-failure | do-until-success]

      6.    action-number activate {policy type control subscriber control-policy-name | service-template template-name [aaa-list list-name] [precedence [replace-all]]}

      7.    action-number activate {policy type control subscriber control-policy-name | service-template template-name [aaa-list list-name] [precedence [replace-all]]}

      8.    action-number authorize

      9.    action-number pause reauthentication

      10.    exit

      11.    priority-number class {control-class-name | always} [do-all | do-until-failure | do-until-success]

      12.    action-number pause reauthentication

      13.    end


    DETAILED STEPS
       Command or Action    Purpose
      Step 1 enable


      Example:
      Device> enable
      
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example:
      Device# configure terminal
      
       

      Enters global configuration mode.

       
      Step 3 policy-map type control subscriber control-policy-name


      Example:
      Device(config)# policy-map type control subscriber cisco-subscriber
       

      Defines a control policy for subscriber sessions and enters control policy-map event configuration mode.

       
      Step 4 event authentication-failure [match-all | match-first]


      Example:
      Device(config-event-control-policymap)# event authentication-failure match-first
       

      Specifies the type of event that triggers actions in a control policy if all authentication events are a match and enters control policy-map class configuration mode.

       
      Step 5 priority-number class {control-class-name | always} [do-all | do-until-failure | do-until-success]


      Example:
      Device(config-class-control-policymap)# 10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure
       

      Specifies that the control class should execute the actions in a control policy, in the specified order, until one of the actions fails, and enters control policy-map action configuration mode.

       
      Step 6 action-number activate {policy type control subscriber control-policy-name | service-template template-name [aaa-list list-name] [precedence [replace-all]]}


      Example:
      Device(config-action-control-policymap)# 10 activate service-template SERVICE-TEMPLATE
       

      Activates a control policy associated with the VLAN on a subscriber session.

       
      Step 7 action-number activate {policy type control subscriber control-policy-name | service-template template-name [aaa-list list-name] [precedence [replace-all]]}


      Example:
      Device(config-action-control-policymap)# 20 activate service-template CRITICAL-VOICE
       

      Activates a control policy associated with the voice VLAN on a subscriber session.

       
      Step 8 action-number authorize


      Example:
      Device(config-action-control-policymap)# 30 authorize
       

      Initiates the authorization of a subscriber session.

       
      Step 9 action-number pause reauthentication


      Example:
      Device(config-action-control-policymap)# 40 pause reauthentication
       

      Pauses the reauthentication process after an authentication failure.

       
      Step 10 exit


      Example:
      Device(config-action-control-policymap)# exit
       

      Exits control policy-map action configuration mode and enters control policy-map class configuration mode.

       
      Step 11 priority-number class {control-class-name | always} [do-all | do-until-failure | do-until-success]


      Example:
      Device(config-class-control-policymap)# 20 class AAA-SVR-DOWN-AUTHD-HOST
       

      Specifies that the control class should execute the actions in a control policy, in the specified order, until one of the actions fails, and enters control policy-map action configuration mode.

       
      Step 12 action-number pause reauthentication


      Example:
      Device(config-action-control-policymap)# 10 pause reauthentication
       

      Pauses the reauthentication process after an authentication failure.

       
      Step 13 end


      Example:
      Device(config-action-control-policymap)# end
       

      Exits control policy-map action configuration mode and enters privileged EXEC mode.

       

      Configuration Examples for Critical Voice VLAN Support

      Example: Configuring a Voice VLAN in a Service Template

      Device> enable
      Device# configure terminal
      Device(config)# service-template SERVICE-TEMPLATE
      Device(config-service-template)# vlan 116
      Device(config-service-template)# exit
      Device(config)# service-template CRITICAL-VOICE
      Device(config-service-template)# voice vlan
      Device(config-service-template)# exit
      Device(config)# class-map type control subscriber match-all AAA-SVR-DOWN-UNAUTHD-HOST
      Device(config-filter-control-classmap)# match result-type aaa-timeout
      Device(config-filter-control-classmap)# match authorization-status unauthorized
      Device(config-filter-control-classmap)# exit
      Device(config)# class-map type control subscriber match-all AAA-SVR-DOWN-AUTHD-HOST
      Device(config-filter-control-classmap)# match result-type aaa-timeout
      Device(config-filter-control-classmap)# match authorization-status authorized
      Device(config-filter-control-classmap)# end
      

      Example: Activating a Critical Voice VLAN on a Service Template

      Device> enable
      Device# configure terminal
      Device(config)# policy-map type control subscriber cisco-subscriber
      Device(config-event-control-policymap)# event authentication-failure match-first
      Device(config-class-control-policymap)# 10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure
      Device(config-action-control-policymap)# 10 activate service-template SERVICE-TEMPLATE
      Device(config-action-control-policymap)# 20 activate service-template CRITICAL-VOICE
      Device(config-action-control-policymap)# 30 authorize
      Device(config-action-control-policymap)# 40 pause reauthentication
      Device(config-action-control-policymap)# exit
      Device(config-class-control-policymap)# 20 class AAA-SVR-DOWN-AUTHD-HOST
      Device(config-action-control-policymap)# 10 pause reauthentication
      Device(config-action-control-policymap)# end
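
An added example, not part of the Cisco documentation: a Python pre-deployment check for the service-template and control-policy configuration shown above. It flags a control class that activates critical voice without critical data (the Note under multiauthentication mode) and a data VLAN that matches, or a port that lacks, a voice VLAN (the Restrictions). The interface name, VLAN 120, and the treatment of a reused action number as replacing the earlier action are assumptions.

```python
import re

def parse(cfg):  # collect service templates, per-class activations, port voice VLANs
    templates, classes, voice_vlans = {}, {}, set()
    tmpl = cls = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"service-template (\S+)$", line):
            tmpl, cls = templates.setdefault(m[1], []), None
        elif m := re.match(r"\d+ class (\S+)", line):
            cls, tmpl = classes.setdefault(m[1], []), None
        elif (m := re.match(r"(\d+) activate service-template (\S+)", line)) and cls is not None:
            cls.append((int(m[1]), m[2]))
        elif m := re.match(r"switchport voice vlan (\d+)$", line):
            voice_vlans.add(int(m[1]))
        elif tmpl is not None and re.match(r"(voice vlan|vlan \d+)$", line):
            tmpl.append(line)
        elif line and not raw[0].isspace():
            tmpl = cls = None  # any other top-level command closes the block
    return templates, classes, voice_vlans

def audit(cfg):  # findings for every control class that activates critical voice
    templates, classes, voice_vlans = parse(cfg)
    findings = []
    for name, actions in classes.items():
        slots = dict(actions)  # assumption: a reused action number replaces the earlier line
        if len(slots) < len(actions):
            findings.append(f"{name}: action number reused, earlier activation is lost")
        body = [l for t in slots.values() for l in templates.get(t, [])]
        if "voice vlan" not in body:
            continue
        data = {int(l.split()[1]) for l in body if l.startswith("vlan ")}
        checks = [(not data, "critical voice without critical data"),
                  (not voice_vlans, "no port has a voice VLAN configured"),
                  (data & voice_vlans, "voice and data use the same VLAN")]
        findings += [f"{name}: {msg}" for bad, msg in checks if bad]
    return findings

# Constructed sample: names follow the page's examples; VLAN 120 and the port are assumed.
GOOD = """\
service-template SERVICE-TEMPLATE
 vlan 116
service-template CRITICAL-VOICE
 voice vlan
policy-map type control subscriber cisco-subscriber
 event authentication-failure match-first
  10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure
   10 activate service-template SERVICE-TEMPLATE
   20 activate service-template CRITICAL-VOICE
   30 authorize
interface GigabitEthernet1/0/1
 switchport voice vlan 120
"""
```

`audit(GOOD)` returns an empty list; the input is plain configuration text, so strip the `Device(config...)#` prompts from a session transcript before passing it in.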
      

      Additional References for Critical Voice VLAN Support

      Related Documents

      Related Topic                                        Document Title
      Cisco IOS commands                                   Cisco IOS Master Command List, All Releases
      Cisco Identity-Based Networking Services commands    Cisco IOS Identity-Based Networking Services Command Reference

      Standards and RFCs

      Standard/RFC    Title
      IEEE 802.1X     Port based Network Access Control

      Feature Information for Critical Voice VLAN Support

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Table 1 Feature Information for Critical Voice VLAN Support

      Feature Name: Critical Voice VLAN Support

      Releases: Cisco IOS XE Release 3.3SE

      Feature Information: This feature enables critical voice VLAN support, which puts phone traffic into the configured voice VLAN of a port if the authentication server becomes unreachable.

      In Cisco IOS XE 3.3SE, this feature is supported on the following platforms:
      • Cisco 5700 Series Wireless LAN Controllers

      • Cisco Catalyst 3650 Series Switches

      • Cisco Catalyst 3850 Series Switches

      • Cisco Catalyst 4500E Supervisor Engine 7L-E

      The following command was added or modified: voice vlan