I'm doing a dot1x deployment with one of my customers and we are going to implement a fail-open VLAN for essential voice. I have never had to configure this before, so I'm reaching out to see if there are any considerations or gotchas I'm unaware of. These are mostly Cisco 3850s.
Here is the interface config I am planning to use on the 3850s:
switchport access vlan X
switchport mode access
switchport voice vlan X
carrier-delay msec 0
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation replace
authentication event server dead action authorize voice
mab
dot1x pae authenticator
There is no dynamic VLAN assignment yet, so authenticated devices will fall into the VLAN configured on the port. I believe this configuration will have the desired effect of force-authorizing the phones in case of a RADIUS dead event.
That should work, it's a voice vlan with mab, should be good to go. You can still issue a dot1x RADIUS-REJECT or CoA to change access, if needed.
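An added example, not part of the thread above: a small Python check for rolling the posted template out across many ports. It parses saved running-config text and lists, for each dot1x port with a voice VLAN, which lines of the posted config are absent. The interface names, VLAN IDs and sample text are constructed, and treating the posted config as the required template is an assumption.

```python
# Sub-commands taken from the interface config posted in the thread.
TEMPLATE = (
    "authentication host-mode multi-domain", "mab", "dot1x pae authenticator",
    "authentication event server dead action authorize voice",
)

def parse_interfaces(config_text):
    """Split IOS-style config text into {interface: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a top-level command closes the block
    return interfaces

def audit_voice_ports(config_text):
    """Return {interface: [missing template lines]} for dot1x voice ports."""
    report = {}
    for name, cmds in parse_interfaces(config_text).items():
        voice = any(c.startswith("switchport voice vlan ") for c in cmds)
        # Ports without a voice VLAN or without port-control auto are out of scope.
        if voice and "authentication port-control auto" in cmds:
            report[name] = [t for t in TEMPLATE if t not in cmds]
    return report

# Constructed sample input (interface names and VLAN IDs are made up).
SAMPLE = """\
interface GigabitEthernet1/0/1
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication event server dead action authorize voice
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport voice vlan 20
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/3
 switchport mode trunk
"""

for port, missing in audit_voice_ports(SAMPLE).items():
    print(port, "missing:", missing or "nothing")
```

A port that reports the `authentication event server dead action authorize voice` line as missing is one where phones would not be fail-open during a RADIUS dead event.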