04-14-2015 07:50 AM
I've been struggling with this issue for a while now and cannot seem to find where the problem lies.
A basic overview of the infrastructure looks like this...
Cisco 4507 core switch with an ip helper on VLAN 158 (phone vlan) > trunk to Cisco 2960S in IDF > trunk to Aruba MAS 3500 > 9971 on access port and a PC daisy chained through the phone.
The PC gets DHCP IP immediately, but the phone takes a full 5 minutes. If the phone is connected directly to the Cisco 2960S it gets an IP via DHCP immediately.
The port config on the MAS 3500:
interface gigabitethernet "0/0/1"
no trusted port
VLAN 250 is our default insecure VLAN and we use ClearPass to authenticate and authorize anything that connects to the switch. The AAA profile is assigning the proper phone role and I can see all of that happening via Access Tracker. It's just taking a full 5 minutes every single time a phone needs an IP via DHCP.
I have a helper set up in the MAS 3500, but I don't see where or how I am supposed to apply that to a VLAN or interface.
interface-profile dhcp-relay-profile "Helper"
What am I missing?
04-20-2015 11:01 AM
Let me restate to confirm the connectivity:
Phone is connected to port 0/0/1 of MAS, and PC is daisy chained behind the phone?
* To prevent the device from obtaining an IP from any of the intermediate VLAN(s), under aaa-profile (applied to target switch interface), enable the 'preauth' knob as well. This will basically hold the DHCP offer from reaching the device till complete authentication is done and the final VLAN is assigned. With that, the device can get an IP from the proper subnet of the final VLAN.
(MAS) (config) #aaa profile <XYZ>
(MAS) (AAA Profile "<XYZ>") #preauth
Post authentication, phone lands in which vlan?
Meaning, is CPPM configured to offer any specific VLAN (phone VLAN, etc..) along with policy (role/ACLs) details?
To apply DHCP relay on MAS, drop to that final VLAN interface config stanza
(MAS)(config) #interface vlan <XXX>
(MAS)(vlan "<XXX>") #dhcp-relay-profile <Helper-profile>
If no additional VLAN is offered post authentication, then the port will remain in the switching-profile defined VLAN (here "vlan250"). Hence apply the DHCP helper profile under 'interface vlan 250'.
04-20-2015 11:38 AM - edited 04-20-2015 11:39 AM
The PC is daisy chained to the phone, correct.
The PC gets the proper IP and VLAN assignment via ClearPass immediately without issue, so there is no problem with the computers daisy chained to the phones.
The phone is getting its proper phone role and VLAN, which I can see in Access Tracker. I have the VLAN also specified in the role in the MAS and I have the proper helper IP in the helper profile and that profile is applied to the VLAN interface.
The problem is that the phone itself takes a full 5 minutes to get its IP.