Occasional Contributor II

Cisco wired Avaya phone problem

Dears

Currently I am conducting a PoC on ClearPass and a Cisco switch, and we are facing some problems with authentication.

We are basically doing dot1x using AD for PCs and MAC auth for the IP phones (Avaya).

We have two services, one for dot1x and one for MAC auth.

We have set up the Cisco switch configuration for multi-auth, MAB and CoA, and everything looks fine.

Also the port is set to a voice VLAN and an access VLAN (data).

When a PC connects it is by default in the data VLAN, and when it's authenticated the CPPM returns another VLAN, which is the internet and intranet VLAN, and it's authenticated.

When an IP phone connects, it authenticates using MAC auth and the CPPM returns cisco-device-class=voice (or something like that), and the IP phone is successfully connected to the voice VLAN. The problem is the phone cannot get its DHCP...

Although if I configure the port without any authentication (dot1x or MAC auth) and I set up the port for a voice VLAN and an access VLAN, the phone connects and gets its IP normally via DHCP.

I have configured lldp run.

The customer is reluctant to configure anything QoS, although I doubt it would cause this problem.

The enforcement profile for the phone contains the VLAN assignment plus Cisco device traffic, and I tried another one where it returns only Cisco device traffic, and it gave the IP phone its VLAN even faster.

 

I have rules in enforcement policies based on device category and they're all working fine; the phones and PCs are all profiled, and even printers worked fine and were profiled.

I have configured IP helper addresses of course (the phone gets an IP address on an unauthenticated port).

I can't think of anything that may cause this problem except some specific commands on the switch's port or a special VSA that needs to be sent from the ClearPass that I can't find anywhere...

So please, urgent help is needed and appreciated.

P.S. I didn't open a case because they take too long; I'm still awaiting a reply since 2 days ago about a failure to profile a Sun thin client, so I matched based on MAC vendor, and I still haven't received any replies.

Cisco switch model is 3750 PoE 48 ports, version 15.0.2SE.

ClearPass is 6.5 on an evaluation VM.

 

Guru Elite

Re: Cisco wired Avaya phone problem

Are you working with an Aruba partner on the PoC?

Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Cisco wired Avaya phone problem

Actually, we are an Aruba partner.

Guru Elite

Re: Cisco wired Avaya phone problem

What is your 802.1X timeout?

Can you post the configuration from one of your ports?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Cisco wired Avaya phone problem

interface GigabitEthernet1/0/2   ! or any port that you want to be authenticated
 description HOST-PORT
 switchport access vlan 250
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 109
 speed auto
 duplex full
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode multi-auth
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-reauth-req 3
 spanning-tree portfast
 spanning-tree bpduguard enable
!

Re: Cisco wired Avaya phone problem

You say it connects correctly to the voice VLAN; how do you know it does when DHCP afterwards doesn't work? Did you do a packet capture on the port? Do you see DHCP discovers being sent?

Do you only send that extra "=voice" option? Because I don't believe you can actually send the voice VLAN; if you send a VLAN assignment in the accept packet it will set the data VLAN.

Occasional Contributor II

Re: Cisco wired Avaya phone problem

I know it connects to the voice VLAN because the phone says it's in VLAN 102, which is the voice VLAN. It starts with VLAN 0, then after the CPPM sends its VLAN it goes to VLAN 102. I have tried sending an enforcement policy with device-traffic-class=voice plus VLAN assignment, and just device-traffic-class=voice without VLAN assignment, and they both have placed it in its VLAN.

Then the IP phone's LCD says it's doing DHCP requests, and it keeps increasing a counter until 60 seconds and then fails to get its IP and reboots...

When I connect the phone to a normal port with just this config:

switchport access vlan 2
switchport voice vlan 102
switchport mode access

the IP phone gets its IP in just 3 seconds, as well as the VLAN.

I haven't done a packet capture yet.

Also, when I do "show vlan" on the Cisco switch I see the phone's port in both the voice VLAN and the data VLAN (a PC is also connected).

 

Re: Cisco wired Avaya phone problem

What do you get when you do: show authentication sessions

You are running a new version so it might be different, but with the 12.x versions I'm quite sure that you can't set the voice VLAN, and if your earlier posted config is correct and you set the voice VLAN there, then that is what is going to be used, I believe.

Occasional Contributor II

Re: Cisco wired Avaya phone problem

I don't have the output with me right now, but it shows success or authenticated.

Also on the Access Tracker I get success and no alerts, and everything is just as it should be, except the IP phone got no IP address.

Re: Cisco wired Avaya phone problem

The domain part is what interests me.

ClearPass will show a success when authentication passes and it is able to send the accept to the switch. It doesn't check whether the things you send to the switch make sense to the switch or not.

This is something you will have to debug on the switch side. Look up the dot1x debug commands and see if the switch mentions it doesn't like something you send.
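The "Domain" field the reply above asks about is the quickest switch-side check for this class of problem: on a multi-auth port each authorized MAC ends up in either the DATA or the VOICE domain, and a phone that the switch has placed in DATA (because the Access-Accept carried a VLAN but no voice traffic-class) will be switching on the wrong VLAN no matter what the phone's display says. The script below is an added example, not code from the thread or from Aruba or Cisco. It parses `show authentication sessions interface ... details` output in the classic IOS 15.0 layout (the sample output is constructed to resemble that layout, not captured from the poster's switch), and flags any MAC from a configured set of phone OUIs that is authorized but not in the VOICE domain. The Avaya OUI `00:04:0d` used in the sample is an assumption for illustration.

```python
"""Check which authentication domain (DATA/VOICE) each MAC landed in.

Added example for the thread above. Parses classic IOS 'show authentication
sessions interface <if> details' output and reports phones that were
authorized into the DATA domain instead of VOICE.
"""
import re

# Constructed sample output (IOS 15.0 classic layout): an Avaya-OUI phone that
# got "Vlan Policy: 102" but landed in the DATA domain, and a PC on the same
# multi-auth port. Field names follow the real CLI; values are made up.
SAMPLE_OUTPUT_BAD = """\
            Interface:  GigabitEthernet1/0/2
          MAC Address:  0004.0d12.3456
           IP Address:  Unknown
            User-Name:  00-04-0d-12-34-56
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  102
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0000010000000A0001A2B3
      Acct Session ID:  0x00000012
               Handle:  0x1A00000A

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

            Interface:  GigabitEthernet1/0/2
          MAC Address:  3c97.0e11.2233
           IP Address:  Unknown
            User-Name:  user01@corp.example
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  250
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0000010000000B0001A2B4
      Acct Session ID:  0x00000013
               Handle:  0x2B00000B

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

# Same port after the phone is authorized into the VOICE domain (constructed):
# the switch then shows no VLAN policy for it and uses the configured voice VLAN.
SAMPLE_OUTPUT_GOOD = SAMPLE_OUTPUT_BAD.replace(
    "Domain:  DATA\n", "Domain:  VOICE\n", 1
).replace("Vlan Policy:  102\n", "Vlan Policy:  N/A\n", 1)

# Assumed phone OUI (Avaya) for the demonstration; supply your own set in practice.
ASSUMED_PHONE_OUIS = {"00:04:0d"}

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*?)\s*$")


def normalize_mac(mac):
    """Turn Cisco dotted form (0004.0d12.3456) into colon form (00:04:0d:12:34:56)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_auth_sessions(output):
    """Return one dict per session; a new session starts at each 'Interface:' line.

    Lines without 'key: value' shape (method table, separators) are ignored, as
    are keys with an empty value such as 'Runnable methods list:'.
    """
    sessions, current = [], None
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Interface":
            current = {}
            sessions.append(current)
        if current is not None and value:
            current[key] = value
    return sessions


def check_phone_domains(output, phone_ouis):
    """One finding per phone MAC: ok only if the switch authorized it into VOICE."""
    ouis = {o.lower() for o in phone_ouis}
    findings = []
    for s in parse_auth_sessions(output):
        if "MAC Address" not in s:
            continue
        mac = normalize_mac(s["MAC Address"])
        if mac[:8] not in ouis:
            continue  # not a phone by OUI; PCs are out of scope here
        domain = s.get("Domain", "UNKNOWN")
        findings.append({
            "interface": s.get("Interface"),
            "mac": mac,
            "status": s.get("Status"),
            "domain": domain,
            "vlan_policy": s.get("Vlan Policy"),
            "ok": domain == "VOICE",
        })
    return findings


if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_OUTPUT_BAD), ("good", SAMPLE_OUTPUT_GOOD)):
        for f in check_phone_domains(text, ASSUMED_PHONE_OUIS):
            verdict = "OK" if f["ok"] else "PHONE IN DATA DOMAIN, check Access-Accept attributes"
            print(f"[{label}] {f['interface']} {f['mac']} domain={f['domain']} "
                  f"vlan_policy={f['vlan_policy']}: {verdict}")
```

Run it against a pasted capture of `show authentication sessions interface GigabitEthernet1/0/2 details` by replacing the constructed sample. A phone reported as `Authz Success` but `Domain: DATA` with a `Vlan Policy` set is exactly the case the reply describes: ClearPass logged a success, the switch accepted the VLAN, and the phone is being switched as a data host.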
