Wireless Access

MVP
Posts: 1,111
Registered: ‎10-11-2011

MAC Auth + LLDP + Phone, Problems

I have a Polycom CX600 Lync phone that is not getting correct IP/VLAN assignments when the port is untrusted.  When trusted, LLDP works and puts the phone in the proper VLAN.  However, I have to use a form of port security, so the port must be untrusted with MAC auth used by the Polycom phones.

As I said before, the phone works correctly when in untrusted mode, so I know LLDP profile and VOIP profile are configured correctly.  The only thing I've done differently is set the port to untrusted, removed the VOIP profile, added a MAC auth AAA policy with default MAC role (VOIP role that contains VOIP profile).  I've verified that the phone is passing MAC auth and obtaining the VOIP role.  However, the phone is still in the access VLAN and has an IP from that VLAN, rather than the VOIP VLAN.  Issuing the "show neighbor-devices phone" command results in a "-" being displayed under the Voice VLAN column, rather than a VLAN being displayed.  When the port was in trusted mode, it would show the voice VLAN #.

I'm not sure if I have an LLDP problem or a phone problem.  Any thoughts?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Aruba Employee
Posts: 1
Registered: ‎06-03-2013

Re: MAC Auth + LLDP + Phone, Problems

I have a few Cisco & Avaya phones which work fine with the configs you mentioned. But I do see an issue with one Avaya phone which sometimes doesn't send packets with the correct VLAN tag and gets an IP assigned from a different VLAN; a reboot of the phone solves the problem.
To troubleshoot this you may try the following:
1. Reboot the phone, enable/disable the PoE profile.
2. Check that "show mac-address-table" and "show user-table verbose" show the correct VLAN. This makes sure that the phone is classified under the correct VLAN and that the issue may be on the phone side.
3. You can do a packet capture on the port where the phone is connected and verify whether or not the MAS is sending the correct VLAN in the LLDP "Network Policy" TLV, and after that whether the phone is sending the DHCP request with the correct VLAN tag.

"show neighbor-devices" doesn't show the voice VLAN for me either, but the phone still gets an IP from the correct voice VLAN.

BTW, which AOS version are you using?
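Step 3 above is the one that actually separates a switch problem from a phone problem, so here is an added example of doing that check in code. It is not code from this thread or from Aruba: it takes raw Ethernet frames (what a port mirror of the phone port gives you) and reports whether the switch's LLDP-MED Network Policy TLV advertises the expected voice VLAN with the tagged flag set, and whether the phone's DHCP requests then carry that 802.1Q tag. The TLV layout is the LLDP-MED Network Policy format (TIA OUI 00-12-BB, subtype 4). The frames, MAC addresses and the port name in it are constructed sample data, with the voice VLAN set to 85 to match the VoIP profile posted later in the thread.

```python
"""Decode LLDP-MED Network Policy TLVs and 802.1Q tags from raw Ethernet frames.

Added example, not code from the thread or from Aruba. All frames, MAC addresses
and the port name are constructed sample data.
"""
import struct

ETHERTYPE_8021Q, ETHERTYPE_IPV4, ETHERTYPE_LLDP = 0x8100, 0x0800, 0x88CC
TIA_OUI = b"\x00\x12\xbb"   # OUI of the LLDP-MED (TIA) organizationally specific TLVs
MED_NETWORK_POLICY = 4      # LLDP-MED subtype: Network Policy
APP_VOICE = 1               # Network Policy application type: voice


def parse_ethernet(frame):
    """Return (vlan or None if untagged, ethertype, payload)."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETHERTYPE_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, etype, frame[18:]
    return None, etype, frame[14:]


def iter_lldp_tlvs(lldpdu):
    """Yield (type, value); each TLV header is 7 bits of type and 9 bits of length."""
    off = 0
    while off + 2 <= len(lldpdu):
        hdr = struct.unpack("!H", lldpdu[off:off + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x01FF
        value = lldpdu[off + 2:off + 2 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated LLDP TLV")
        yield ttype, value
        if ttype == 0:          # End of LLDPDU
            break
        off += 2 + tlen


def decode_network_policy(body):
    """Decode the 4-byte body: app(8) U(1) T(1) X(1) VLAN(12) L2 priority(3) DSCP(6)."""
    app, bits = body[0], int.from_bytes(body[1:4], "big")
    return {"app": app, "unknown": bool(bits >> 23 & 1), "tagged": bool(bits >> 22 & 1),
            "vlan": (bits >> 9) & 0x0FFF, "l2_priority": (bits >> 6) & 0x7, "dscp": bits & 0x3F}


def voice_policy(frame):
    """Return the decoded voice Network Policy from an LLDP frame, or None if absent."""
    _, etype, lldpdu = parse_ethernet(frame)
    if etype != ETHERTYPE_LLDP:
        return None
    for ttype, value in iter_lldp_tlvs(lldpdu):
        if ttype == 127 and len(value) >= 8 and value[:3] == TIA_OUI and value[3] == MED_NETWORK_POLICY:
            policy = decode_network_policy(value[4:8])
            if policy["app"] == APP_VOICE:
                return policy
    return None


def dhcp_client_vlan(frame):
    """Return (True, vlan) for a DHCP client->server datagram (UDP 68 -> 67), else (False, None)."""
    vlan, etype, ip = parse_ethernet(frame)
    if etype != ETHERTYPE_IPV4 or len(ip) < 28 or ip[9] != 17:
        return False, None
    ihl = (ip[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (sport == 68 and dport == 67), vlan


def check_capture(frames, expected_vlan):
    """Summarise what the switch advertised and which VLAN the phone used for DHCP."""
    policy = next((p for p in map(voice_policy, frames) if p), None)
    dhcp_vlans = [vlan for is_dhcp, vlan in map(dhcp_client_vlan, frames) if is_dhcp]
    switch_ok = policy is not None and policy["tagged"] and policy["vlan"] == expected_vlan
    phone_ok = bool(dhcp_vlans) and all(v == expected_vlan for v in dhcp_vlans)
    return {"switch_advertised_vlan": policy["vlan"] if policy else None,
            "switch_tagged": policy["tagged"] if policy else None,
            "phone_dhcp_vlans": dhcp_vlans, "ok": switch_ok and phone_ok}


# --- constructed sample frames (what a port mirror of the phone port would show) ---
def _tlv(ttype, value):
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def build_lldp_frame(switch_mac, port_name, vlan, tagged=True, l2_priority=0, dscp=0):
    """Switch LLDPDU: chassis ID, port ID, TTL, voice Network Policy, End of LLDPDU."""
    bits = (int(tagged) << 22) | ((vlan & 0x0FFF) << 9) | ((l2_priority & 7) << 6) | (dscp & 0x3F)
    policy = TIA_OUI + bytes([MED_NETWORK_POLICY, APP_VOICE]) + bits.to_bytes(3, "big")
    lldpdu = (_tlv(1, b"\x04" + switch_mac) + _tlv(2, b"\x05" + port_name)
              + _tlv(3, struct.pack("!H", 120)) + _tlv(127, policy) + _tlv(0, b""))
    return bytes.fromhex("0180c200000e") + switch_mac + struct.pack("!H", ETHERTYPE_LLDP) + lldpdu


def build_dhcp_frame(phone_mac, vlan=None):
    """Phone DHCP DISCOVER carrier (UDP 68 -> 67, fixed BOOTP header only, zero checksums), optionally tagged."""
    bootp = b"\x01\x01\x06\x00" + b"\x00" * 24 + phone_mac + b"\x00" * 10
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00" * 4, b"\xff" * 4) + udp
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan) if vlan is not None else b""
    return b"\xff" * 6 + phone_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip


SWITCH_MAC, PHONE_MAC = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")  # constructed
LLDP_FRAME = build_lldp_frame(SWITCH_MAC, b"GE0/0/1", vlan=85)  # matches VoIP VLAN 85 in the thread
TAGGED_DHCP = build_dhcp_frame(PHONE_MAC, vlan=85)              # phone honoured the policy
UNTAGGED_DHCP = build_dhcp_frame(PHONE_MAC)                     # phone stayed on the access VLAN

if __name__ == "__main__":
    print(check_capture([LLDP_FRAME, TAGGED_DHCP], 85))    # "ok": True
    print(check_capture([LLDP_FRAME, UNTAGGED_DHCP], 85))  # "ok": False
```

On a real mirror you would replace the constructed frames with the bytes of each packet from the capture (for example `bytes(pkt)` for each packet returned by scapy's `rdpcap`) and call `check_capture` with the voice VLAN from your VoIP profile. If `switch_advertised_vlan` is None the switch never sent the Network Policy TLV on that port and the "-" in "show neighbor-devices" is telling the truth; if the TLV is there but `phone_dhcp_vlans` is untagged, the phone ignored it (or something else, such as a DHCP option, told it what to do).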

MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: MAC Auth + LLDP + Phone, Problems

I'm on 7.2.2.1.

I was a bit confused by the MAS documentation... will VoIP auto-discovery work with non-CDP phones on untrusted ports?  If not, then I think I need to use LLDP-MED and static VOIP mode for my Polycom phones.

I have a phone that a reboot puts in the right VLAN, most of the time.  Part of that may be due to the fact that we have DHCP scope options that pass the phone its VLAN ID.  So I'm not entirely sure the switch is sending the VLAN ID in the TLV as you stated.  I'll mirror the traffic and see what I can find.

I was thinking that one way to get around this would be to set up a UDR to put the phone in the VOIP VLAN right off the bat.  I'm going to give that a try and see how it pans out.

Aruba
Posts: 429
Registered: ‎05-30-2012

Re: MAC Auth + LLDP + Phone, Problems

Toggling the "voip-mode" knob to auto-discover is only for CDP devices and only takes effect when using "voip-profile" on a physical interface versus "voip-profile" in a user-role.

The "voip-mode" knob is not to be confused with the ability to use a UDR to match on "device-type equals phone". If using "voip-profile" on an interface or using AAA to put a phone in the right VLAN, you need to remove any DHCP scope options that may tell the phone to TAG. The switch must be responsible for this; otherwise the phone may TAG when we aren't expecting it and therefore we will not allow the traffic to pass.

Can you supply your actual configuration and the outputs for "show station-table" and "show user-table verbose"?

Best regards,

Madani

MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: MAC Auth + LLDP + Phone, Problems

I'd like to avoid sharing the config over the forums.

Attached is the output from the commands you asked for.

The phone is working right now, so the attached command output may not be helpful.  Since I can't remove the scope options (production phones are using them), I'll change the access VLAN in the switch profile to a VLAN that doesn't include the scope options and reset the phone to see if it comes up in the correct VLAN.  Will post back with the results.

Aruba
Posts: 429
Registered: ‎05-30-2012

Re: MAC Auth + LLDP + Phone, Problems

Yes, if you could get in the failed state, that would help.

Best regards,

Madani

Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: MAC Auth + LLDP + Phone, Problems

Is there any update to this? I'm running into this exact issue with an Avaya 1616. If the port is trusted, LLDP and voip-profile work great. With the port untrusted, nothing works. I see LLDP transmitting but no replies.

Regards,

Josh
___________
ACMP, ACCP
Aruba
Posts: 429
Registered: ‎05-30-2012

Re: MAC Auth + LLDP + Phone, Problems

If you could share your configuration and topology, I can help; otherwise I recommend opening a TAC case.

Best regards,

Madani

Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: MAC Auth + LLDP + Phone, Problems

s2500 running 7.2.2.1

Avaya 1616d01a phone

Below are the profiles that don't work when the port is set to untrusted. Let me know what else you want to see.


interface gigabitethernet "0/0/1"
lldp-profile "lldp-factory-initial"
aaa-profile "phone_client"
switching-profile "VLAN 50"
no trusted port

___________________________________________________________________________________

LLDP Profile "lldp-factory-initial"
-----------------------------------
Parameter Value
--------- -----
LLDP pdu transmit Enabled
LLDP protocol receive processing Enabled
LLDP transmit interval (Secs) 30
LLDP transmit hold multiplier 4
LLDP fast transmit interval (Secs) 1
LLDP fast transmit counter 4
LLDP-MED protocol Enabled
Control proprietary neighbor discovery Disabled

___________________________________________________________________________________

AAA Profile "phone_client"
--------------------------
Parameter Value
--------- -----
Initial role logon
MAC Authentication Profile N/A
MAC Authentication Default Role guest
MAC Authentication Server Group default
802.1X Authentication Profile N/A
802.1X Authentication Default Role guest
802.1X Authentication Server Group N/A
Download Role from ClearPass Enabled
L2 Authentication Fail Through Disabled
RADIUS Accounting Server Group N/A
RADIUS Interim Accounting Disabled
XML API server N/A
AAA unreachable role N/A
RFC 3576 server N/A
User derivation rules phoneudr
SIP authentication role N/A
Enforce DHCP Disabled
Authentication Failure Blacklist Time 3600 sec

___________________________________________________________________________________

(IDF 3 - Aruba Stack) #show aaa derivation-rules user phoneudr

User Rule Table
---------------
Priority Attribute Operation Operand Action Value Total Hits New Hits Description
-------- --------- --------- ------- ------ ----- ---------- -------- -----------
1 device-type equals phone set role phonerole 0 0

Rule Entries: 1

___________________________________________________________________________________


user-role phonerole
voip-profile "DASD-Secondary-VOIP"
access-list stateless allowall-stateless

___________________________________________________________________________________

VoIP profile "DASD-Secondary-VOIP"
----------------------------------
Parameter Value
--------- -----
VoIP VLAN 85
DSCP 0
802.1p 0
VoIP Mode static

Regards,

Josh
Aruba
Posts: 429
Registered: ‎05-30-2012

Re: MAC Auth + LLDP + Phone, Problems

Can you add the output of "show neighbor-devices", "show station-table", "show user-table" and "show interface gigabitethernet 0/0/1 switchport extensive"?
