Avaya IP Phone not getting IP once we applied (802.1X / MAC) Authentication Commands

  • 1.  Avaya IP Phone not getting IP once we applied (802.1X / MAC) Authentication Commands

    Posted Jun 01, 2021 03:52 PM
    Hello,

    We are working on a new implementation of Aruba ClearPass 6.9.5 in our company. We have an issue with an Avaya phone and MAC authentication. The IP phone is connected to an access port and the authentication method is MAC authentication.

    After the enforcement is applied, the switch port shows UP but doesn't get an IP address from the DHCP server, and the MAC address is not showing in the switch. The switch is an HPE 5130-48G-PoE+-4SFP+ (370W) EI JG937A with the latest firmware (Version 7.1.070, Release 3506P11).

    As a switch configuration, this is the global configuration:

    dot1x authentication-method eap
    dot1x timer supp-timeout 10
    dot1x timer tx-period 10
    #
    port-security enable
    port-security mac-move permit
    #
    radius nas-ip <switch management IP>
    #
    radius scheme radius-auth
    primary authentication <ClearPass Publisher IP> key simple <secret key>
    primary accounting <ClearPass Publisher IP> key simple <secret key>
    secondary authentication <ClearPass Subscriber IP> key simple <secret key>
    secondary accounting <ClearPass Subscriber IP> key simple <secret key>
    accounting-on enable
    user-name-format without-domain
    #
    radius dynamic-author server
    client ip <ClearPass Publisher IP> key simple <secret key>
    client ip <ClearPass Subscriber IP> key simple <secret key>
    #
    domain system
    authentication lan-access radius-scheme radius-auth
    authorization lan-access radius-scheme radius-auth
    accounting lan-access radius-scheme radius-auth
    #
    domain default enable system
    #

    For access port, this is the configuration for one access port:

    #
    interface GigabitEthernet1/0/41
    description Test IP Phone
    port link-type hybrid
    undo port hybrid vlan 1
    port hybrid vlan 6 tagged
    port hybrid vlan 4 untagged
    port hybrid pvid vlan 4
    undo voice-vlan mode auto
    voice-vlan 6 enable
    mac-vlan enable
    stp edged-port
    poe enable
    undo dot1x handshake
    dot1x mandatory-domain system
    undo dot1x multicast-trigger
    dot1x re-authenticate
    dot1x unicast-trigger
    dot1x re-authenticate server-unreachable keep-online
    mac-authentication max-user 10
    mac-authentication domain system
    mac-authentication timer auth-delay 15
    mac-authentication re-authenticate server-unreachable keep-online
    mac-authentication host-mode multi-vlan
    mac-authentication parallel-with-dot1x
    mac-authentication re-authenticate
    port-security port-mode userlogin-secure-or-mac-ext
    #

    VLAN 4 is Data
    VLAN 6 is Voice

    Both VLANs are already configured in the DHCP server.

    Regards,

    ------------------------------
    Hamad Hamad
    ------------------------------


  • 2.  RE: Avaya IP Phone not getting IP once we applied (802.1X / MAC) Authentication Commands

    Posted Jun 02, 2021 01:42 AM
    Please refer to the "HPE FlexNetwork (Comware v7) Enforcement" section of the Wired Policy enforcement technote:
    https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Avaya IP Phone not getting IP once we applied (802.1X / MAC) Authentication Commands

    Posted Jun 02, 2021 04:13 AM
    Hello ariyap,

    I saw this document before and we almost follow the configuration there. We don't have an issue with MAC authentication for printers, CCTV cameras, or fingerprint devices. We are only facing an issue with the Avaya IP Phone.

    IP Phones cannot get an IP address in either case: connected alone to a specific port, or connected together with a desktop (access port --> IP Phone --> PC).

    ------------------------------
    Hamad Hamad
    ------------------------------



  • 4.  RE: Avaya IP Phone not getting IP once we applied (802.1X / MAC) Authentication Commands

    Posted Jun 08, 2021 04:00 AM

    Assuming that the config of the switch is OK (MAB does work for other clients), I would trace the port on the switch and log on the DHCP server to see the DHCP communication.