Hello,
We are working on a new implementation of Aruba ClearPass 6.9.5 in our company. We have an issue with an Avaya phone and MAC authentication. The IP phone is connected to an access port and the authentication method is MAC authentication.
After the enforcement is applied, the switch port shows UP but doesn't get an IP address from the DHCP server, and the MAC address is not showing in the switch. The switch is an HPE 5130-48G-PoE+-4SFP+ (370W) EI JG937A with the latest firmware (Version 7.1.070, Release 3506P11).
As a switch configuration, this is the global configuration:
dot1x authentication-method eap
dot1x timer supp-timeout 10
dot1x timer tx-period 10
#
port-security enable
port-security mac-move permit
#
radius nas-ip <switch management IP>
#
radius scheme radius-auth
 primary authentication <ClearPass Publisher IP> key simple <secret key>
 primary accounting <ClearPass Publisher IP> key simple <secret key>
 secondary authentication <ClearPass Subscriber IP> key simple <secret key>
 secondary accounting <ClearPass Subscriber IP> key simple <secret key>
 accounting-on enable
 user-name-format without-domain
#
radius dynamic-author server
 client ip <ClearPass Publisher IP> key simple <secret key>
 client ip <ClearPass Subscriber IP> key simple <secret key>
#
domain system
 authentication lan-access radius-scheme radius-auth
 authorization lan-access radius-scheme radius-auth
 accounting lan-access radius-scheme radius-auth
#
domain default enable system
#
For access port, this is the configuration for one access port:
#
interface GigabitEthernet1/0/41
 description Test IP Phone
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 6 tagged
 port hybrid vlan 4 untagged
 port hybrid pvid vlan 4
 undo voice-vlan mode auto
 voice-vlan 6 enable
 mac-vlan enable
 stp edged-port
 poe enable
 undo dot1x handshake
 dot1x mandatory-domain system
 undo dot1x multicast-trigger
 dot1x re-authenticate
 dot1x unicast-trigger
 dot1x re-authenticate server-unreachable keep-online
 mac-authentication max-user 10
 mac-authentication domain system
 mac-authentication timer auth-delay 15
 mac-authentication re-authenticate server-unreachable keep-online
 mac-authentication host-mode multi-vlan
 mac-authentication parallel-with-dot1x
 mac-authentication re-authenticate
 port-security port-mode userlogin-secure-or-mac-ext
#
VLAN 4 is Data
VLAN 6 is Voice
Both VLANs are already configured in the DHCP server.
Regards,
------------------------------
Hamad Hamad
------------------------------