Security

Hello,

We are working on a new implementation of Aruba ClearPass 6.9.5 in our company. We have an issue with Avaya Phone and MAC authentication. IP Phone is connected to access port and authentication method is MAC Authentication.

After the enforcement is applied, the switch port shows UP but doesn't get IP Address from DHCP Server and MAC address is not showing in the switch. The switch is HPE 5130-48G-PoE+-4SFP+ (370W) EI JG937A with latest firmware (Version 7.1.070, Release 3506P11).

As a switch configuration, this is the global configuration:

dot1x authentication-method eap
dot1x timer supp-timeout 10
dot1x timer tx-period 10
#
port-security enable
port-security mac-move permit
#
radius nas-ip <switch management IP>
#
radius scheme radius-auth
primary authentication <ClearPass Publisher IP> key simple <secret key>
primary accounting <ClearPass Publisher IP> key simple <secret key>
secondary authentication <ClearPass Subscriber IP> key simple <secret key>
secondary accounting <ClearPass Subscriber IP> key simple <secret key>
accounting-on enable
user-name-format without-domain
#
radius dynamic-author server
client ip <ClearPass Publisher IP> key simple <secret key>
client ip <ClearPass Subscriber IP> key simple <secret key>
#
domain system
authentication lan-access radius-scheme radius-auth
authorization lan-access radius-scheme radius-auth
accounting lan-access radius-scheme radius-auth #
#
domain default enable system
#

For access port, this is the configuration for one access port:

#
interface GigabitEthernet1/0/41
description Test IP Phone
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 6 tagged
port hybrid vlan 4 untagged
port hybrid pvid vlan 4
undo voice-vlan mode auto
voice-vlan 6 enable
mac-vlan enable
stp edged-port
poe enable
undo dot1x handshake
dot1x mandatory-domain system
undo dot1x multicast-trigger
dot1x re-authenticate
dot1x unicast-trigger
dot1x re-authenticate server-unreachable keep-online
mac-authentication max-user 10
mac-authentication domain system
mac-authentication timer auth-delay 15
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication host-mode multi-vlan
mac-authentication parallel-with-dot1x
mac-authentication re-authenticate
port-security port-mode userlogin-secure-or-mac-ext
#

VLAN 4 is Data
VLAN 6 is Voice

Both VLANs already configured in DHCP Server.

Regards,

------------------------------
Hamad Hamad
------------------------------

please refer to the "HPE FlexNetwork (Comware v7) Enforcement" section of Wired Policy enforcement technote
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------

Original Message:
Sent: Jun 01, 2021 02:41 AM
From: Hamad Hamad
Subject: Avaya IP Phone not getting IP once we applied (801.1X / MAC) Authentication Commands

Hello,

We are working on a new implementation of Aruba ClearPass 6.9.5 in our company. We have an issue with Avaya Phone and MAC authentication. IP Phone is connected to access port and authentication method is MAC Authentication.

After the enforcement is applied, the switch port shows UP but doesn't get IP Address from DHCP Server and MAC address is not showing in the switch. The switch is HPE 5130-48G-PoE+-4SFP+ (370W) EI JG937A with latest firmware (Version 7.1.070, Release 3506P11).

As a switch configuration, this is the global configuration:

dot1x authentication-method eap
dot1x timer supp-timeout 10
dot1x timer tx-period 10
#
port-security enable
port-security mac-move permit
#
radius nas-ip <switch management IP>
#
radius scheme radius-auth
primary authentication <ClearPass Publisher IP> key simple <secret key>
primary accounting <ClearPass Publisher IP> key simple <secret key>
secondary authentication <ClearPass Subscriber IP> key simple <secret key>
secondary accounting <ClearPass Subscriber IP> key simple <secret key>
accounting-on enable
user-name-format without-domain
#
radius dynamic-author server
client ip <ClearPass Publisher IP> key simple <secret key>
client ip <ClearPass Subscriber IP> key simple <secret key>
#
domain system
authentication lan-access radius-scheme radius-auth
authorization lan-access radius-scheme radius-auth
accounting lan-access radius-scheme radius-auth #
#
domain default enable system
#

For access port, this is the configuration for one access port:

#
interface GigabitEthernet1/0/41
description Test IP Phone
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 6 tagged
port hybrid vlan 4 untagged
port hybrid pvid vlan 4
undo voice-vlan mode auto
voice-vlan 6 enable
mac-vlan enable
stp edged-port
poe enable
undo dot1x handshake
dot1x mandatory-domain system
undo dot1x multicast-trigger
dot1x re-authenticate
dot1x unicast-trigger
dot1x re-authenticate server-unreachable keep-online
mac-authentication max-user 10
mac-authentication domain system
mac-authentication timer auth-delay 15
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication host-mode multi-vlan
mac-authentication parallel-with-dot1x
mac-authentication re-authenticate
port-security port-mode userlogin-secure-or-mac-ext
#

VLAN 4 is Data
VLAN 6 is Voice

Both VLANs already configured in DHCP Server.

Regards,

------------------------------
Hamad Hamad
------------------------------

Hello ariyap,

I saw this document before and we almost follow the configuration there. We don't have issue with MAC Authentication for printers, CCTV Cameras, fingerprint devices. Only we are facing issue with Avaya IP Phone.

IP Phones cannot take IP address in both cases: connected alone to a specific port or connected together with a desktop (access port --> IP Phone --> PC).

------------------------------
Hamad Hamad
------------------------------

Original Message:
Sent: Jun 02, 2021 01:42 AM
From: Ariya Parsamanesh
Subject: Avaya IP Phone not getting IP once we applied (801.1X / MAC) Authentication Commands

please refer to the "HPE FlexNetwork (Comware v7) Enforcement" section of Wired Policy enforcement technote
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jun 01, 2021 02:41 AM
From: Hamad Hamad
Subject: Avaya IP Phone not getting IP once we applied (801.1X / MAC) Authentication Commands

Hello,

We are working on a new implementation of Aruba ClearPass 6.9.5 in our company. We have an issue with Avaya Phone and MAC authentication. IP Phone is connected to access port and authentication method is MAC Authentication.

After the enforcement is applied, the switch port shows UP but doesn't get IP Address from DHCP Server and MAC address is not showing in the switch. The switch is HPE 5130-48G-PoE+-4SFP+ (370W) EI JG937A with latest firmware (Version 7.1.070, Release 3506P11).

As a switch configuration, this is the global configuration:

dot1x authentication-method eap
dot1x timer supp-timeout 10
dot1x timer tx-period 10
#
port-security enable
port-security mac-move permit
#
radius nas-ip <switch management IP>
#
radius scheme radius-auth
primary authentication <ClearPass Publisher IP> key simple <secret key>
primary accounting <ClearPass Publisher IP> key simple <secret key>
secondary authentication <ClearPass Subscriber IP> key simple <secret key>
secondary accounting <ClearPass Subscriber IP> key simple <secret key>
accounting-on enable
user-name-format without-domain
#
radius dynamic-author server
client ip <ClearPass Publisher IP> key simple <secret key>
client ip <ClearPass Subscriber IP> key simple <secret key>
#
domain system
authentication lan-access radius-scheme radius-auth
authorization lan-access radius-scheme radius-auth
accounting lan-access radius-scheme radius-auth #
#
domain default enable system
#

For access port, this is the configuration for one access port:

#
interface GigabitEthernet1/0/41
description Test IP Phone
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 6 tagged
port hybrid vlan 4 untagged
port hybrid pvid vlan 4
undo voice-vlan mode auto
voice-vlan 6 enable
mac-vlan enable
stp edged-port
poe enable
undo dot1x handshake
dot1x mandatory-domain system
undo dot1x multicast-trigger
dot1x re-authenticate
dot1x unicast-trigger
dot1x re-authenticate server-unreachable keep-online
mac-authentication max-user 10
mac-authentication domain system
mac-authentication timer auth-delay 15
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication host-mode multi-vlan
mac-authentication parallel-with-dot1x
mac-authentication re-authenticate
port-security port-mode userlogin-secure-or-mac-ext
#

VLAN 4 is Data
VLAN 6 is Voice

Both VLANs already configured in DHCP Server.

Regards,

------------------------------
Hamad Hamad
------------------------------

Assumed that the config of the switch is ok (MAB does work for other clients), I would trace the port on the switch and log on the DHCP server to see DHCP communication.

Original Message:
Sent: Jun 02, 2021 04:13 AM
From: Hamad Hamad
Subject: Avaya IP Phone not getting IP once we applied (801.1X / MAC) Authentication Commands

Hello ariyap,

I saw this document before and we almost follow the configuration there. We don't have issue with MAC Authentication for printers, CCTV Cameras, fingerprint devices. Only we are facing issue with Avaya IP Phone.

IP Phones cannot take IP address in both cases: connected alone to a specific port or connected together with a desktop (access port --> IP Phone --> PC).

------------------------------
Hamad Hamad

Original Message:
Sent: Jun 02, 2021 01:42 AM
From: Ariya Parsamanesh
Subject: Avaya IP Phone not getting IP once we applied (801.1X / MAC) Authentication Commands

please refer to the "HPE FlexNetwork (Comware v7) Enforcement" section of Wired Policy enforcement technote
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jun 01, 2021 02:41 AM
From: Hamad Hamad
Subject: Avaya IP Phone not getting IP once we applied (801.1X / MAC) Authentication Commands

Hello,

We are working on a new implementation of Aruba ClearPass 6.9.5 in our company. We have an issue with Avaya Phone and MAC authentication. IP Phone is connected to access port and authentication method is MAC Authentication.

After the enforcement is applied, the switch port shows UP but doesn't get IP Address from DHCP Server and MAC address is not showing in the switch. The switch is HPE 5130-48G-PoE+-4SFP+ (370W) EI JG937A with latest firmware (Version 7.1.070, Release 3506P11).

As a switch configuration, this is the global configuration:

dot1x authentication-method eap
dot1x timer supp-timeout 10
dot1x timer tx-period 10
#
port-security enable
port-security mac-move permit
#
radius nas-ip <switch management IP>
#
radius scheme radius-auth
primary authentication <ClearPass Publisher IP> key simple <secret key>
primary accounting <ClearPass Publisher IP> key simple <secret key>
secondary authentication <ClearPass Subscriber IP> key simple <secret key>
secondary accounting <ClearPass Subscriber IP> key simple <secret key>
accounting-on enable
user-name-format without-domain
#
radius dynamic-author server
client ip <ClearPass Publisher IP> key simple <secret key>
client ip <ClearPass Subscriber IP> key simple <secret key>
#
domain system
authentication lan-access radius-scheme radius-auth
authorization lan-access radius-scheme radius-auth
accounting lan-access radius-scheme radius-auth #
#
domain default enable system
#

For access port, this is the configuration for one access port:

#
interface GigabitEthernet1/0/41
description Test IP Phone
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 6 tagged
port hybrid vlan 4 untagged
port hybrid pvid vlan 4
undo voice-vlan mode auto
voice-vlan 6 enable
mac-vlan enable
stp edged-port
poe enable
undo dot1x handshake
dot1x mandatory-domain system
undo dot1x multicast-trigger
dot1x re-authenticate
dot1x unicast-trigger
dot1x re-authenticate server-unreachable keep-online
mac-authentication max-user 10
mac-authentication domain system
mac-authentication timer auth-delay 15
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication host-mode multi-vlan
mac-authentication parallel-with-dot1x
mac-authentication re-authenticate
port-security port-mode userlogin-secure-or-mac-ext
#

VLAN 4 is Data
VLAN 6 is Voice

Both VLANs already configured in DHCP Server.

Regards,

------------------------------
Hamad Hamad
------------------------------