Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC Auth - VoIP phone issue
  • 1.  MAC Auth - VoIP phone issue

    Posted Aug 31, 2021 01:46 PM
    Hello,

    I'm experiencing some problems. I'm using ArubaOS switches, local user-roles and ClearPass to authenticate end-user devices. All is working fine, but I'm having problems with ports where I have a PC and a VoIP phone connected.

    In CPPM I can see that both devices are authenticated successfully, the PC through 802.1X and the phone through MAC auth. The problem is that once both devices have been authenticated and I can reach both of them, the phone goes down and I lose connection to it.

    I can see that the roles are successfully applied with their respective vlans, untagged for the PC and tagged for the VoIP phone.... I've run a debug on the ArubaOS switch, and once the whole process has completed I can see this event:

    PSEC eDrvPoll:incoming mac <Device mac-address> on port x/xx for vlan x rejected by portsec demux. wma rejects the mac.
    m8021xCtrl:Port x/xx: deleted client <client mac-address> User (null) from Client-List
    MAC mWebAuth:Port x/xx MAC:<Client mac-address> deauthenticating all clients
    MAC mWebAuth:Port x/xx MAC:<Client mac-address> deauthenticated all clients

    In the first event, vlan x is not the phone's vlan; it is the default untagged vlan on this port. But before that I have another event where I can see that this phone has been placed into the voice vlan after the authentication and after applying the user-role.

    If I configure the port with the default untagged VLAN and the voice vlan tagged manually, all works fine..... Both devices remain authenticated, and with "show port-access client x/xx detail" I can see that both user-roles have been applied and the tagged and untagged vlans applied with their respective user-roles..... but once I delete the tagged vlan from this port it does not work. I can reach the phone for a few seconds, but after the events detailed above... I lose connection with it.

    I look forward to your feedback.

    Thanks in advance.

    ------------------------------
    tech_sec
    ------------------------------


  • 2.  RE: MAC Auth - VoIP phone issue

    EMPLOYEE
    Posted Sep 01, 2021 09:04 AM
    It may be that the phone is sending out traffic both tagged and untagged. Would it be an option to remove vlan tagging from the phone and switch configuration, and just run both devices untagged? There is no real need to tag your voice traffic, and it may just make things more complex.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: MAC Auth - VoIP phone issue

    Posted Sep 02, 2021 08:22 AM
    I don't understand your proposal. The voice traffic needs to be tagged: I have a specific voice VLAN and a specific data VLAN, and the PC is connected through the phone's PC port.

    ------------------------------
    tech_sec
    ------------------------------



  • 4.  RE: MAC Auth - VoIP phone issue

    EMPLOYEE
    Posted Sep 02, 2021 08:40 AM
    In many cases the voice traffic needs to be in a specific vlan, not necessarily tagged. If you connect just the phone to a switch port, it can work as a normal device, without any tagged vlans. When you connect a device behind the phone, in the past you had to move the phone to a tagged vlan, as that was the only way to separate the data and voice traffic into different vlans. With 802.1X and MAC Auth configured, and if you authenticate each device individually, on most switches you can have multiple devices on the same port, each authenticated in a different VLAN, but still both untagged. On ArubaOS switches, that is the default setting.

    Here is an old video that shows a phone and 802.1X client on the same port both untagged.

    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: MAC Auth - VoIP phone issue

    Posted Sep 02, 2021 10:34 AM
    Hello Herman,

    Yes, sorry, I hadn't understood that. I know that I can do this, but in my scenario I need to have the voice and data devices on different VLANs; it's mandatory.

    Thanks a lot.

    ------------------------------
    tech_sec
    ------------------------------



  • 6.  RE: MAC Auth - VoIP phone issue

    EMPLOYEE
    Posted Sep 02, 2021 10:38 AM
    As you can see in the video, the PC and phone ARE in different VLANs, just not using tagged traffic. Not needed.

    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: MAC Auth - VoIP phone issue

    Posted Sep 02, 2021 12:48 PM
    Ok, I got it. I'll try it, but do you know what could be the root cause of my problem? I've done this before with other vendors (phones and switches) without any problem. What could be the root cause of this behavior?

    As you've said, all IP phones send traffic through both vlans when they are booting. But I've allowed up to 4 addresses and clients..... There is something weird... usually when I've authenticated a PC through a phone in the past (other vendors), the PC was not authenticated until the phone was in service..... but in this case the PC is authenticated before the phone.....

    ------------------------------
    tech_sec
    ------------------------------



  • 8.  RE: MAC Auth - VoIP phone issue

    Posted Sep 03, 2021 02:25 AM
    Hello tech_sec,

    We have a config like yours: we also have the voice vlan tagged and the workstation vlan untagged.
    We also use ArubaOS switches (2930F), and we have got this working. Maybe you can share some information about how your enforcement policy is configured, and we can go from there and look at what is going wrong.

    ------------------------------
    Henk-Jan Dennenberg
    ------------------------------



  • 9.  RE: MAC Auth - VoIP phone issue

    Posted Sep 03, 2021 04:27 AM
    Hello Henk-Jan,

    Thank you very much. Yes, it is very simple.... my enforcement policy only provides the role to the switch, and I have configured the local user-roles in the switch. The user-role for PCs has a specific untagged vlan configured, and the user-role for VoIP phones has a specific tagged vlan configured.

    Thanks in advance.

    ------------------------------
    tech_sec
    ------------------------------



  • 10.  RE: MAC Auth - VoIP phone issue

    Posted Sep 03, 2021 07:35 AM
    You said your phone does MAC auth and your PC does RADIUS auth on ClearPass.
    So you have to configure an enforcement policy to apply the settings to a port on a switch, if I am right. (I have only been working with ClearPass for a year now and I don't know all the ins and outs.)

    Our Aruba partner advised us to do it this way, and it works well for us. In the attachment you can find how it is configured in our environment. Below you find a link to a post about Egress-VLANID, with a post from @Herman Robers about how it works. I hope this will help you.
    Egress-VLANID | Security (arubanetworks.com)



    ------------------------------
    Henk-Jan Dennenberg
    ------------------------------



  • 11.  RE: MAC Auth - VoIP phone issue

    Posted Sep 03, 2021 09:46 AM
    Hello Henk,

    Yes, this is the way I've used in the past. But right now I need to work with local user-roles.... I'd prefer to enforce the vlan through CPPM.

    Best regards,

    ------------------------------
    tech_sec
    ------------------------------



  • 12.  RE: MAC Auth - VoIP phone issue

    EMPLOYEE
    Posted Sep 03, 2021 05:52 AM
    For the root cause, the logs suggest that your phone is sending out traffic untagged. Can you do a port-mirror and capture the actual traffic, including VLAN tags?

    I agree that it should work with a tagged voice vlan as well. I just suggested that if you have issues, you could try without it. In the end it mostly depends on the phone and the switch.

    ------------------------------
    Herman Robers
    ------------------------------



  • 13.  RE: MAC Auth - VoIP phone issue

    Posted Sep 03, 2021 09:48 AM
    Yes, thanks a lot Herman, any idea is good and it's worth trying. I've tested it, but I get the same result when authenticating both devices without any tagged vlan..... It's weird; I've never seen anything similar before.

    ------------------------------
    tech_sec
    ------------------------------



  • 14.  RE: MAC Auth - VoIP phone issue

    Posted Sep 07, 2021 08:02 AM
    Hi,

    Have you tried using HPE-Egress-VLAN-ID in the ClearPass enforcement profile for MAC auth? This way ClearPass will instruct the switch to tag the related voice vlan after MAC auth. Below is the example I used to set vlan 122 as tagged for voice. Check out the url below to see how HPE-Egress-VLAN-ID is calculated.

    https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=d53cbcba-9e46-4cbe-864e-6e4d056771a4


    Regards

    ------------------------------
    Mehmet Sahin
    ------------------------------
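The post above refers to the calculated value of HPE-Egress-VLAN-ID without showing the arithmetic (the example image is not in the thread). The attribute follows the RFC 4675 Egress-VLANID layout: a 4-byte integer whose first byte is the tag indication (0x31 = tagged, 0x32 = untagged), followed by 12 zero bits of padding and the 12-bit VLAN ID. The encoder/decoder below is an added example written for this thread; it is not ClearPass, ArubaOS or the blog's code. It uses VLAN 122 from the post as its sample input, and the validation rules (VLAN range, rejecting unknown indication bytes and non-zero padding) are this example's own choices, not something the thread states.

```python
"""Encode and decode Egress-VLANID values (RFC 4675 layout, as used by the
HPE-Egress-VLANID RADIUS VSA).  Added example for this forum thread; not
vendor code.  Byte layout, most significant byte first:

    +------------+--------------+-------------+
    | indication | pad (12 bit) | VLAN (12 b) |
    +------------+--------------+-------------+
"""
from typing import Tuple

TAGGED = 0x31    # indication byte: VLAN is added as tagged on the port
UNTAGGED = 0x32  # indication byte: VLAN is added as untagged on the port


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Return the integer a RADIUS server sends for the given VLAN/tag mode."""
    # 802.1Q reserves 0 and 4095; this range check is the example's own choice.
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    indication = TAGGED if tagged else UNTAGGED
    # indication in the top byte, pad bits left at zero, VLAN in the low 12 bits
    return (indication << 24) | (vlan_id & 0x0FFF)


def decode_egress_vlanid(value: int) -> Tuple[int, bool]:
    """Split a received value into (vlan_id, tagged); reject malformed values."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {value}")
    indication = (value >> 24) & 0xFF
    pad = (value >> 12) & 0x0FFF
    vlan_id = value & 0x0FFF
    if indication not in (TAGGED, UNTAGGED):
        raise ValueError(f"unknown tag indication 0x{indication:02X}")
    if pad != 0:
        raise ValueError(f"non-zero pad bits 0x{pad:03X}")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return vlan_id, indication == TAGGED


def describe(value: int) -> str:
    """Human-readable form, e.g. for checking an enforcement profile entry."""
    vlan_id, tagged = decode_egress_vlanid(value)
    mode = "tagged" if tagged else "untagged"
    return f"{value} (0x{value:08X}) -> VLAN {vlan_id} {mode}"


if __name__ == "__main__":
    # VLAN 122 tagged for voice, as in the post; the PC's data VLAN would be
    # sent untagged with the 0x32 indication instead.
    voice = encode_egress_vlanid(122, tagged=True)
    print(describe(voice))
    print(describe(encode_egress_vlanid(122, tagged=False)))
```

The decimal value is what you type into the ClearPass enforcement profile; the hex form makes the three fields visible when comparing against the switch's own view of the port. Decoding with validation is also useful when auditing exported profiles, since a value with a wrong indication byte or stray pad bits is silently meaningless to the switch.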



  • 15.  RE: MAC Auth - VoIP phone issue

    Posted Sep 10, 2021 08:32 AM
    Hello Mehmet,

    It's not valid in my scenario, but I've tested it and I have the same issue.

    Thanks

    ------------------------------
    tech_sec
    ------------------------------



  • 16.  RE: MAC Auth - VoIP phone issue

    Posted Sep 16, 2021 03:48 AM
    Hello Herman,

    I have a question about this feature: is it supported by HPE switches or only by ArubaOS switches?

    Thanks in advance

    ------------------------------
    tech_sec
    ------------------------------



  • 17.  RE: MAC Auth - VoIP phone issue
    Best Answer

    EMPLOYEE
    Posted Sep 16, 2021 03:59 AM
    I'm pretty sure HPE Comware supports that as well: multiple devices on the same port authenticated to different untagged VLANs. I have not tested every switch available, but I don't remember switches that don't support it, although some switches (either by configuration or by product features) will just authenticate the first device. Search for multi-host/multi-domain/multi-auth on this forum or the internet to learn more about that.

    ------------------------------
    Herman Robers
    ------------------------------