Security

last person joined: 7 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Cisco wired Avaya phone problem

This thread has been viewed 2 times
  • 1.  Cisco wired Avaya phone problem

    Posted Apr 28, 2015 05:39 PM

    Dears

    Currently I am conducting a POC on clearpass and a cisco switch, we are facing some problems with authentication.

     

    We are basically doing DOT1X using AD for PCs and Mac Auth all for the IP Phones (avaya)

    we have to services one for dot1x and one for mac auth..

    We have set up the cisco switch configuration for multi-auth and mab and COA and everything looks fine..

    Also port is set to voice vlan and access vlan (Data) 

    when a PC connects he is by default in the data vlan and when he's authenticated the CPPM returns another vlan which is the internet and intranet vlan and he's authenticated..

    When a ip phone connects, it authenticates using Mac auth and the CPPM returns cisco-device-class=voice (or something like that) and the ip phone is successfully connected to the voice vlan.the problem is the phone can not get its DHCP...

    although if I configured the port without any authentication (dot1x or mac auth) and I set up the port for voice vlan and access vlan, the phone connects and gets its IP normally via dhcp.

    I have configured lldp run..

    the customer is reluctant to configure anything qos although i doubt it would cause this problem..

    The enforcement profile for the phone contains the Vlan assignment plus cisco device traffic, and i tried another one where it returns only cisco device traffic and it gave the ip phone its vlan even faster.

     

    I have rules in enforcement policies based on device category and they're all working fine and the phone and pcs are all profiled and even printers worked fine and were profiled.

     

    I have configured ip helper addresses of cource (The phone gets ip address on an unauthenticated port)

    I can't think of something that may cause this problem except some specific commands on the switch's port or a special VSA that needs to be sent from the clearpass that I can't find anywhere...

    So please, urgent help is needed and appreciated

     

    P.S. I didn't open a case because they take too long, i'm still awaiting reply since 2 days about a failure to profile a Sun thin client so I matched based on mac vendor and I still haven't received any replies..

    Cisco switch model is 3750 pd ef 48 ports..version is 15.0.2se

    clearpass is 6.5 on an evaluation VM

     



  • 2.  RE: Cisco wired Avaya phone problem

    Posted Apr 28, 2015 06:10 PM
    Are you working with an Aruba partner on the PoC?

    Thanks,
    Tim


  • 3.  RE: Cisco wired Avaya phone problem

    Posted Apr 28, 2015 06:44 PM

    Actually, we are an aruba partner..



  • 4.  RE: Cisco wired Avaya phone problem

    Posted Apr 28, 2015 10:13 PM

    What is your 802.1X timeout?

    Can you post the configuration from one of your ports?



  • 5.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 03:29 AM

    interface GigabitEthernet1/0/2 //or any port that you want to be authenticated

     description HOST-PORT

     switchport access vlan 250

     switchport mode access

     switchport nonegotiate

     switchport voice vlan 109

     speed auto

     duplex full

     authentication order dot1x mab

     authentication priority dot1x mab

     authentication port-control auto

    authentication mode multi-auth

     authentication periodic

     authentication timer reauthenticate server

     mab     

     dot1x pae authenticator

     dot1x timeout server-timeout 30

     dot1x timeout tx-period 10

     dot1x max-reauth-req 3

     spanning-tree portfast

     spanning-tree bpduguard enable

    !



  • 6.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 02:59 PM

    you say it connects correctly to the voice VLAN, how do you know it does when DHCP afterwards doesn't work? did you do a packetcapture on the port, do you see DHCP discovers being send?

     

    do you only send that extra =voice option? because i don't believe you can actually send the voice vlan, if you send a vlan assignment in the accept packet it will set the data vlan.



  • 7.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 03:05 PM

    I know it connects to the voice vlan, because the phone says its in vlan 102 which is the voice, it starts with vlan 0 then after the CPPM sends its vlan it goes to vlan 102, i have tried sending an enforcement policy with device-traffic-class = voice + vlan assignment and just device-traffic-class=voice without vlan assignment and they both have placed it in its vlan.

    then the ip phone's lcd says its doing DHCP Requests, and it keeps increasing a counter until 60 seconds and then fails to get its IP and reboots...

    When i connect the phone in a normal port with just this config

    switchport access vlan 2

    switchport voice vlan 102

    switchport mode access

    the ip phone gets its ip in just 3 seconds as well as the vlan.

    I haen't done a packet capture yet

    also when I "show vlan" on the cisco switch I see the Phone's port in both the voice vlan and data vlan(PC is also connected)

     



  • 8.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 03:48 PM

    what do you get when you do: show authentication sessions

     

    you are a running a new version so it might be different, but with the 12.x versions im quite sure that you can't set the voice VLAN and if you earlier posted config is correct and you set the voice VLAN there then that is what is going to be used i believe.



  • 9.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 03:50 PM

    I don't have the output with me right now but it shows success or authenticated

    also on the access tracker I get success and no alerts and everything is just as it should except the ip phone got no IP Address



  • 10.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 03:59 PM

    the domain part is what interests me.

     

    ClearPass will show a success when authentication passes and it is able to send the accept to the switch. it doesn't check if the things you send to the switch make sense to the switch or not.

     

    this is something you will have to debug on the switch side. look up the dot1x debug commands and see if the switch mentions it doesn't like something you send.



  • 11.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 04:04 PM

    I am already debugging radius as I had a problem with redirection and I clearly notice all the debug messages, everything looked normal and authentication is successful..

    The domain part is just for PCs using dot1x, IP phones are all accepted based on a mac auth all until we collect all ip phones then we will start to restrict a bit.

     

    I am suspecting something, maybe the ip phones in the live working environment aren't using COS, but when the clearpass returns a device-traffic-class=voice, the ip phone sends a dhcp request tagged with a dot1p class of service  = 5, so the dhcp server doesn't respond to the request as its not configured for it, 

    this could be this or the complete opposite, the dhcp server is expecting dot1p and the ip phone is sending without it, thats the guess i have in my mind..

     



  • 12.  RE: Cisco wired Avaya phone problem

    Posted Nov 15, 2016 01:44 PM

    Hi Waleed,

     

    We are having the same issue as yours. Did you find any solution for this ?



  • 13.  RE: Cisco wired Avaya phone problem

    Posted Nov 15, 2016 01:48 PM

    Hi Waleed,

     

    We are having the same issue, did you find any solution for this ?



  • 14.  RE: Cisco wired Avaya phone problem

    Posted Nov 15, 2016 01:50 PM

    We are having the same issue, did you find any solution for this ?



  • 15.  RE: Cisco wired Avaya phone problem

    Posted Jan 25, 2017 12:20 PM

    We had this issue with NEC phones when connected to Clearpass. What we did was change the RX Waiting time under lldp settings on the phone to 30 seconds instead of the default 15 seconds. This added about 5 seconds give or take between initializing and log in than we would have on a non 802.1x interface.



  • 16.  RE: Cisco wired Avaya phone problem

    Posted May 08, 2019 04:17 PM

    We ran into the same issue with the Cisco 2960x models.

    The fix is outlined in this Bug detail:

     

    https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb22409

     

    basically authorization over the voice vlan fails when certain av-pairs are present on the attributes,

     

    “If one of the attributes is missing and/or dynamic vlan assignment is NOT required but the at least one of av-pair is present in the Radius access-accept the switch will fail authorization for the Voice Vlan on the port.”

     

    from the capture we can see that “Tunnel-Type” and “Tunnel-Medium-Type” are present.

     

     

    I removed those attributes and am good on the 2960x MAB is successful with phones not having DHCP issues.



    HOWEVER,

    we are now seeing similar symptoms with a Cisco 4500 chassis and Avaya phones.

    Phones authenticate with healthy logs on CPPM and the switch logs, but the phones do NOT receive a DHCP address.

    Strangely, there are ARP entries present for the phone..

    Please help!!