Security

  • 1.  Issue with Polycom phones and authentication

    Posted Jun 12, 2025 11:51 AM

    Hi,

    Got an issue with Polycom phones and authentication, in that phones don't pick up an IP when moved from staging area to live area

    1). Polycom C60 and CCX505 phones running latest and greatest 9.1.x firmware

    2). Aruba OS-S 2930 switches running WC.16.11.21 firmware

    3). ClearPass 6.11.10 providing DUR to drop phone into named tagged voice VLAN

    Phones identified by custom ClearPass fingerprint.

    Enforcement policy pushes DUR to switch

    Plug phone in on staging point switch to upgrade firmware, register and configure phone.

    Check phone works. 

    Unplug phone and take to destination and plug into another switch

    ClearPass sends mac-auth from that switch/port, identifies phone and sends DUR

    What should happen is 

    CPPM places device in tagged voice VLAN

    phone uses LLDP to identify tagged voice VLAN, move to it and get an IP address

    but .....

    sh port-access client shows MAC address of phone in tagged voice VLAN

    sh lldp inf r shows switch can see phone model

    phone doesn't get an IP address, can sit there for hours (reauth time 1 hour). DHCP IP lease is 2 days

    Back at ClearPass, if I force a port bounce CoA (local one that holds port down for 30 secs) phone requests and obtains IP and off it goes

    Would have thought unplugging phone and walking to destination would have done the same thing

    Don't want to enable profiling on the auth and force a drop after every auth as that would be dropping interface for 12 secs every hour

    Any thoughts ?

    A



  • 2.  RE: Issue with Polycom phones and authentication

    Posted Jun 12, 2025 01:29 PM

    Assuming the device is being recognized properly and the connection to the network is correct, then there's nothing on the network side that should be preventing the device from requesting or receiving DHCP.  I'd recommend getting a packet capture showing what is going on between the phone and the network once you've moved to the production network.

    The closest I've seen to this is some devices that like to fire off a DHCP request as soon as they have power/link (but not necessarily a network connection) and then never again.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Issue with Polycom phones and authentication

    Posted Jun 13, 2025 04:32 AM
    > Assuming the device is being recognized properly and the connection to the network is correct, then there's nothing on the network side that should be preventing the device from requesting or receiving DHCP.

    Agreed.

    Phones use LLDP to detect presence of tagged voice VLAN on switch port, switch to it and off they go. As I said, problem is CPPM drops them into voice VLAN, we can see it's there but sh lldp inf r shows phone doesn't have an IP

    > I'd recommend getting a packet capture showing what is going on between the phone and the network once you've moved to the production network.

    Yeah, might come to that.

    > The closest I've seen to this is some devices that like to fire off a DHCP request as soon as they have power/link (but not necessarily a network connection) and then never again.

    Yeah, seen that as well. Guess forcing a CoA reauth is slightly different in that the phone is up and breathing at that point
    A





  • 4.  RE: Issue with Polycom phones and authentication

    Posted Jun 13, 2025 09:28 AM
    Thing is, 
    If I switch auth off on the port, assign a tagged voice VLAN, everything works just fine. It's only when we have 802.1X and MAC auth enabled on the switch port
    A