Wireless Access


MAC Auth + LLDP + Phone, Problems

  • 1.  MAC Auth + LLDP + Phone, Problems

    Posted Jul 10, 2013 10:50 AM

    I have a Polycom CX600 Lync phone that is not getting correct IP/VLAN assignments when the port is untrusted.  When trusted, LLDP works and puts the phone in the proper VLAN.  However, I have to use a form of port security, so the port must be untrusted with MAC auth used by the Polycom phones.

     

    As I said before, the phone works correctly when in untrusted mode, so I know LLDP profile and VOIP profile are configured correctly.  The only thing I've done differently is set the port to untrusted, removed the VOIP profile, added a MAC auth AAA policy with default MAC role (VOIP role that contains VOIP profile).  I've verified that the phone is passing MAC auth and obtaining the VOIP role.  However, the phone is still in the access VLAN and has an IP from that VLAN, rather than the VOIP VLAN.  Issuing the "show neighbor-devices phone" command results in a "-" being displayed under the Voice VLAN column, rather than a VLAN being displayed.  When the port was in trusted mode, it would show the voice VLAN #. 

     

    I'm not sure if I have an LLDP problem or a phone problem.  Any thoughts?



  • 2.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 10, 2013 02:37 PM

    I have a few Cisco & Avaya phones which work fine with the configs you mentioned. But I do see an issue with one Avaya phone which sometimes doesn't send packets with the correct vlan tag and gets an IP assigned from a different vlan, but a reboot of the phone solves the problem.
    To troubleshoot this you may try the following:
    1. Reboot the phone, enable/disable the poe profile.
    2. Check that "show mac-address-table" and "show user-table verbose" show the correct vlan. This makes sure that the phone is classified under the correct vlan and the issue may be on the phone side.
    3. You can do a packet capture on the port where the phone is connected and verify whether the MAS is sending the correct vlan in the LLDP "Network Policy" TLV or not, and after that whether the phone is sending the DHCP request with the correct tagged vlan.

     

    Show neighbor doesn't show the Voice VLAN for me either, but the phone still gets an IP from the correct voice vlan.

     

    BTW which AOS version are you using?



  • 3.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 10, 2013 03:32 PM

    I'm on 7.2.2.1.

     

     

    I was a bit confused by the MAS documentation... will VoIP auto-discovery work with non-CDP phones on untrusted ports?  If not, then I think I need to use LLDP-MED and static VOIP mode for my Polycom phones.

     

    I have a phone that a reboot puts in the right VLAN, most of the time.  Part of that may be due to the fact that we have DHCP scope options that pass the phone its VLAN ID.  So I'm not entirely sure the switch is sending the VLAN ID in the TLV as you stated.  I'll mirror the traffic and see what I can find.

     

    I was thinking that one way to get around this would be to set up a UDR to put the phone in the VOIP VLAN right off the bat.  I'm going to give that a try and see how it pans out.



  • 4.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 10, 2013 03:41 PM

    Toggling the "voip-mode" knob to auto-discover is only for CDP devices and only takes effect when using "voip-profile" on a physical interface versus "voip-profile" in a user-role.

     

    The "voip-mode" knob is not to be confused with the ability to use a UDR to match on a "device-type equals phone". If using "voip-profile" on an interface or using AAA to put a phone in the right VLAN, you need to remove any DHCP scope options that may tell the phone to TAG. The switch must be responsible for this, otherwise the phone may TAG when we aren't expecting it and therefore we will not allow the traffic to pass.

     

    Can you supply your actual configuration and the outputs for "show station-table" and "show user-table verbose"?

     

    Best regards,

     

    Madani



  • 5.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 10, 2013 05:53 PM

    I'd like to avoid sharing the config over the forums.

     

    Attached is the output from the commands you asked for.

     

    The phone is working right now, so the attached command output may not be helpful.  Since I can't remove the scope options, production phones are using them, I'll change the access vlan in the switch profile to a vlan that doesn't include the scope options and reset the phone to see if it comes up in the correct VLAN.  Will post back with the results.

    Attachment: mas output.txt


  • 6.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 10, 2013 06:03 PM

    Yes, if you could get in the failed state, that would help.

     

    Best regards,

     

    Madani



  • 7.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 02:22 PM

    Is there any update to this? I'm running into this exact issue with an Avaya 1616. If the port is trusted, LLDP and voip-profile work great. With the port untrusted, nothing works. I see LLDP transmitting but no replies.

     

     



  • 8.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 02:24 PM

    If you could share your configuration and topology, I can help otherwise I recommend opening a TAC case.

     

    Best regards,

     

    Madani



  • 9.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 02:33 PM

    s2500 running 7.2.2.1

    Avaya 1616d01a phone

     

    Below are the profiles that don't work when the port is set to untrusted. Let me know what else you want to see. 

     

    interface gigabitethernet "0/0/1"
    lldp-profile "lldp-factory-initial"
    aaa-profile "phone_client"
    switching-profile "VLAN 50"
    no trusted port

    ___________________________________________________________________________________

     

    LLDP Profile "lldp-factory-initial"
    -----------------------------------
    Parameter Value
    --------- -----
    LLDP pdu transmit Enabled
    LLDP protocol receive processing Enabled
    LLDP transmit interval (Secs) 30
    LLDP transmit hold multiplier 4
    LLDP fast transmit interval (Secs) 1
    LLDP fast transmit counter 4
    LLDP-MED protocol Enabled
    Control proprietary neighbor discovery Disabled

    ___________________________________________________________________________________

     

     

    AAA Profile "phone_client"
    --------------------------
    Parameter Value
    --------- -----
    Initial role logon
    MAC Authentication Profile N/A
    MAC Authentication Default Role guest
    MAC Authentication Server Group default
    802.1X Authentication Profile N/A
    802.1X Authentication Default Role guest
    802.1X Authentication Server Group N/A
    Download Role from ClearPass Enabled
    L2 Authentication Fail Through Disabled
    RADIUS Accounting Server Group N/A
    RADIUS Interim Accounting Disabled
    XML API server N/A
    AAA unreachable role N/A
    RFC 3576 server N/A
    User derivation rules phoneudr
    SIP authentication role N/A
    Enforce DHCP Disabled
    Authentication Failure Blacklist Time 3600 sec

    ___________________________________________________________________________________

    (IDF 3 - Aruba Stack) #show aaa derivation-rules user phoneudr

    User Rule Table
    ---------------
    Priority Attribute Operation Operand Action Value Total Hits New Hits Description
    -------- --------- --------- ------- ------ ----- ---------- -------- -----------
    1 device-type equals phone set role phonerole 0 0

    Rule Entries: 1

     

    ___________________________________________________________________________________

     

    user-role phonerole
    voip-profile "DASD-Secondary-VOIP"
    access-list stateless allowall-stateless

     

    ___________________________________________________________________________________

    VoIP profile "DASD-Secondary-VOIP"
    ----------------------------------
    Parameter Value
    --------- -----
    VoIP VLAN 85
    DSCP 0
    802.1p 0
    VoIP Mode static



  • 10.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 02:35 PM

    Can you add the output of "show neighbor-devices", "show station-table", "show user-table" and "show interface gigabitethernet 0/0/1 switchport extensive"?



  • 11.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 02:39 PM

    See below. The phone currently is displaying "Bad Router?"

     

     

     

    (IDF 3 - Aruba Stack) #show neighbor-devices

    Capability codes: (R)Router, (B)Bridge, (A)Access Point, (P)Phone, (S)Station
    (r)Repeater, (O)Other
    Neighbor Devices Information
    ----------------------------
    Local Intf Chassis ID Protocol Capability Remote Intf Expiry (Secs) System Name
    ---------- ---------- -------- ---------- ----------- ------------- -----------
    GE0/0/47 00:1f:28:58:5d:c0 LLDP B 19 119 AD-NETOFF-2510

    Number of neighbors: 1

     

     

     

    (IDF 3 - Aruba Stack) #show station-table

    Station Entry
    -------------
    MAC Name Role Age(d:h:m) Auth AP name Essid Phy Remote Profile
    ------------ ------ ---- ---------- ---- ------- ----- --- ------ -------

    Station Entries: 0

     

     

     

    (IDF 3 - Aruba Stack) #show user-table

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----

    User Entries: 0/0

     

     

     

     

    (IDF 3 - Aruba Stack) #show interface gigabitethernet 0/0/1 switchport extensive

    GE0/0/1
    Link is Up
    Flags: Access, Untrusted

    VLAN membership:

    VLAN tag Tagness STP-State
    -------- -------- ---------
    50 Untagged FWD

     

     



  • 12.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 02:42 PM

    Hmm, so the phone isn't even showing up in the neighbor table. What version of code is this? There was an issue we resolved in 7.2.2.1 involving Avaya phones and LLDP. If you can, I would try that release to see if there is a different behavior, otherwise definitely open a TAC case.



  • 13.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 02:45 PM

    Already on 7.2.2.1

     

    (IDF 3 - Aruba Stack) #show ver

    Aruba Operating System Software.
    ArubaOS (MODEL: ArubaS2500-48P-US), Version 7.2.2.1
    Website: http://www.arubanetworks.com
    Copyright (c) 2002-2013, Aruba Networks, Inc.
    Compiled on 2013-06-19 at 07:05:29 PDT (build 38712) by p4build
    ROM: System Bootstrap, Version CPBoot 1.0.35.0 (build 33583)
    Built: 2012-05-08 00:37:08
    Built by: p4build@re_client_33583
    Switch uptime is 4 hours 34 minutes 21 seconds
    Reboot Cause: Power cycle/failure.
    Processor XLS 208 (revision A1) with 1023M bytes of memory.
    955M bytes of System flash



  • 14.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 02:49 PM

    So I set a (0/0/2) port to trusted with the lldp-factory-default and a standard voip-profile. Phone works and comes online. Curious that the MAC isn't showing in the station table still.

     

    (IDF 3 - Aruba Stack) #show neighbor-devices

    Capability codes: (R)Router, (B)Bridge, (A)Access Point, (P)Phone, (S)Station
    (r)Repeater, (O)Other
    Neighbor Devices Information
    ----------------------------
    Local Intf Chassis ID Protocol Capability Remote Intf Expiry (Secs) System Name
    ---------- ---------- -------- ---------- ----------- ------------- -----------
    GE0/0/2 172.16.128.12 LLDP B:P Not received 94 AVX396E9B
    GE0/0/47 00:1f:28:58:5d:c0 LLDP B 19 105 AD-NETOFF-2510

    Number of neighbors: 2

    (IDF 3 - Aruba Stack) #show station-table

    Station Entry
    -------------
    MAC Name Role Age(d:h:m) Auth AP name Essid Phy Remote Profile
    ------------ ------ ---- ---------- ---- ------- ----- --- ------ -------

    Station Entries: 0

    (IDF 3 - Aruba Stack) #show user-table

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----

    User Entries: 0/0

     

    (IDF 3 - Aruba Stack) #show interface gigabitethernet 0/0/2 switchport extensive

    GE0/0/2
    Link is Up
    Flags: Access, Trusted

    VLAN membership:

    VLAN tag Tagness STP-State
    -------- -------- ---------
    50 Untagged FWD
    85 Tagged FWD

     



  • 15.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 02:51 PM

    Station-table is used by AAA, so its not appearing is expected.

     

    When you put it back on 0/0/1, can you get into its menu and verify that it isn't tagging?



  • 16.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 02:53 PM

    I'm told that you can only program an IP from the phone menu. 

     

    The ultimate goal here is to set the port to untrusted, and use ClearPass to control auth but this piece is the sticking point. 



  • 17.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 02:56 PM

    Typically from the phone menu you can also see if it is hard set to send 802.1q tags in addition to IP information. If it is sending tags, that would explain the lack of station entry because we need to see an untagged packet first before we can run through authentication.
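    The two checks suggested in this thread (reply 2, step 3: confirm what VLAN the switch advertises in the LLDP-MED "Network Policy" TLV and whether the phone's DHCP request arrives tagged; reply 17: the switch needs an untagged frame from the phone before MAC auth can run) can be scripted against a port-mirror capture. The following is an added example, not code from the thread or from Aruba: it decodes the LLDP-MED Network Policy TLV (TIA OUI 00-12-BB, subtype 2, Voice application type) from raw Ethernet frames and reports which 802.1Q tags the phone used. The switch and phone MACs, the sample capture and the DHCP payload bytes are constructed for the example; a real run would read frames from a pcap of the phone port instead.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
DOT1Q_ETHERTYPE = 0x8100
IPV4_ETHERTYPE = 0x0800
LLDP_MCAST = bytes.fromhex("0180c200000e")
TIA_OUI = b"\x00\x12\xbb"      # OUI carried by LLDP-MED organizationally specific TLVs
MED_NETWORK_POLICY = 2         # LLDP-MED TLV subtype: Network Policy
APP_TYPE_VOICE = 1             # LLDP-MED application type: Voice


def parse_ethernet(frame):
    """Split a raw frame into (ethertype, 802.1Q VLAN ID or None, payload)."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == DOT1Q_ETHERTYPE:
        tci, inner = struct.unpack_from("!HH", frame, 14)
        return inner, tci & 0x0FFF, frame[18:]
    return ethertype, None, frame[14:]


def iter_lldp_tlvs(payload):
    """Yield (type, value) for each TLV; stop at the End-of-LLDPDU TLV (type 0)."""
    off = 0
    while off + 2 <= len(payload):
        hdr, = struct.unpack_from("!H", payload, off)
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF
        off += 2
        if tlv_type == 0:
            return
        yield tlv_type, payload[off:off + tlv_len]
        off += tlv_len


def voice_network_policy(frame):
    """Decode the LLDP-MED Network Policy TLV for Voice from an LLDP frame, else None."""
    ethertype, _, payload = parse_ethernet(frame)
    if ethertype != LLDP_ETHERTYPE:
        return None
    for tlv_type, value in iter_lldp_tlvs(payload):
        if tlv_type != 127 or value[:4] != TIA_OUI + bytes([MED_NETWORK_POLICY]):
            continue
        if value[4] != APP_TYPE_VOICE:
            continue
        # 24 bits: U(1) | T(1) | X(1) | VLAN ID(12) | L2 priority(3) | DSCP(6)
        bits = int.from_bytes(value[5:8], "big")
        return {
            "unknown_policy": bool((bits >> 23) & 1),
            "tagged": bool((bits >> 22) & 1),
            "vlan": (bits >> 9) & 0x0FFF,
            "priority": (bits >> 6) & 0x7,
            "dscp": bits & 0x3F,
        }
    return None


def summarize_capture(frames):
    """Assumes the capture holds only the switch's LLDP and the phone's own frames."""
    summary = {"advertised_voice_vlan": None, "phone_tagged_vlans": set(),
               "first_phone_frame_tagged": None}
    for frame in frames:
        policy = voice_network_policy(frame)
        if policy is not None:
            summary["advertised_voice_vlan"] = policy["vlan"]
            continue
        _, vid, _ = parse_ethernet(frame)
        if summary["first_phone_frame_tagged"] is None:
            # A phone that tags its very first frame never gets a station entry (reply 17).
            summary["first_phone_frame_tagged"] = vid is not None
        if vid is not None:
            summary["phone_tagged_vlans"].add(vid)
    return summary


# --- builders used only to construct the sample capture below ---
def tlv(tlv_type, value):
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_voice_policy_tlv(vlan, priority=0, dscp=0, tagged=True):
    bits = (int(tagged) << 22) | ((vlan & 0x0FFF) << 9) | ((priority & 7) << 6) | (dscp & 0x3F)
    return tlv(127, TIA_OUI + bytes([MED_NETWORK_POLICY, APP_TYPE_VOICE]) + bits.to_bytes(3, "big"))


def build_lldp_frame(src_mac, port_name, extra_tlvs=b""):
    body = (tlv(1, b"\x04" + src_mac)                 # Chassis ID, subtype 4 = MAC address
            + tlv(2, b"\x05" + port_name.encode())     # Port ID, subtype 5 = interface name
            + tlv(3, struct.pack("!H", 120))           # TTL
            + extra_tlvs + tlv(0, b""))                # End of LLDPDU
    return LLDP_MCAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + body


def build_frame(dst, src, payload, vlan=None):
    tag = struct.pack("!HH", DOT1Q_ETHERTYPE, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", IPV4_ETHERTYPE) + payload


# Constructed capture: switch advertises voice VLAN 85 (the thread's VoIP profile value),
# then the phone sends a DHCP Discover tagged 85, then an untagged one. The payload is a
# placeholder, not a real IP/UDP/DHCP packet.
SWITCH_MAC = bytes.fromhex("000b86000001")   # constructed
PHONE_MAC = bytes.fromhex("001b4f000002")    # constructed
BROADCAST = b"\xff" * 6
SAMPLE_CAPTURE = [
    build_lldp_frame(SWITCH_MAC, "0/0/1", build_voice_policy_tlv(85)),
    build_frame(BROADCAST, PHONE_MAC, b"DHCPDISCOVER", vlan=85),
    build_frame(BROADCAST, PHONE_MAC, b"DHCPDISCOVER"),
]

if __name__ == "__main__":
    print(summarize_capture(SAMPLE_CAPTURE))
```

If `advertised_voice_vlan` is None the switch is not sending the policy on that port (the LLDP profile or role side); if it is set but `first_phone_frame_tagged` is True the phone is tagging before authentication, which is the DHCP-scope-option or cached-setting case discussed later in the thread.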



  • 18.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 03:01 PM

    When the phone comes up in port 0/0/2, I can get into the menu and 802.1Q is set to "AUTO".

     

    With the phone in 0/0/1, the phone doesn't come up and the menu button is locked out and you can only program an IP. 



  • 19.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 03:03 PM

    Can you set it to "none" or similar and see if there is any difference in behavior on 0/0/1?



  • 20.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 03:19 PM

    I set it to 0.0.0.0 which let me get further into the 802.1Q settings, which are still set for AUTO. However, it appears to be caching the voice vlan 85 from previous configs. 



  • 21.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 03:23 PM

    So it went through 2 minutes of DHCP'ing, now it's online and my AAA derivation rules are working correctly. Odd but appears to be functioning normally. I'm going to add the AAA derivation rules to my MAC auth and 802.1x AAA profiles and see if that is good too. 



  • 22.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 03:24 PM

    So just letting it sit there corrected the issue?



  • 23.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 03:26 PM

    I think it was caching all the previous settings from being connected before and not actually DHCP'ing but trying to use all the same settings. I'm verifying. 



  • 24.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 03:45 PM

    I verified it's working now - MAB auth to clearpass too. Plus 802.1x on a computer behind the phone. 



  • 25.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 03:48 PM

    Awesome!



  • 26.  RE: MAC Auth + LLDP + Phone, Problems

    Posted Jul 29, 2013 04:38 PM

    Yes! Thanks for your help.