Wired Intelligent Edge

Hi,

I'm kinda out of ideas, So I'm hoping on some experiences from my fellow network engineers.

Situation:
Client asked to install some Mitel Phones on a new site. where we have UBT on Access switches and no vlan available on the switches. NAC with Clearpass and access devices are AOS-CX 6200

Mitel 6863i Phone does reboot multiple times (3/4 times when fresh out-of-the box)

There's an FTP server for firmware and it's getting there through SCOPE options when getting a DHCP adres.

Everything fine so far, so Phone boots, gets an IP, downloads and installs firmware

REBOOT

And now the phone is stuck in a DHCP Discover and Offer loop. Phone does not Request a DHCP adress.

After a ton of troubleshooting we can conclude Clearpass is not interfering. Phone gets authenticated, the phone gets a role and the phone keeps authenticated while rebooting.

How do I know?

After another ton of tests I disabled 802.1X configuration on the switch and the phone boots like a charm. :O.

One step closer, So I started tested with several port options:

aaa port-access onboarding-method concurrent enable

aaa authentication port-access auth-precedence mac-auth dot1x

aaa authentication port-access dot1x authenticator

eapol-timeout X

initial-auth-response-timeout X

max-eapol-requests X

max-retries X

Several different values, different combinations. But nothing seems to work

only difference with these extra options is that i can trigger some progress by manually rebooting the phone.

Have been in a call with ERT egineers from Aruba (Clearpass/switching) no solution yet.

Could it be that your phones (after fully provisioned, upgraded to latest version) attempt 802.1X authentication but fail as they have not been configured correctly, or that ClearPass is not configured to handle 802.1X for those phones (client root CA imported, trusted for EAP)?

It would help to see the show the 'show port-access clients 1/1/1 detail' (assuming phone connected on interface 1/1/1) when the issue happens to see the mac/802.1X status.

Hi,

I'm kinda out of ideas, So I'm hoping on some experiences from my fellow network engineers.

Situation:
Client asked to install some Mitel Phones on a new site. where we have UBT on Access switches and no vlan available on the switches. NAC with Clearpass and access devices are AOS-CX 6200

Mitel 6863i Phone does reboot multiple times (3/4 times when fresh out-of-the box)

There's an FTP server for firmware and it's getting there through SCOPE options when getting a DHCP adres.

Everything fine so far, so Phone boots, gets an IP, downloads and installs firmware

REBOOT

And now the phone is stuck in a DHCP Discover and Offer loop. Phone does not Request a DHCP adress.

After a ton of troubleshooting we can conclude Clearpass is not interfering. Phone gets authenticated, the phone gets a role and the phone keeps authenticated while rebooting.

How do I know?

After another ton of tests I disabled 802.1X configuration on the switch and the phone boots like a charm. :O.

One step closer, So I started tested with several port options:

aaa port-access onboarding-method concurrent enable

aaa authentication port-access auth-precedence mac-auth dot1x

aaa authentication port-access dot1x authenticator

eapol-timeout X

initial-auth-response-timeout X

max-eapol-requests X

max-retries X

Several different values, different combinations. But nothing seems to work

only difference with these extra options is that i can trigger some progress by manually rebooting the phone.

Have been in a call with ERT egineers from Aruba (Clearpass/switching) no solution yet.

Also it would  help to look into Access Tracker record. Specifically in Output section. Is it possible that you send the wrong attribute values to the switch, like vlan that do not exist on switch? Maybe spelling of vlan name (been there, lost a lot of time)?

Best, Gorazd

Could it be that your phones (after fully provisioned, upgraded to latest version) attempt 802.1X authentication but fail as they have not been configured correctly, or that ClearPass is not configured to handle 802.1X for those phones (client root CA imported, trusted for EAP)?

It would help to see the show the 'show port-access clients 1/1/1 detail' (assuming phone connected on interface 1/1/1) when the issue happens to see the mac/802.1X status.

Hi,

I'm kinda out of ideas, So I'm hoping on some experiences from my fellow network engineers.

Situation:
Client asked to install some Mitel Phones on a new site. where we have UBT on Access switches and no vlan available on the switches. NAC with Clearpass and access devices are AOS-CX 6200

Mitel 6863i Phone does reboot multiple times (3/4 times when fresh out-of-the box)

There's an FTP server for firmware and it's getting there through SCOPE options when getting a DHCP adres.

Everything fine so far, so Phone boots, gets an IP, downloads and installs firmware

REBOOT

And now the phone is stuck in a DHCP Discover and Offer loop. Phone does not Request a DHCP adress.

After a ton of troubleshooting we can conclude Clearpass is not interfering. Phone gets authenticated, the phone gets a role and the phone keeps authenticated while rebooting.

How do I know?

After another ton of tests I disabled 802.1X configuration on the switch and the phone boots like a charm. :O.

One step closer, So I started tested with several port options:

aaa port-access onboarding-method concurrent enable

aaa authentication port-access auth-precedence mac-auth dot1x

aaa authentication port-access dot1x authenticator

eapol-timeout X

initial-auth-response-timeout X

max-eapol-requests X

max-retries X

Several different values, different combinations. But nothing seems to work

only difference with these extra options is that i can trigger some progress by manually rebooting the phone.

Have been in a call with ERT egineers from Aruba (Clearpass/switching) no solution yet.

Also it would  help to look into Access Tracker record. Specifically in Output section. Is it possible that you send the wrong attribute values to the switch, like vlan that do not exist on switch? Maybe spelling of vlan name (been there, lost a lot of time)?

Best, Gorazd

Could it be that your phones (after fully provisioned, upgraded to latest version) attempt 802.1X authentication but fail as they have not been configured correctly, or that ClearPass is not configured to handle 802.1X for those phones (client root CA imported, trusted for EAP)?

It would help to see the show the 'show port-access clients 1/1/1 detail' (assuming phone connected on interface 1/1/1) when the issue happens to see the mac/802.1X status.

Hi,

I'm kinda out of ideas, So I'm hoping on some experiences from my fellow network engineers.

Situation:
Client asked to install some Mitel Phones on a new site. where we have UBT on Access switches and no vlan available on the switches. NAC with Clearpass and access devices are AOS-CX 6200

Mitel 6863i Phone does reboot multiple times (3/4 times when fresh out-of-the box)

There's an FTP server for firmware and it's getting there through SCOPE options when getting a DHCP adres.

Everything fine so far, so Phone boots, gets an IP, downloads and installs firmware

REBOOT

And now the phone is stuck in a DHCP Discover and Offer loop. Phone does not Request a DHCP adress.

After a ton of troubleshooting we can conclude Clearpass is not interfering. Phone gets authenticated, the phone gets a role and the phone keeps authenticated while rebooting.

How do I know?

After another ton of tests I disabled 802.1X configuration on the switch and the phone boots like a charm. :O.

One step closer, So I started tested with several port options:

aaa port-access onboarding-method concurrent enable

aaa authentication port-access auth-precedence mac-auth dot1x

aaa authentication port-access dot1x authenticator

eapol-timeout X

initial-auth-response-timeout X

max-eapol-requests X

max-retries X

Several different values, different combinations. But nothing seems to work

only difference with these extra options is that i can trigger some progress by manually rebooting the phone.

Have been in a call with ERT egineers from Aruba (Clearpass/switching) no solution yet.

Could it be that your phones (after fully provisioned, upgraded to latest version) attempt 802.1X authentication but fail as they have not been configured correctly, or that ClearPass is not configured to handle 802.1X for those phones (client root CA imported, trusted for EAP)?

It would help to see the show the 'show port-access clients 1/1/1 detail' (assuming phone connected on interface 1/1/1) when the issue happens to see the mac/802.1X status.

Hi,

I'm kinda out of ideas, So I'm hoping on some experiences from my fellow network engineers.

Situation:
Client asked to install some Mitel Phones on a new site. where we have UBT on Access switches and no vlan available on the switches. NAC with Clearpass and access devices are AOS-CX 6200

Mitel 6863i Phone does reboot multiple times (3/4 times when fresh out-of-the box)

There's an FTP server for firmware and it's getting there through SCOPE options when getting a DHCP adres.

Everything fine so far, so Phone boots, gets an IP, downloads and installs firmware

REBOOT

And now the phone is stuck in a DHCP Discover and Offer loop. Phone does not Request a DHCP adress.

After a ton of troubleshooting we can conclude Clearpass is not interfering. Phone gets authenticated, the phone gets a role and the phone keeps authenticated while rebooting.

How do I know?

After another ton of tests I disabled 802.1X configuration on the switch and the phone boots like a charm. :O.

One step closer, So I started tested with several port options:

aaa port-access onboarding-method concurrent enable

aaa authentication port-access auth-precedence mac-auth dot1x

aaa authentication port-access dot1x authenticator

eapol-timeout X

initial-auth-response-timeout X

max-eapol-requests X

max-retries X

Several different values, different combinations. But nothing seems to work

only difference with these extra options is that i can trigger some progress by manually rebooting the phone.

Have been in a call with ERT egineers from Aruba (Clearpass/switching) no solution yet.

Hi @Herman Robers

I've checked with Wireshark to confirm, but no EAPOL has ever been sent and 802.1x is not enabled on the phone. 

output: 

Could it be that your phones (after fully provisioned, upgraded to latest version) attempt 802.1X authentication but fail as they have not been configured correctly, or that ClearPass is not configured to handle 802.1X for those phones (client root CA imported, trusted for EAP)?

It would help to see the show the 'show port-access clients 1/1/1 detail' (assuming phone connected on interface 1/1/1) when the issue happens to see the mac/802.1X status.

Hi,

I'm kinda out of ideas, So I'm hoping on some experiences from my fellow network engineers.

Situation:
Client asked to install some Mitel Phones on a new site. where we have UBT on Access switches and no vlan available on the switches. NAC with Clearpass and access devices are AOS-CX 6200

Mitel 6863i Phone does reboot multiple times (3/4 times when fresh out-of-the box)

There's an FTP server for firmware and it's getting there through SCOPE options when getting a DHCP adres.

Everything fine so far, so Phone boots, gets an IP, downloads and installs firmware

REBOOT

And now the phone is stuck in a DHCP Discover and Offer loop. Phone does not Request a DHCP adress.

After a ton of troubleshooting we can conclude Clearpass is not interfering. Phone gets authenticated, the phone gets a role and the phone keeps authenticated while rebooting.

How do I know?

After another ton of tests I disabled 802.1X configuration on the switch and the phone boots like a charm. :O.

One step closer, So I started tested with several port options:

aaa port-access onboarding-method concurrent enable

aaa authentication port-access auth-precedence mac-auth dot1x

aaa authentication port-access dot1x authenticator

eapol-timeout X

initial-auth-response-timeout X

max-eapol-requests X

max-retries X

Several different values, different combinations. But nothing seems to work

only difference with these extra options is that i can trigger some progress by manually rebooting the phone.

Have been in a call with ERT egineers from Aruba (Clearpass/switching) no solution yet.

I had a similar issue and the problem was the phones were sticking on their current configuration which was originally a tagged vlan.

Phones also stuck on "discovering"

After I cleared the phone configs  - like a factory reset of sorts on the phone they worked fine.

I was moving away from tagged vlan to untagged at the time, but the tagged vlan config appeared to be "sticky" on the phones themselves.

Hi @Herman Robers

I've checked with Wireshark to confirm, but no EAPOL has ever been sent and 802.1x is not enabled on the phone. 

output: 

Could it be that your phones (after fully provisioned, upgraded to latest version) attempt 802.1X authentication but fail as they have not been configured correctly, or that ClearPass is not configured to handle 802.1X for those phones (client root CA imported, trusted for EAP)?

It would help to see the show the 'show port-access clients 1/1/1 detail' (assuming phone connected on interface 1/1/1) when the issue happens to see the mac/802.1X status.

Hi,

I'm kinda out of ideas, So I'm hoping on some experiences from my fellow network engineers.

Situation:
Client asked to install some Mitel Phones on a new site. where we have UBT on Access switches and no vlan available on the switches. NAC with Clearpass and access devices are AOS-CX 6200

Mitel 6863i Phone does reboot multiple times (3/4 times when fresh out-of-the box)

There's an FTP server for firmware and it's getting there through SCOPE options when getting a DHCP adres.

Everything fine so far, so Phone boots, gets an IP, downloads and installs firmware

REBOOT

And now the phone is stuck in a DHCP Discover and Offer loop. Phone does not Request a DHCP adress.

After a ton of troubleshooting we can conclude Clearpass is not interfering. Phone gets authenticated, the phone gets a role and the phone keeps authenticated while rebooting.

How do I know?

After another ton of tests I disabled 802.1X configuration on the switch and the phone boots like a charm. :O.

One step closer, So I started tested with several port options:

aaa port-access onboarding-method concurrent enable

aaa authentication port-access auth-precedence mac-auth dot1x

aaa authentication port-access dot1x authenticator

eapol-timeout X

initial-auth-response-timeout X

max-eapol-requests X

max-retries X

Several different values, different combinations. But nothing seems to work

only difference with these extra options is that i can trigger some progress by manually rebooting the phone.

Have been in a call with ERT egineers from Aruba (Clearpass/switching) no solution yet.

Maybe run a port-mirror and see what is is happening on the interface and if the traffic is tagged or untagged and to get a clue where the mismatch is.

I had a similar issue and the problem was the phones were sticking on their current configuration which was originally a tagged vlan.

Phones also stuck on "discovering"

After I cleared the phone configs  - like a factory reset of sorts on the phone they worked fine.

I was moving away from tagged vlan to untagged at the time, but the tagged vlan config appeared to be "sticky" on the phones themselves.

Hi @Herman Robers

I've checked with Wireshark to confirm, but no EAPOL has ever been sent and 802.1x is not enabled on the phone. 

output: 

Could it be that your phones (after fully provisioned, upgraded to latest version) attempt 802.1X authentication but fail as they have not been configured correctly, or that ClearPass is not configured to handle 802.1X for those phones (client root CA imported, trusted for EAP)?

It would help to see the show the 'show port-access clients 1/1/1 detail' (assuming phone connected on interface 1/1/1) when the issue happens to see the mac/802.1X status.

Hi,

I'm kinda out of ideas, So I'm hoping on some experiences from my fellow network engineers.

Situation:
Client asked to install some Mitel Phones on a new site. where we have UBT on Access switches and no vlan available on the switches. NAC with Clearpass and access devices are AOS-CX 6200

Mitel 6863i Phone does reboot multiple times (3/4 times when fresh out-of-the box)

There's an FTP server for firmware and it's getting there through SCOPE options when getting a DHCP adres.

Everything fine so far, so Phone boots, gets an IP, downloads and installs firmware

REBOOT

And now the phone is stuck in a DHCP Discover and Offer loop. Phone does not Request a DHCP adress.

After a ton of troubleshooting we can conclude Clearpass is not interfering. Phone gets authenticated, the phone gets a role and the phone keeps authenticated while rebooting.

How do I know?

After another ton of tests I disabled 802.1X configuration on the switch and the phone boots like a charm. :O.

One step closer, So I started tested with several port options:

aaa port-access onboarding-method concurrent enable

aaa authentication port-access auth-precedence mac-auth dot1x

aaa authentication port-access dot1x authenticator

eapol-timeout X

initial-auth-response-timeout X

max-eapol-requests X

max-retries X

Several different values, different combinations. But nothing seems to work

only difference with these extra options is that i can trigger some progress by manually rebooting the phone.

Have been in a call with ERT egineers from Aruba (Clearpass/switching) no solution yet.

I had a similar issue and the problem was the phones were sticking on their current configuration which was originally a tagged vlan.

Phones also stuck on "discovering"

After I cleared the phone configs  - like a factory reset of sorts on the phone they worked fine.

I was moving away from tagged vlan to untagged at the time, but the tagged vlan config appeared to be "sticky" on the phones themselves.

Hi @Herman Robers

I've checked with Wireshark to confirm, but no EAPOL has ever been sent and 802.1x is not enabled on the phone. 

output: 

Could it be that your phones (after fully provisioned, upgraded to latest version) attempt 802.1X authentication but fail as they have not been configured correctly, or that ClearPass is not configured to handle 802.1X for those phones (client root CA imported, trusted for EAP)?

It would help to see the show the 'show port-access clients 1/1/1 detail' (assuming phone connected on interface 1/1/1) when the issue happens to see the mac/802.1X status.

Hi,

I'm kinda out of ideas, So I'm hoping on some experiences from my fellow network engineers.

Situation:
Client asked to install some Mitel Phones on a new site. where we have UBT on Access switches and no vlan available on the switches. NAC with Clearpass and access devices are AOS-CX 6200

Mitel 6863i Phone does reboot multiple times (3/4 times when fresh out-of-the box)

There's an FTP server for firmware and it's getting there through SCOPE options when getting a DHCP adres.

Everything fine so far, so Phone boots, gets an IP, downloads and installs firmware

REBOOT

And now the phone is stuck in a DHCP Discover and Offer loop. Phone does not Request a DHCP adress.

After a ton of troubleshooting we can conclude Clearpass is not interfering. Phone gets authenticated, the phone gets a role and the phone keeps authenticated while rebooting.

How do I know?

After another ton of tests I disabled 802.1X configuration on the switch and the phone boots like a charm. :O.

One step closer, So I started tested with several port options:

aaa port-access onboarding-method concurrent enable

aaa authentication port-access auth-precedence mac-auth dot1x

aaa authentication port-access dot1x authenticator

eapol-timeout X

initial-auth-response-timeout X

max-eapol-requests X

max-retries X

Several different values, different combinations. But nothing seems to work

only difference with these extra options is that i can trigger some progress by manually rebooting the phone.

Have been in a call with ERT egineers from Aruba (Clearpass/switching) no solution yet.