
Polycom phones on authenticating switch: multiple lockups and reboots required

  • 1.  Polycom phones on authenticating switch: multiple lockups and reboots required

    Posted May 22, 2024 04:59 AM

    Hi,

    In the process of rolling out 802.1X and MAC auth via ClearPass DURs to our estate.

    Currently CPPM is running in monitor mode and generating reports so we can see what is on the network and then create appropriate roles and enforcement policies.

    Switches (2930s) running WC.16.111.13 firmware and configured to use DURs. Local user roles created that do an IPv4 "allow all" and assigned to the initial and critical roles.

    Before authentication:

    Polycom phones connected to switch ports with an untagged VLAN and a tagged voice VLAN. Phones get an IP in the untagged VLAN with a DHCP option specifying a URL to get the config file. The phone then drops into the tagged VLAN and everything works.

    With MAC auth / 802.1X auth on the switch port:

    sh lldp inf r shows me the ports with phones.

    sh port-access clients shows me MAC auth for phones and the tagged/untagged VLANs on the port.

    Local user roles define a reauth time of 1 hour.

    Looking on CPPM I can see phones authenticating every hour, then.....

    phones start dropping out of the tagged VLAN, back onto the untagged VLAN and back onto the tagged VLAN.

    BUT, debug on the phone sees them getting different IP addresses on the untagged/tagged VLANs and I can't see why that is happening; I'd have expected the same IP address.

    IP scopes on Infoblox DHCP show plenty of IP addresses in the VLAN pools. Lease time 2 days.

    Annoyingly this config is estate-wide (lots of sites) and we only have 1 site that is seeing these issues... and I don't know why.

    Normally I'd use the DUR to pass back a tagged VLAN for the phones but am in the no man's land of having to run CPPM in monitor mode.

    Any pointers appreciated.

    Was thinking of moving the phone switch port to an untagged VLAN without the DHCP URL and then using LLDP to say use this tagged VLAN.

    Just need a nudge in the right direction.

    Rgds A



  • 2.  RE: Polycom phones on authenticating switch: multiple lockups and reboots required

    Posted May 28, 2024 08:25 AM

    This is hard to troubleshoot like this. If you can do interactive troubleshooting, it may be much easier to try a few things and see what happens. Your partner or TAC may be good to support in that.

    Note that in monitor mode, ClearPass is expected to only return an Access Accept, so while it displays that it (would) return(s) a role/DUR, it does not. So not sure why you see tagged VLANs, except if that config is on the switch port already.

    You may consider getting rid of tagged VLANs for your phones, and just handle them in a native VLAN. The 2930F supports multiple clients untagged on the same port but in different VLANs. Tagged voice VLANs in the past were needed to keep voice traffic in a separate VLAN; with port-access security you can handle that the same way in the native VLAN.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------