Very strange... when enabling user-roles again, the VOIP-Phone will receive the config
0096:00:17:03.07 MAC mWebAuth:Port: 42 now off-line.
0096:00:17:07.17 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 new client detected
on vid: 4095.
0096:00:17:07.17 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS CHAP
authentication started, session: 2003.
0096:00:17:07.17 MAC eDrvPoll:Port: 42 MAC: 00809f-e981c4 rejected during
demux, known unauth client.
0096:00:17:07.20 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS Attributes,
tagged vid: 820.
0096:00:17:07.20 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 [2003] client
accepted with role 'VOIP-Phone-AOSSW'.
0096:00:17:07.20 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 client successfully
placed into vid: 0.
My VOIP policy had a class-any deny at the end, and that rule blocked something I cannot describe. When I set it to permit, it worked.
Original Message:
Sent: Feb 15, 2024 05:53 AM
From: erik.boss
Subject: VoIP-Phone mac-auth issue on Aruba OS switch
Hi Waldemar,
understood. I really don't want to make it difficult.
The VLAN name exists on the switch.
For the test I put the switch port untagged in VLAN 820. Does not work. The phone will not get its config.
Putting the switch port tagged in VLAN 820, it works straight away.
So I know the phone must have a tagged VLAN 820.
I add a VLAN enforcement profile to set the VOIP-Phone to VLAN 820. The switch wants to apply a user-role.
0096:00:04:20.98 MAC mWebAuth:Port: 42 now off-line.
0096:00:04:25.20 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 new client detected
on vid: 4095.
0096:00:04:25.20 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS CHAP
authentication started, session: 1995.
0096:00:04:25.20 MAC eDrvPoll:Port: 42 MAC: 00809f-e981c4 rejected during
demux, known unauth client.
0096:00:04:25.23 MAC mWebAuth:Failed to apply user role to macAuth client
00809FE981C4 on port 42: user role is invalid.
0096:00:04:25.23 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 error when processing
user-role in dcaRadiusProcessUserRole.
0096:00:04:25.23 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 [1995] assigned role
'(null)' failed, attempting to apply initial role.
0096:00:04:25.23 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS Attributes,
vid: 82.
0096:00:04:25.24 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 [1995] client
accepted with role 'Guest'.
0096:00:04:25.24 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 client successfully

When I set "no aaa authorization user-role enable", the VOIP-Phone works.
My conclusion is that user-role will not work for VOIP-phones.
Original Message:
Sent: Feb 15, 2024 05:06 AM
From: lord
Subject: VoIP-Phone mac-auth issue on Aruba OS switch
Hi Eric,
the switch says it is not an authentication issue.
The client on port 42 has been authenticated for 456 seconds, and the user role VOIP-Phone-AOSSW is applied.
The role uses the VLAN NLISOVOIPPHONE. Is it available on the switch?
The VLAN is defined as untagged. Does the phone also tag the traffic in the VLAN or is the traffic untagged?
Don't make your life unnecessarily complicated. As Herman has written, the tagged VLANs on the switch port are no longer needed. During 802.1X authentication, corresponding VLANs can be assigned dynamically. If a PC is connected behind the phone, it will get its own VLAN from ClearPass. The switch will start a separate radius session for the PC and place the traffic in the assigned VLAN.
Just try to set the VLAN in ClearPass instead of the user role - tagged or untagged - depending on how the phone needs it.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Feb 15, 2024 04:40 AM
From: erik.boss
Subject: VoIP-Phone mac-auth issue on Aruba OS switch
Hi Waldemar,
I thought I found the issue: TFTP was not added in a policy. To be sure, I tested with a class-any action permit; also not working.
show port-access config
Port Access Status Summary
Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Use LLDP data to authenticate [No] : No
Dot1X EAP Identifier Compliance [Disabled] : Disabled
Allow incremental EAP identifier only [Disabled] : Disabled
       802.1X  802.1X  Web   Mac   LMA   Cntrl  Mixed  Speed
Port   Supp    Auth    Auth  Auth  Auth  Dir    Mode   VSA    MBV
42     No      No      No    Yes   No    in     No     No     Yes
sh port-access clients detailed 42
Port Access Client Status Detail
Client Base Details :
Port : 42 Authentication Type : mac-based
Client Status : authenticated Session Time : 456 seconds
Client Name : 00809fe981c4 Session Timeout : 0 seconds
MAC Address : 00809f-e981c4
IP : 172.21.244.15
Auth Order : 8021x, Mac-Auth
Auth Priority : Mac-Auth, 8021x
LMA Fallback : Disabled
User Role Information
Name : VOIP-Phone-AOSSW
Type : local
Reauthentication Period (seconds) : 0
Cached Reauth Period (seconds) : 0
Untagged VLAN : 820
Tagged VLANs :
Captive Portal Profile :
Policy : policy-VOIP
Statements for policy "policy-VOIP"
policy user "policy-VOIP"
10 class ipv4 "class-any" action permit
exit
Statements for class IPv4 "class-any"
class ipv4 "class-any"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
Device Attributes : Disabled
Client-Limit Mac-based :
Client-Limit Dot1x :
From ClearPass I only sent this role to the switch, with no further VSA.
Aruba-User-Role does not work; I receive a failed message in the log.
show user-role VOIP-Phone-AOSSW
User Role Information
Name : VOIP-Phone-AOSSW
Type : local
Reauthentication Period (seconds) : 0
Cached Reauth Period (seconds) : 0
Untagged VLAN : NLISOVOIPPHONE
Tagged VLAN :
Captive Portal Profile :
Policy : policy-VOIP
Device Attributes : Disabled
Client-Limit Mac-based :
Client-Limit Dot1x :
The phone is not provisioned. I can see in the Wireshark trace that the phone is trying to download its config and settings from the TFTP server every time it boots up.
Original Message:
Sent: Feb 15, 2024 04:30 AM
From: lord
Subject: VoIP-Phone mac-auth issue on Aruba OS switch
Hello Eric,
please post the following command output:
show port-access config
sh port-access clients detailed 42
Post the ClearPass enforcement profiles.
Are you sending RADIUS attributes for VLAN tagging and Aruba-User-Role at the same time?
Use either VLAN attributes or Aruba-User-Role attributes in the enforcement.
Is the VoIP phone already provisioned and tagging its traffic?
Or is it trying to download its configuration from the TFTP server and the traffic is not tagged yet?
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Feb 14, 2024 10:24 AM
From: erik.boss
Subject: VoIP-Phone mac-auth issue on Aruba OS switch
Hi,
It's an Aruba 2540, it receives the VLAN ID from Aruba ClearPass, and there is a voice server in the voice VLAN itself. Phones receive an IP from a DHCP server.
DHCP works.
The phone knows about the tagged VLAN from the local user-role on the switch itself. Yes, I know this can be done by ClearPass as well, but that will cost me too much time.
On the port with no MAC auth, no LLDP or device identity is configured. Only a tagged voice VLAN, with the voice tag.
Phones are from Alcatel Lucent
Is that enough info?
Original Message:
Sent: Feb 14, 2024 08:52 AM
From: ahollifield
Subject: VoIP-Phone mac-auth issue on Aruba OS switch
What is the switch? What is the phone? How does the phone know about the tagged VLAN? LLDP? DHCP option? Manually configured?
Original Message:
Sent: Feb 14, 2024 06:45 AM
From: erik.boss
Subject: VoIP-Phone mac-auth issue on Aruba OS switch
Hi Guys,
I have a strange issue with VOIP-phones.
The standard interface:
untagged vlan X (client)
tagged vlan 820 (voice)
I need to put the VOIP-phones in this VLAN 820 with ClearPass and MAC authentication.
Easy peasy, but the phone cannot connect to the TFTP server.
User-role on the switch
aaa authorization user-role name "VOIP-Phone-AOSSW"
policy "policy-VOIP"
vlan-name-tagged NLISOVOIPPHONE (vlan 820)
exit
Debugging on the switch
0095:00:42:12.99 MAC mWebAuth:Port: 42 now off-line.
0095:00:42:16.97 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 new client detected
on vid: 1.
0095:00:42:16.97 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS CHAP
authentication started, session: 1963.
0095:00:42:16.97 MAC eDrvPoll:Port: 42 MAC: 00809f-e981c4 rejected during
demux, known unauth client.
0095:00:42:16.99 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS Attributes,
tagged vid: 820.
0095:00:42:17.00 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 [1963] client
accepted with role 'VOIP-Phone-AOSSW'.
0095:00:42:17.00 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 client successfully
placed into vid: 0.
Changing the user-role on the switch to
aaa authorization user-role name "VOIP-Phone-AOSSW"
policy "policy-VOIP"
vlan-name NLISOVOIPPHONE
exit
0095:00:46:30.06 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 client
deauthenticated from all.
0095:00:46:30.06 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 client
deauthenticated.
0095:00:46:30.06 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 Deauthentication
request received
0095:00:46:30.06 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 Deauthentication
request received
0095:00:46:33.14 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 new client detected
on vid: 820.
0095:00:46:33.14 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS CHAP
authentication started, session: 1966.
0095:00:46:33.16 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS Attributes,
vid: 820.
0095:00:46:33.17 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 [1966] client
accepted with role 'VOIP-Phone-AOSSW'.
0095:00:46:33.17 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 client successfully
placed into vid: 820.
So I thought this must work. It took very long to receive an IP address, and the phone was not able to download its config.
Also checked it with Wireshark. Everything seems to be fine, no blocks.
The TFTP server is in the same vlan.
Without authentication, the phone is up and running in 30 seconds.
What could be the issue?
Best regards,
Erik
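The switch debug output quoted throughout this thread is easy to misread by eye: the session id only appears on some lines, long messages are wrapped onto a second line, and the difference between "RADIUS Attributes, tagged vid: 820" followed by "placed into vid: 0" (role delivers the VLAN tagged only, so the phone has no untagged VLAN and must tag its own frames) and "Failed to apply user role ... user role is invalid" followed by "accepted with role 'Guest'" (RADIUS role rejected, initial role applied) is exactly what the thread turned on. The Python below is an added example, not code from the thread or from Aruba: it re-joins wrapped lines, groups messages per RADIUS session and reports those two conditions. The `Session` record and the findings wording are my own naming, and the sample log is constructed in the format of the posted output (the last "placed into vid" line of the failed-role session is filled in, since the post truncated it).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A message starts with "dddd:hh:mm:ss.cc "; the switch wraps long messages,
# so a line without that prefix continues the previous message.
TS_RE = re.compile(r"^\d{4}:\d{2}:\d{2}:\d{2}\.\d{2} ")
PORT_RE = re.compile(r"[Pp]ort:? (\d+)")
START_RE = re.compile(r"Port: (\d+) MAC: ([0-9a-f-]+) .*authentication started, session: (\d+)\.")
ACCEPT_RE = re.compile(r"\[(\d+)\] client accepted with role '([^']*)'")
INVALID_RE = re.compile(r"Failed to apply user role .*: user role is invalid")
TAGGED_RE = re.compile(r"RADIUS Attributes, tagged vid: (\d+)")
UNTAGGED_RE = re.compile(r"RADIUS Attributes, vid: (\d+)")
PLACED_RE = re.compile(r"client successfully placed into vid: (\d+)")

@dataclass
class Session:  # hypothetical record type, one per RADIUS session id
    sid: str
    port: str
    mac: str
    role: Optional[str] = None
    role_invalid: bool = False      # RADIUS-assigned role rejected by the switch
    tagged_vid: Optional[int] = None
    untagged_vid: Optional[int] = None
    placed_vid: Optional[int] = None

def join_wrapped(lines: List[str]) -> List[str]:
    # Re-join log messages the switch wrapped over two lines.
    out: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def parse_sessions(lines: List[str]) -> Dict[str, Session]:
    sessions: Dict[str, Session] = {}
    current: Dict[str, str] = {}  # port -> session id currently being authenticated
    for line in join_wrapped(lines):
        if m := START_RE.search(line):
            port, mac, sid = m.groups()
            sessions[sid] = Session(sid, port, mac)
            current[port] = sid
            continue
        pm = PORT_RE.search(line)  # also matches "on port 42:" in the failure message
        if not pm or pm.group(1) not in current:
            continue
        s = sessions[current[pm.group(1)]]
        if INVALID_RE.search(line):
            s.role_invalid = True
        elif (m := ACCEPT_RE.search(line)) and m.group(1) == s.sid:
            s.role = m.group(2)
        elif m := TAGGED_RE.search(line):
            s.tagged_vid = int(m.group(1))
        elif m := UNTAGGED_RE.search(line):
            s.untagged_vid = int(m.group(1))
        elif m := PLACED_RE.search(line):
            s.placed_vid = int(m.group(1))
    return sessions

def assess(s: Session) -> List[str]:
    # The two conditions seen in this thread; wording is mine.
    out = []
    if s.role_invalid:
        out.append(f"session {s.sid}: RADIUS user role invalid, fell back to role '{s.role}'")
    if s.tagged_vid is not None and s.placed_vid == 0:
        out.append(f"session {s.sid}: role '{s.role}' gives VLAN {s.tagged_vid} tagged only "
                   "(no untagged VLAN, vid 0); the device must tag its own frames")
    return out

# Constructed sample in the format of the thread's debug output (not a real capture).
SAMPLE_LOG = """\
0095:00:42:16.97 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS CHAP
authentication started, session: 1963.
0095:00:42:16.99 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS Attributes,
tagged vid: 820.
0095:00:42:17.00 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 [1963] client
accepted with role 'VOIP-Phone-AOSSW'.
0095:00:42:17.00 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 client successfully
placed into vid: 0.
0096:00:04:25.20 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS CHAP
authentication started, session: 1995.
0096:00:04:25.23 MAC mWebAuth:Failed to apply user role to macAuth client
00809FE981C4 on port 42: user role is invalid.
0096:00:04:25.23 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS Attributes,
vid: 82.
0096:00:04:25.24 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 [1995] client
accepted with role 'Guest'.
0096:00:04:25.24 MAC mWebAuth:Port: 42 MAC: 00809f-e981c4 client successfully
placed into vid: 82.
"""
if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG.splitlines()).values():
        print("\n".join(assess(s)))
```

Feed it saved debug output instead of SAMPLE_LOG. A "tagged only" finding is not by itself an error (the thread's working configuration produces it), but it tells you the phone itself must send 802.1Q-tagged frames; if it does not, nothing the phone sends reaches the voice VLAN. A "role invalid" finding means the switch discarded the RADIUS role and the client is running under the initial role, so any test against the intended role's policy is meaningless until that is fixed.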