Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

VoIP-Phone mac-auth issue on Aruba OS switch

  • 1.  VoIP-Phone mac-auth issue on Aruba OS switch

    Posted Feb 14, 2024 06:46 AM

    Hi Guys,

    I have a strange issue with VoIP phones.

    The standard interface:

    untagged vlan X (client)

    tagged vlan 820 (voice)

    I need to put the VoIP phones in this VLAN 820 with ClearPass and MAC authentication.

    Easy peasy, but the phone cannot connect to the TFTP server.

    User-role on the switch


    aaa authorization user-role name "VOIP-Phone-AOSSW"
       policy "policy-VOIP"
       vlan-name-tagged NLISOVOIPPHONE (vlan 820)
       exit

    Debugging on the switch

    0095:00:42:12.99 MAC  mWebAuth:Port: 42 now off-line.
    0095:00:42:16.97 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 new client detected
       on vid: 1.
    0095:00:42:16.97 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS CHAP
       authentication started, session: 1963.
    0095:00:42:16.97 MAC  eDrvPoll:Port: 42 MAC: 00809f-e981c4 rejected during
       demux, known unauth client.
    0095:00:42:16.99 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS Attributes,
       tagged vid: 820.
    0095:00:42:17.00 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 [1963] client
       accepted with role 'VOIP-Phone-AOSSW'.
    0095:00:42:17.00 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 client successfully
       placed into vid: 0.

    Changing the user-role on the switch to 

    aaa authorization user-role name "VOIP-Phone-AOSSW"
       policy "policy-VOIP"
       vlan-name NLISOVOIPPHONE
       exit

    0095:00:46:30.06 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 client
       deauthenticated from all.
    0095:00:46:30.06 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 client
       deauthenticated.
    0095:00:46:30.06 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 Deauthentication
       request received
    0095:00:46:30.06 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 Deauthentication
       request received
    0095:00:46:33.14 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 new client detected
       on vid: 820.
    0095:00:46:33.14 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS CHAP
       authentication started, session: 1966.
    0095:00:46:33.16 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS Attributes,
       vid: 820.
    0095:00:46:33.17 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 [1966] client
       accepted with role 'VOIP-Phone-AOSSW'.
    0095:00:46:33.17 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 client successfully
       placed into vid: 820.

    So I thought this must work. It took very long to receive an IP address, and the phone was not able to download its config.

    Also checked it with Wireshark. Everything seems to be fine, no blocks.

    The TFTP server is in the same vlan.

    Without authentication, the phone is up and running in 30 seconds.

    What could be the issue?

    Best regards,

    Erik



  • 2.  RE: VoIP-Phone mac-auth issue on Aruba OS switch

    Posted Feb 14, 2024 08:53 AM

    What is the switch?  What is the phone?  How does the phone know about the tagged VLAN?  LLDP?  DHCP option?  Manually configured?




  • 3.  RE: VoIP-Phone mac-auth issue on Aruba OS switch

    Posted Feb 14, 2024 10:24 AM

    HI,

    It's an Aruba 2540; it receives the VLAN ID from Aruba ClearPass, and there is a voice server in the voice VLAN itself. Phones receive their IP from a DHCP server.

    DHCP works.

    The phone knows about the tagged VLAN from the local user-role on the switch itself. Yes, I know this can be done by ClearPass as well, but that will cost me too much time.

    On the port with no MAC auth, no LLDP or device identity is configured. Only a tagged voice VLAN, with the voice tag.

    Phones are from Alcatel-Lucent.

    Is that enough info?




  • 4.  RE: VoIP-Phone mac-auth issue on Aruba OS switch

    EMPLOYEE
    Posted Feb 15, 2024 04:13 AM

    You can make your life easier by getting rid of the voice vlan tagging, just keep all devices in an untagged VLAN. Tagged voice VLANs in the past were needed to have two devices in different VLANs on the same port, but with port-security you can have that without tagging.

    After authentication, the command 'show port-access clients 42 detail' will give you additional information about the applied policy. What I have seen a few times, for example if a (named) VLAN does not exist, or if you return both a user role and VLAN in the RADIUS response, you will see something like No VLAN, which indicates an error in either the RADIUS responses, or local (role) config on the switch.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: VoIP-Phone mac-auth issue on Aruba OS switch

    Posted Feb 15, 2024 04:30 AM

    Hello Eric,
    please post the following command output:
    show port-access config
    sh port-access clients detailed 42

    Post the ClearPass enforcement profiles.


    Are you sending RADIUS attributes for VLAN tagging and Aruba-User-Role at the same time?

    Use either VLAN attributes or Aruba-User-Role attributes in the enforcement.

    Is the VoIP phone already provisioned and tagging its traffic?
    Or is it trying to download its configuration from the TFTP server while the traffic is not tagged yet?



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: VoIP-Phone mac-auth issue on Aruba OS switch

    Posted Feb 15, 2024 04:41 AM

    Hi Waldemar,

    I thought I found the issue: TFTP was not added in a policy. To be sure, I tested with a class-any action permit; also not working.

    show port-access config

     Port Access Status Summary

      Port-access authenticator activated [No] : Yes
      Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
      Use LLDP data to authenticate [No] : No
      Dot1X EAP Identifier Compliance [Disabled] : Disabled
      Allow incremental EAP identifier only [Disabled] : Disabled

            802.1X  802.1X   Web      Mac      LMA   Cntrl Mixed    Speed
      Port  Supp    Auth     Auth     Auth     Auth  Dir   Mode     VSA   MBV

     42    No      No       No       Yes      No    in    No       No    Yes

     sh port-access clients detailed 42

     Port Access Client Status Detail

      Client Base Details :
       Port            : 42                    Authentication Type : mac-based
       Client Status   : authenticated         Session Time        : 456 seconds
       Client Name     : 00809fe981c4          Session Timeout     : 0 seconds
       MAC Address     : 00809f-e981c4
       IP              : 172.21.244.15

       Auth Order      : 8021x, Mac-Auth
       Auth Priority   : Mac-Auth, 8021x
       LMA Fallback    : Disabled


     User Role Information

       Name                              : VOIP-Phone-AOSSW
       Type                              : local
       Reauthentication Period (seconds) : 0
       Cached Reauth Period (seconds)    : 0
       Untagged VLAN                     : 820
       Tagged VLANs                      :
       Captive Portal Profile            :
       Policy                            : policy-VOIP

    Statements for policy "policy-VOIP"
    policy user "policy-VOIP"
         10 class ipv4 "class-any" action permit
       exit


    Statements for class IPv4 "class-any"
    class ipv4 "class-any"
         10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit

       Device Attributes                 : Disabled
         Client-Limit Mac-based          :
         Client-Limit Dot1x              :

    From ClearPass I only send this role to the switch,

    with no further VSA.

    Aruba-User-Role does not work; I receive a failed message in the log.

    show user-role VOIP-Phone-AOSSW

     User Role Information

       Name                              : VOIP-Phone-AOSSW
       Type                              : local
       Reauthentication Period (seconds) : 0
       Cached Reauth Period (seconds)    : 0
       Untagged VLAN                     : NLISOVOIPPHONE
       Tagged VLAN                       :
       Captive Portal Profile            :
       Policy                            : policy-VOIP
       Device Attributes                 : Disabled
         Client-Limit Mac-based          :
         Client-Limit Dot1x              :

    The phone is not provisioned. I can see in the Wireshark trace that the phone is trying to download config and settings from the TFTP server every time it boots up.




  • 7.  RE: VoIP-Phone mac-auth issue on Aruba OS switch

    Posted Feb 15, 2024 05:06 AM

    Hi Eric,

    The switch says it is not an authentication issue.

    The client on port 42 has been authenticated for 456 seconds, and the user role VOIP-Phone-AOSSW is applied.

    The role uses the VLAN NLISOVOIPPHONE. Is it available on the switch?

    The VLAN is defined as untagged. Does the phone also tag the traffic in the VLAN or is the traffic untagged?

    Don't make your life unnecessarily complicated. As Herman has written, the tagged VLANs on the switch port are no longer needed. During 802.1X authentication, corresponding VLANs can be assigned dynamically. If a PC is connected behind the phone, it will get its own VLAN from ClearPass. The switch will start a separate radius session for the PC and place the traffic in the assigned VLAN.

    Just try to set the VLAN in ClearPass instead of the user role - tagged or untagged - depending on how the phone needs it.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
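
Waldemar's advice in this reply and in reply 5 comes down to two things: return either a role or VLAN attributes in the Access-Accept, never both, and if you return a VLAN, say whether the switch should apply it tagged or untagged. As an added example that is not part of this thread and not ClearPass's or the switch's own code, here is a small Python helper that builds the RFC 4675 Egress-VLANID and Egress-VLAN-Name values for a tagged or untagged VLAN, and lints an attribute set for the role-plus-VLAN mix before it reaches the switch. The attribute names follow RFC 2868, RFC 3580 and RFC 4675 plus the Aruba-User-Role VSA; the accept dictionaries at the bottom are constructed sample data, and nothing here talks RADIUS on the wire.

```python
from typing import Dict, List, Tuple, Union

# RFC 4675 tag indication octets: '1' (0x31) = tagged, '2' (0x32) = untagged.
TAGGED, UNTAGGED = 0x31, 0x32


def egress_vlanid(vid: int, tagged: bool) -> int:
    """Egress-VLANID: tag-indication octet, 12 zero bits of padding, 12-bit VID."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID out of range: {vid}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vid


def decode_egress_vlanid(value: int) -> Tuple[int, bool]:
    """Inverse of egress_vlanid(); rejects a bad tag octet or non-zero padding."""
    tag = value >> 24
    if tag not in (TAGGED, UNTAGGED) or value & 0x00FFF000:
        raise ValueError(f"not a valid Egress-VLANID: {value:#010x}")
    return value & 0xFFF, tag == TAGGED


def egress_vlan_name(name: str, tagged: bool) -> str:
    """Egress-VLAN-Name: the VLAN name prefixed with '1' (tagged) or '2' (untagged)."""
    return ("1" if tagged else "2") + name


ROLE_ATTRS = {"Aruba-User-Role"}
# RFC 2868/3580 tunnel attributes assign the untagged VLAN; RFC 4675 can do either.
VLAN_ATTRS = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id",
              "Egress-VLANID", "Egress-VLAN-Name"}


def check_accept(attrs: Dict[str, Union[int, str]]) -> List[str]:
    """Return the problems found in an Access-Accept attribute set (empty = clean)."""
    problems: List[str] = []
    names = set(attrs)
    if names & ROLE_ATTRS and names & VLAN_ATTRS:
        problems.append("both a user role and VLAN attributes returned; use one or the other")
    if "Tunnel-Private-Group-Id" in names and not {"Tunnel-Type", "Tunnel-Medium-Type"} <= names:
        problems.append("Tunnel-Private-Group-Id without Tunnel-Type/Tunnel-Medium-Type")
    if "Egress-VLANID" in names:
        try:
            decode_egress_vlanid(int(attrs["Egress-VLANID"]))
        except ValueError as exc:
            problems.append(str(exc))
    if "Egress-VLAN-Name" in names and str(attrs["Egress-VLAN-Name"])[:1] not in ("1", "2"):
        problems.append("Egress-VLAN-Name must start with '1' (tagged) or '2' (untagged)")
    return problems


# Constructed sample accepts (values taken from this thread, not captured traffic).
ROLE_ONLY = {"Aruba-User-Role": "VOIP-Phone-AOSSW"}
TAGGED_VOICE = {"Egress-VLANID": egress_vlanid(820, tagged=True)}
UNTAGGED_VOICE = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,     # 13 = VLAN, 6 = IEEE-802
                  "Tunnel-Private-Group-Id": "820"}
MIXED = {**ROLE_ONLY, **UNTAGGED_VOICE}                            # what reply 5 warns against

if __name__ == "__main__":
    print(f"tagged 820   -> Egress-VLANID {egress_vlanid(820, True):#010x}")
    print(f"tagged name  -> {egress_vlan_name('NLISOVOIPPHONE', True)}")
    for label, accept in (("role only", ROLE_ONLY), ("tagged", TAGGED_VOICE),
                          ("untagged", UNTAGGED_VOICE), ("mixed", MIXED)):
        print(f"{label:9}: {check_accept(accept) or 'ok'}")
```

The tagged/untagged choice lives in the first octet of the value, which is why a phone that needs a tagged voice VLAN cannot be served by the plain Tunnel-Private-Group-Id form on its own.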



  • 8.  RE: VoIP-Phone mac-auth issue on Aruba OS switch

    Posted Feb 15, 2024 05:54 AM

    HI Waldemar,

    Understood. I really don't want to make it difficult.

    The VLAN name exists on the switch.

    For the test I put the switch port untagged in VLAN 820. Does not work. The phone will not get its config.

    Putting the switch port tagged in VLAN 820, it works straight away.

    So I know the phone must have a tagged VLAN 820.

    I added a VLAN enforcement profile to set the VoIP phone to VLAN 820. The switch wants to apply a user-role.

    0096:00:04:20.98 MAC  mWebAuth:Port: 42 now off-line.
    0096:00:04:25.20 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 new client detected
       on vid: 4095.
    0096:00:04:25.20 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS CHAP
       authentication started, session: 1995.
    0096:00:04:25.20 MAC  eDrvPoll:Port: 42 MAC: 00809f-e981c4 rejected during
       demux, known unauth client.
    0096:00:04:25.23 MAC  mWebAuth:Failed to apply user role  to macAuth client
       00809FE981C4 on port 42: user role is invalid.
    0096:00:04:25.23 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 error when processing
       user-role in dcaRadiusProcessUserRole.
    0096:00:04:25.23 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 [1995] assigned role
       '(null)' failed, attempting to apply initial role.
    0096:00:04:25.23 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS Attributes,
       vid: 82.
    0096:00:04:25.24 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 [1995] client
       accepted with role 'Guest'.
    0096:00:04:25.24 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 client successfully

    When I set no aaa authorization user-role enable, the VoIP phone works.

    User-role will not work for VoIP phones is my conclusion.




  • 9.  RE: VoIP-Phone mac-auth issue on Aruba OS switch
    Best Answer

    Posted Feb 15, 2024 06:00 AM

    Very strange... when enabling user-roles again, the VOIP-Phone will receive the config

    0096:00:17:03.07 MAC  mWebAuth:Port: 42 now off-line.
    0096:00:17:07.17 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 new client detected
       on vid: 4095.
    0096:00:17:07.17 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS CHAP
       authentication started, session: 2003.
    0096:00:17:07.17 MAC  eDrvPoll:Port: 42 MAC: 00809f-e981c4 rejected during
       demux, known unauth client.
    0096:00:17:07.20 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 RADIUS Attributes,
       tagged vid: 820.
    0096:00:17:07.20 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 [2003] client
       accepted with role 'VOIP-Phone-AOSSW'.
    0096:00:17:07.20 MAC  mWebAuth:Port: 42 MAC: 00809f-e981c4 client successfully
       placed into vid: 0.

    I changed back to the first role-based enforcement policy.

    My VOIP policy had a class-any deny at the end, and that rule blocked something I cannot describe. When I set it to permit, it worked.
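
A trailing class-any deny in a user-role policy only bites traffic that none of the earlier classes permit, so the question is what a phone sends during boot that a "TFTP" class written by port does not cover. One common answer, and this is an added illustration rather than anything the thread establishes about Erik's policy, is TFTP's own port behaviour: RFC 1350 has the server answer the read request sent to port 69 from a fresh port of its own (its transfer TID), and the phone's ACKs go back to that port, not to 69. The Python model below is not part of the thread and not the switch's classifier; it evaluates an ordered rule list against the client-side packets of a boot the way a first-match user policy does, and shows that a port-69 permit followed by class-any deny drops the ACKs, while permitting UDP to the TFTP server host does not. The server address, ports and rule names are constructed; the fall-through behaviour for unmatched traffic is modelled as permit, which is an assumption and is never reached here because both policies end in an explicit class-any rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp" or "ip" (any protocol)
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    dport: Optional[int] = None  # destination port, None = any
    name: str = ""


@dataclass(frozen=True)
class Packet:
    """One packet sent BY the client, as the user policy sees it at port ingress."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    what: str


ANY = "0.0.0.0/0"


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; returns (action, rule name)."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "permit", "(no match)"      # assumption for unmatched traffic; unused here


def blocked(policy: List[Rule], flow: List[Packet]) -> List[str]:
    """Names of the client's packets the policy would drop."""
    return [p.what for p in flow if evaluate(policy, p)[0] == "deny"]


# Constructed: the phone address is the one from the thread, the server is invented.
PHONE, TFTP = "172.21.244.15", "172.21.244.10"

# Client-side packets of a boot: DHCP, then a TFTP read. The server answers the
# request to port 69 from its transfer port (54321 here), so the ACKs go there.
FLOW = [
    Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, "DHCP discover"),
    Packet("udp", PHONE, 49152, TFTP, 69, "TFTP read request"),
    Packet("udp", PHONE, 49152, TFTP, 54321, "TFTP ACK to server transfer port"),
]

# TFTP permitted "by port", everything else denied by the trailing class-any.
NARROW = [
    Rule("permit", "udp", ANY, ANY, 67, "dhcp"),
    Rule("permit", "udp", ANY, ANY, 69, "tftp-port-69"),
    Rule("deny", "ip", ANY, ANY, None, "class-any deny"),
]

# Same policy, but UDP to the TFTP server host is permitted on any port.
FIXED = [
    Rule("permit", "udp", ANY, ANY, 67, "dhcp"),
    Rule("permit", "udp", ANY, TFTP + "/32", None, "tftp-server"),
    Rule("deny", "ip", ANY, ANY, None, "class-any deny"),
]

if __name__ == "__main__":
    for label, policy in (("narrow", NARROW), ("fixed", FIXED)):
        print(f"{label}: blocks {blocked(policy, FLOW) or 'nothing'}")
```

The same check is worth running against a real policy before a class-any deny goes back in: permit the provisioning server by host (or the whole voice subnet) rather than by the well-known port, and keep a permit for the DHCP client traffic that arrives from 0.0.0.0 before the phone has an address.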