Occasional Contributor II

Re: Cisco wired Avaya phone problem

I am already debugging RADIUS, as I had a problem with redirection, and I clearly notice all the debug messages; everything looked normal and authentication is successful.

The domain part is just for PCs using dot1x; IP phones are all accepted based on MAC auth until we collect all IP phones, then we will start to restrict a bit.

 

I am suspecting something: maybe the IP phones in the live working environment aren't using CoS, but when ClearPass returns device-traffic-class=voice, the IP phone sends a DHCP request tagged with a dot1p class of service = 5, so the DHCP server doesn't respond to the request as it's not configured for it.

It could be this or the complete opposite: the DHCP server is expecting dot1p and the IP phone is sending without it. That's the guess I have in my mind.

 

New Contributor

Re: Cisco wired Avaya phone problem

Hi Waleed,

 

We are having the same issue as yours. Did you find any solution for this?

New Contributor

Re: Cisco wired Avaya phone problem

We had this issue with NEC phones when connected to ClearPass. What we did was change the RX Waiting time under LLDP settings on the phone to 30 seconds instead of the default 15 seconds. This added about 5 seconds, give or take, between initializing and log in than we would have on a non-802.1X interface.

New Contributor

Re: Cisco wired Avaya phone problem

We ran into the same issue with the Cisco 2960x models.

The fix is outlined in this Bug detail:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb22409

 

Basically, authorization over the voice VLAN fails when certain av-pairs are present in the attributes:

 

“If one of the attributes is missing and/or dynamic vlan assignment is NOT required but the at least one of av-pair is present in the Radius access-accept the switch will fail authorization for the Voice Vlan on the port.”

 

From the capture we can see that “Tunnel-Type” and “Tunnel-Medium-Type” are present.

I removed those attributes and am good on the 2960x: MAB is successful, with phones not having DHCP issues.



HOWEVER,

we are now seeing similar symptoms with a Cisco 4500 chassis and Avaya phones.

Phones authenticate with healthy logs on CPPM and the switch logs, but the phones do NOT receive a DHCP address.

Strangely, there are ARP entries present for the phone.

Please help!!
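Added example, not part of any post in this thread: a small Python check that scans the attributes of an Access-Accept for the condition quoted from the Cisco bug, a voice authorization that carries only part of the dynamic VLAN attribute set. The `Name = value` dump format and the sample accepts are constructed for illustration, and `Tunnel-Private-Group-Id` is taken from RFC 3580 as the third attribute of that set (the post names only the first two).

```python
import re

# RFC 3580 dynamic VLAN assignment uses these three attributes together.
# The post names the first two; the third is added here from RFC 3580.
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")
VOICE_AVPAIR = "device-traffic-class=voice"

def parse_accept(text):
    """Parse 'Name[:tag] = value' lines (assumed dump format) into a dict of lists."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)(?::\d+)?\s*=\s*(.+?)\s*$", line)
        if m:
            attrs.setdefault(m.group(1).lower(), []).append(m.group(2).strip('"'))
    return attrs

def check_voice_accept(text):
    """Return findings for one Access-Accept; an empty list means nothing flagged."""
    attrs = parse_accept(text)
    is_voice = any(v.lower() == VOICE_AVPAIR for v in attrs.get("cisco-avpair", []))
    present = [a for a in VLAN_ATTRS if a.lower() in attrs]
    missing = [a for a in VLAN_ATTRS if a.lower() not in attrs]
    findings = []
    # Condition from the quoted bug text: some, but not all, VLAN attributes
    # are returned alongside a voice-domain authorization.
    if is_voice and present and missing:
        findings.append("partial VLAN attribute set on voice accept: has %s; missing %s"
                        % (", ".join(present), ", ".join(missing)))
    return findings

# Constructed samples (not captures from the thread).
PARTIAL = '''
Cisco-AVPair = "device-traffic-class=voice"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
'''
VOICE_ONLY = '''
Cisco-AVPair = "device-traffic-class=voice"
'''
FULL_SET = PARTIAL + 'Tunnel-Private-Group-Id:0 = "200"\n'

if __name__ == "__main__":
    for name, sample in (("partial", PARTIAL), ("voice only", VOICE_ONLY),
                         ("full set", FULL_SET)):
        print(name, "->", check_voice_accept(sample) or "ok")
```
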
