AOS-Switch and Cisco IP Phones PoC - Testing CDP, Voice VLAN, QoS, and 802.1X
05-29-2019 05:26 PM - edited 05-29-2019 05:34 PM
Hello Airheads community
I had the opportunity to work on a PoC to demonstrate that Aruba AOS-Switches fully support a Cisco telephony solution; here are the 5 tasks requested by the End Customer and the results achieved (below).
I also attached the PoC-guide.pdf to this post, which shows the configurations made in the 2930F Switch, ClearPass and CUCM, as well as debugs, show commands, and Access Tracker.
Task No 1: Turn on Cisco phone 7960. These Cisco phones are very old (currently EoS/EoL); they have the peculiarity of supporting Cisco pre-standard PoE and CDP (they support neither standard PoE nor LLDP).
Result: Aruba 2930F was able to turn on the Cisco Phone 7960 and assign the voice VLAN via CDP (Image 2).
Aruba switches support this type of phone by entering two commands:
2930F-8(config)# cdp mode pre-standard-voice
2930F-8(config)# power-over-ethernet pre-std-detect ports 1-8
Task No 2: Register Cisco Phone 7960 (SCCP) and Cisco Phone 7821 (SIP) phones to CUCM.
Result: Both phones were able to connect and register to CUCM (Image 3).
Configuring voice VLANs separates voice traffic from data traffic. You must configure the port as a tagged member of the voice VLAN.
2930F-8(config)# vlan 50
2930F-8(vlan-50)# name "Voice"
2930F-8(vlan-50)# tagged 1
2930F-8(vlan-50)# ip address 10.10.0.1 255.255.255.0
Per Cisco requirements, you may need to enable DHCP Option 150 so that, in the DHCP replies, phones see a list of all TFTP (CUCM) servers that are connected to the network.
2930F-8(config)#dhcp-server pool "VOICE"
2930F-8(VOICE)#network 10.10.0.0 255.255.255.0
2930F-8(VOICE)#option 150 ip "172.16.0.90"
2930F-8(VOICE)#range 10.10.0.5 10.10.0.20
Task No 3: Authenticate old phones that don't include a Manufacturing Installed Certificate (MIC), such as the 7960, via the MAC-AUTH process, and authenticate the most recent phones, such as the 7821, via EAP-TLS using the MIC.
Result: Both phones were authenticated (Image 5).
Import the Cisco Root certificates into ClearPass in order to execute the 802.1X EAP-TLS Authentication Method.
Phones were authenticated via MAC-AUTH (7960) and 802.1X EAP-TLS (7821) and received the VOICE-ROLE.
Task No 4: Assign differentiated network access policies: restrictive access policy to Cisco IP Phones (VOICE-ROLE) and unrestricted access to employees (EMPLOYEE-ROLE).
Result: Phones and End Users were authenticated; differentiated network access policies were assigned using roles on the 2930F switch (Image 6).
Task No 5: Clear the session when the device (PC) is disconnected from the Phone's switch port.
Result: If the device unplugs from behind the phone, the switch cannot rely on link state to know when to clear the session. Proxy EAPoL-Logoff enables the phone to transmit an EAPoL-Logoff message on behalf of the data device when the phone detects that an 802.1X device has unplugged from behind the phone. AOS-Switch processed the EAPoL-Logoff message and cleared the session (Image 7).
Task No 6: Assign QoS to voice traffic: tag RTP packets.
Result: Packet capture showed RTP packets tagged with CoS 5 and DSCP 46 (Image 8).
Re: AOS-Switch and Cisco IP Phones PoC - Testing CDP, Voice VLAN, QoS, and 802.1X
08-08-2019 10:06 AM
802.1X CR_0000250258 Symptom: User role changes to mac-auth initial role even though the user is not reachable. Scenario: When authenticating a user through 802.1X, if auth-order and auth-priority are configured as authenticator mac-based, the user role changes to mac-auth initial role even after disconnecting the user.