Wired Intelligent Edge

Dear AirHeads team,

I would ask for help with switch Aruba 2530 (16.06.0006 firmware) and IP Phone Aastra with connected PC. When the IP Phone is connected to non-auth port, all works fine with untagged and tagged vlans, but customer need 802.1x authentication for PC connected to the IP Phone.

I tried this config, but with no luck:

interface 1
   tagged vlan 100
   untagged vlan 110
   aaa port-access authenticator
   aaa port-access authenticator client-limit 2
   aaa port-access controlled-direction in
   aaa port-access mixed
   exit

PC is working but the phone is not connected to the voice vlan 100. 

I have another switches (Comware) where this scenario working well with this config:

 

interface GigabitEthernet1/0/1

port link-type hybrid

undo port hybrid vlan 1

port hybrid vlan 110 untagged

port hybrid pvid vlan 110

voice vlan 100 enable

poe enable

stp edged-port enable

undo dot1x handshake

dot1x port-method portbased

dot1x

 

Can someone help me please.

 

Thanks and best regards

 

Vaclav

Hi,

 

it will be a good idea to upgrade to 16.08

 

what your RADIUS server ?

Hi, thanks for replay. Oki I'll recommend to customer the firmware update. Do you think it will help with that config or do you recommend to use some new features of 16.08 ?

 

Radius is Microsoft NPS.

 

V.

Have you enabled voice within VLAN 100?

vlan 100
voice
exit

Please also check if the device is placed in the correct VLAN if authentication is disabled.

show mac-address 1

Has the Aastra phone LLDP-MED enabled?

Yes, voice vlan is enabled. Without authentication it works fine. When auth is enabled the phone is not working.

 

V.

But is the IP phone placed in the voice VLAN?
Please try to increase the client limit to 3. This because most IP Phone will first send some traffic in the untagged VLAN and later in the data VLAN.

Is the IP Phone doing 802.1x or are you using MAC auth?

Customer wants to authenticate only PC, as it works on Comware. But I'm afraid about that it is not possible on Aruba. There will have to be another authentication for the phone, right ?

V:

debug dest session

debug security port-access authenticator include port X

 

This will show you if you are getting at least the .1x however I am thinking that you may need to auth via MACAUTH for the phone

 

If you need to auth via macauth add it to your config and that should fix your issue.

 

You may also need to add the mac-oui to the radius server OR add it via the local mac authentication database.

 

oki, I'll try it, thanks

 

V.

In the 16.08 code for the 2930/3810 and 5400 there is a new option to bypass authentication for VOIP phones.
However, it looks like this feature is not available at the 2530 platform.

Also, mac auth and NPS is a no go.
There is an option for local-mac but I never tried this feature.
Please see the documentation for more info.
http://h22208.www2.hpe.com/eginfolib/Aruba/16.08/5200-5483/index.html#v25173620.html

Thank you very much. Local-MAC auth helps.

 

V.