
Avaya 802.1X VoIP Phone with Aruba Switch and CPPM

  • 1.  Avaya 802.1X VoIP Phone with Aruba Switch and CPPM

    Posted Sep 27, 2018 01:38 PM

    Hi, what is the best practice for an 802.1X environment where the PC receives the network of an Avaya IP phone? I am interested in having the phone use MAC-Auth to assign its Voice VLAN. Is it necessary to install the certificate on the telephone switch or on the phones, or is it not necessary? ClearPass does authenticate me and assigns the role, only "Offline" because it does not have an IP Voice Network. On the switch it appears as "W 09/27/18 12:15:29 05204 dca: ST1-CMDR: Failed to apply user role to macAuth
                 client 6CA84988233B on port 1/15: user role is invalid. "
    The pc works well for me in 802.1X.

    Thank you.



  • 2.  RE: Avaya 802.1X VoIP Phone with Aruba Switch and CPPM

    Posted Feb 26, 2019 10:04 AM

    Hi,

    I am also interested in this subject. I also have Aruba switches (2930F), CPPM and Avaya IP phones (9608). PCs are in 802.1X and are attached to Avaya IP phones. I'm also looking to do 802.1X on the Avaya IP phones and I'm looking for the best solution.

    Thanks for your help.



  • 3.  RE: Avaya 802.1X VoIP Phone with Aruba Switch and CPPM

    Posted Feb 26, 2019 10:35 AM

    Hello,

     

    There are multiple ways to authenticate the VoIP phone. I did this by using certificates or a username/password (EAP-PEAP) combination. It depends on the 802.1X authentication methods the phone supports. I don't know the specifics from Avaya and/or if you can use a central management platform to push the authentication parameters.

    Are you using downloadable user-roles on the switches with ClearPass, or do you configure the user-roles locally on the switch? Could you maybe provide some configuration snippets from the switch regarding AAA and the enforcement profiles on CPPM?

    "Normally" you need to configure a role which places the VoIP phone in a tagged VLAN on the switch port and the client in an untagged VLAN. The user-role needs to be available on the switch if you use local user-roles or you push the user-role via ClearPass (downloadable user-role) to the switch.

    I recently wrote a blog post on a "problem" with downloadable user-role and time sync. Maybe this helps you already with the AAA part of the configuration on the switch.



  • 4.  RE: Avaya 802.1X VoIP Phone with Aruba Switch and CPPM

    Posted Aug 02, 2019 09:15 AM

    Hey!

    "W 09/27/18 12:15:29 05204 dca: ST1-CMDR: Failed to apply user role to macAuth
                 client 6CA84988233B on port 1/15: user role is invalid. "

    This message leads me to believe you use downloadable roles, correct?

    When you get "user role is invalid", I have usually seen that when the user role contains some kind of error. In that case, could you show us what this enforcement profile looks like?

    When using mac-auth, you don't need any certificate on the phones. The switch will send a RADIUS request based on the received MAC address on the interface.
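
Added example, not part of any post in this thread: a small Python triage script that pulls every "Failed to apply user role" event out of a switch log and groups it by port and client, so the failing ports can be checked against the enforcement profile on CPPM. The log layout is assumed from the single message quoted above; all sample lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample log. Layout assumed from the one message quoted in the
# thread; the second event is wrapped across two lines the way the quote is.
SAMPLE_LOG = """\
W 09/27/18 12:15:29 05204 dca: ST1-CMDR: Failed to apply user role to macAuth client 6CA84988233B on port 1/15: user role is invalid.
W 09/27/18 12:15:41 05204 dca: ST1-CMDR: Failed to apply user role to macAuth
             client 6CA84988233B on port 1/15: user role is invalid.
I 09/27/18 12:16:02 00076 ports: ST1-CMDR: port 1/16 is now on-line
W 09/27/18 12:17:10 05204 dca: ST1-CMDR: Failed to apply user role to macAuth client 6CA8498820A1 on port 1/17: user role is invalid.
"""

# Severity, date, time, event id, subsystem, optional stack member, message.
EVENT = re.compile(
    r"^(?P<sev>[A-Z]) (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<id>\d{5}) (?P<subsys>\w+): (?:(?P<member>[\w-]+): )?(?P<msg>.*)$")
ROLE_FAIL = re.compile(
    r"Failed to apply user role to (?P<method>\w+) client "
    r"(?P<mac>[0-9A-Fa-f]{12}) on port (?P<port>[\w/]+): (?P<reason>.+?)\.?\s*$")

def unwrap(text):
    """Join continuation lines (leading whitespace) onto the preceding event."""
    events = []
    for line in text.splitlines():
        if line[:1].isspace() and events:
            events[-1] += " " + line.strip()
        elif line.strip():
            events.append(line.strip())
    return events

def role_failures(text):
    """Return {(port, mac): summary} for every failed user-role application."""
    hits = {}
    for event in unwrap(text):
        head = EVENT.match(event)
        fail = head and ROLE_FAIL.search(head["msg"])
        if not fail:
            continue  # unrelated event or unparsable line
        mac = ":".join(re.findall("..", fail["mac"].lower()))
        entry = hits.setdefault((fail["port"], mac), {
            "method": fail["method"], "reason": fail["reason"],
            "count": 0, "first": None})
        entry["count"] += 1
        entry["last"] = f'{head["date"]} {head["time"]}'
        entry["first"] = entry["first"] or entry["last"]
    return hits

if __name__ == "__main__":
    for (port, mac), info in sorted(role_failures(SAMPLE_LOG).items()):
        print(port, mac, info)
```
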