Contributor II

Avaya 802.1X VoIP Phone with Aruba Switch and CPPM

Hi, what is the best practice for an 802.1X environment where the PC receives its network from an Avaya IP phone, and I am interested in having the phone authenticate by MAC-Auth to assign its Voice VLAN? Is it necessary to install the certificate on the telephone switch or on the phones, or is it not necessary? ClearPass does authenticate me and assigns the role, only "Offline" because it does not have an IP Voice Network. On the switch it appears as:

"W 09/27/18 12:15:29 05204 dca: ST1-CMDR: Failed to apply user role to macAuth
             client 6CA84988233B on port 1/15: user role is invalid. "

The PC works well for me in 802.1X.

Thank you.

Re: Avaya 802.1X VoIP Phone with Aruba Switch and CPPM

Hi,

I am also interested in this subject. I also have Aruba switches (2930F), CPPM and Avaya IP phones (9608). PCs are in 802.1X and are attached to Avaya IP phones. I'm also looking to do 802.1X on the Avaya IP phones and I'm looking for the best solution.

Thanks for your help.

Guest Blogger

Re: Avaya 802.1X VoIP Phone with Aruba Switch and CPPM

Hello,

There are multiple ways to authenticate the VoIP phone. I did this by using certificates or a username/password (EAP-PEAP) combination. It depends on the 802.1X authentication methods the phone supports. I don't know the specifics from Avaya and/or if you can use a central management platform to push the authentication parameters.

Are you using downloadable user-roles on the switches with ClearPass, or do you configure the user-roles locally on the switch? Could you maybe provide some configuration snippets from the switch regarding AAA and the enforcement profiles on CPPM?

"Normally" you need to configure a role which places the VoIP phone in a tagged VLAN on the switch port and the client in an untagged VLAN. The user-role needs to be available on the switch if you use local user-roles or you push the user-role via ClearPass (downloadable user-role) to the switch.

I recently wrote a blog post on a "problem" with downloadable user-role and time sync. Maybe this helps you already with the AAA part of the configuration on the switch.

@rene_booches | AMFX #26, ACMX #438, ACCX #725, ACDX #760, CCNP R&S, CEH | Co-owner/Solution Specialist@4IP / blog owner@booches.nl
Occasional Contributor I

Re: Avaya 802.1X VoIP Phone with Aruba Switch and CPPM

Hey!

"W 09/27/18 12:15:29 05204 dca: ST1-CMDR: Failed to apply user role to macAuth
             client 6CA84988233B on port 1/15: user role is invalid. "

This message leads me to believe you use downloadable roles, correct?

When you get "user role is invalid", I have usually seen that when the user role contains some kind of error. In that case, could you show us what this enforcement profile looks like?

When using MAC-auth, you don't need any certificate on the phones. The switch will send a RADIUS request based on the received MAC address on the interface.
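
For triaging the "user role is invalid" event discussed in this thread, here is an added example (not part of any reply above) that pulls role-application failures out of switch log text, rejoins the wrapped continuation line, and counts failures per port and client. The log layout is assumed from the single message quoted in the thread; the other sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample: the warning is the message quoted in the thread (wrapped
# as the switch prints it); the "I" line and the repeat are invented for the demo.
SAMPLE_LOG = """\
W 09/27/18 12:15:29 05204 dca: ST1-CMDR: Failed to apply user role to macAuth
             client 6CA84988233B on port 1/15: user role is invalid.
I 09/27/18 12:15:40 00076 ports: ST1-CMDR: port 1/16 is now on-line
W 09/27/18 12:16:02 05204 dca: ST1-CMDR: Failed to apply user role to macAuth
             client 6CA84988233B on port 1/15: user role is invalid.
"""

# An entry starts with severity, date, time and a five-digit event id.
ENTRY_START = re.compile(r"^[A-Z] \d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \d{5} ")
ROLE_FAILURE = re.compile(
    r"^(?P<sev>[A-Z]) (?P<date>\S+) (?P<time>\S+) (?P<event>\d{5}) dca: .*?"
    r"Failed to apply user role to (?P<method>\S+) client (?P<mac>[0-9A-Fa-f]{12}) "
    r"on port (?P<port>\S+): (?P<reason>.+?)\.?\s*$"
)

def unwrap(text):
    """Join indented continuation lines onto the entry they belong to."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def role_failures(text):
    """Return one dict per 'Failed to apply user role' entry, MAC normalized."""
    out = []
    for entry in unwrap(text):
        m = ROLE_FAILURE.match(entry)
        if m:
            d = m.groupdict()
            d["mac"] = ":".join(d["mac"].lower()[i:i + 2] for i in range(0, 12, 2))
            out.append(d)
    return out

def summarize(failures):
    """Count failures per (port, client MAC, auth method, reason)."""
    return Counter((f["port"], f["mac"], f["method"], f["reason"]) for f in failures)

if __name__ == "__main__":
    for key, count in summarize(role_failures(SAMPLE_LOG)).items():
        print(count, *key)
```

A client that repeats the same reason on the same port points at the role definition or enforcement profile returned for that MAC rather than at the authentication itself, which matches the questions asked in the replies.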
