This is hard to troubleshoot like this. If you can do interactive troubleshooting, it may be much easier to try a few things and see what happens. Your partner or TAC may be a good resource to support you in that.
Note that in monitor mode, ClearPass is expected to only return an Access-Accept, so while it displays that it (would) return(s) a role/DUR, it does not. So I'm not sure why you see tagged VLANs, unless that config is on the switch port already.
You may consider getting rid of tagged VLANs for your phones, and just handling them in a native VLAN. The 2930F supports multiple clients untagged on the same port but in different VLANs. Tagged voice VLANs in the past were needed to keep voice traffic in a separate VLAN; with port-access security you can handle that the same way in the native VLAN.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
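As an added illustration of the untagged-per-client approach described above (this is example configuration, not Herman's or the original poster's config): one access port with 802.1X and MAC auth, a phone role that puts the phone untagged in the voice VLAN, and a data role that puts the PC behind it untagged in the data VLAN, so no tagged voice VLAN is needed on the port. ArubaOS-Switch 16.x syntax is assumed; the VLAN IDs, role names, port number and RADIUS address are constructed. The PHONE-ROLE only takes effect once ClearPass leaves monitor mode and returns the role name; until then, clients land in the initial role.

```text
; Added example, ArubaOS-Switch 16.x syntax assumed. VLAN IDs, names,
; port and RADIUS server are constructed, not taken from the thread.

; Data and voice VLANs. Neither is tagged on the access port; the user
; role places each client in its VLAN untagged.
vlan 10
   name "DATA"
   exit
vlan 20
   name "VOICE"
   exit

; Permit-everything class and policy, matching the "allow all" the
; original poster uses while ClearPass is in monitor mode.
class ipv4 "ALLOW-ALL"
   10 match ip any any
   exit
policy user "PERMIT-ALL"
   10 class ipv4 "ALLOW-ALL" action permit
   exit

; Phone role: untagged in the voice VLAN, no vlan-id-tagged needed.
aaa authorization user-role name "PHONE-ROLE"
   policy "PERMIT-ALL"
   reauth-period 3600
   vlan-id 20
   exit

; Role for everything else: untagged in the data VLAN.
aaa authorization user-role name "DATA-ROLE"
   policy "PERMIT-ALL"
   reauth-period 3600
   vlan-id 10
   exit

; Fallback roles used before a RADIUS decision or when RADIUS is down.
aaa authorization user-role enable
aaa authorization user-role initial-role "DATA-ROLE"
aaa authorization user-role critical-role "DATA-ROLE"

; RADIUS (ClearPass) and authentication methods.
radius-server host 192.0.2.10 key "CONSTRUCTED-SECRET"
aaa authentication port-access eap-radius
aaa authentication mac-based chap-radius

; Access port: 802.1X plus MAC auth, two clients allowed so the phone
; and the PC behind it each receive their own role and VLAN.
aaa port-access authenticator 1/1
aaa port-access authenticator 1/1 client-limit 2
aaa port-access mac-based 1/1
aaa port-access mac-based 1/1 addr-limit 2
aaa port-access authenticator active
```

With this in place, `show port-access clients` should list both clients on 1/1 as untagged members of different VLANs; a phone showing up with a tagged VLAN would then point to leftover static port configuration rather than to the role.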
------------------------------
Original Message:
Sent: May 22, 2024 04:59 AM
From: alexs-nd
Subject: Polycom phones on authenticating switch, multiple lockups and reboots required
Hi,
We are in the process of rolling out 802.1X and MAC auth via ClearPass DURs to our estate.
Currently CPPM is running in monitor mode and generating reports so we can see what is on the network and then create appropriate roles and enforcement policies.
Switches (2930s) are running WC.16.111.13 firmware and configured to use DURs. Local user roles are created that do an IPv4 "allow all" and are assigned to the initial and critical roles.
Before authentication
Polycom phones are connected to switch ports with an untagged VLAN and a tagged voice VLAN. Phones get an IP in the untagged VLAN, with a DHCP option specifying a URL to get the config file. The phone then drops into the tagged VLAN and everything works.
With mac auth / 802.1x auth on switch port.
sh lldp inf r shows me ports with phones
sh port-access clients shows me MAC auth for phones and tagged/untagged VLANs on the port.
Local user roles define a reauth time of 1 hour
Looking on CPPM I can see phones authenticating every hour, then .....
phones start dropping out of the tagged VLAN, back onto the untagged VLAN and back onto the tagged VLAN.
BUT, debug on the phone sees them getting different IP addresses on the untagged/tagged VLANs and I can't see why that is happening; I'd have expected the same IP address.
IP scopes on Infoblox DHCP show plenty of IP addresses in the VLAN pools. Lease time 2 days.
Annoyingly this config is estate wide (lots of sites) and we only have 1 site that is seeing these issues .. and I don't know why.
Normally I'd use the DUR to pass back a tagged VLAN for the phones, but I am in the no man's land of having to run CPPM in monitor mode.
Any pointers appreciated.
I was thinking of moving the phone switch port to an untagged VLAN without the DHCP URL and then using LLDP to say "use this tagged VLAN".
Just need a nudge in the right direction
Rgds A