Wired Intelligent Edge

Polycom phones on authenticating switch: multiple lockups and reboots required

  • 1.  Polycom phones on authenticating switch: multiple lockups and reboots required

    MVP EXPERT
    Posted 24 days ago

    Hi,

    In the process of rolling out 802.1X and MAC auth via ClearPass DURs to our estate.

    Currently CPPM is running in monitor mode and generating reports so we can see what is on the network and then create appropriate roles and enforcement policies.

    Switches (2930s) are running WC.16.111.13 firmware and configured to use DURs. Local user roles created that do an IPv4 "allow all" and assigned to the initial and critical roles.

    Before authentication:

    Polycom phones connected to switch ports with an untagged VLAN and a tagged voice VLAN. Phones get an IP on the untagged VLAN with a DHCP option specifying a URL to get the config file. The phone then drops into the tagged VLAN and everything works.

    With MAC auth / 802.1X auth on the switch port:

    sh lldp inf r shows me ports with phones.

    sh port-access clients shows me MAC auth for phones and tagged/untagged VLANs on the port.

    Local user roles define a reauth time of 1 hour.

    Looking on CPPM I can see phones authenticating every hour, then .....

    phones start dropping out of the tagged VLAN, back onto the untagged VLAN and back onto the tagged VLAN.

    BUT, debug on the phone sees them getting different IP addresses on the untagged/tagged VLANs and I can't see why that is happening; I'd have expected the same IP address.

    IP scopes on Infoblox DHCP show plenty of IP addresses in the VLAN pools. Lease time 2 days.

    Annoyingly this config is estate-wide (lots of sites) and we only have one site that is seeing these issues, and I don't know why.

    Normally I'd use the DUR to pass back a tagged VLAN for the phones but am in the no man's land of having to run CPPM in monitor mode.

    Any pointers appreciated.

    Was thinking of moving the phone switch port to an untagged VLAN without the DHCP URL and then using LLDP to say use this tagged VLAN.

    Just need a nudge in the right direction

    Rgds A
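To check whether the VLAN churn lines up with the one-hour reauth period described above, here is a small analyser, added as an example and not code from this thread. It runs over constructed client events (time, MAC, VLAN, IP); the line format is an assumed simplification, not the switch's real syslog output, and the VLAN IDs and addresses are made up.

```python
"""Flag clients that leave the voice VLAN and return about one reauth period
later with a different IP, the symptom described in the post above.
Added example; the event format below is constructed, not a real switch log."""
from collections import defaultdict
from datetime import datetime

REAUTH_SECS = 3600       # reauth-period configured in the local user role (1 hour)
TOLERANCE_SECS = 120     # how close to the reauth period a return must be to count
VOICE_VLAN = 110         # assumed tagged voice VLAN id (constructed value)

# Constructed sample events: "<iso-time> <mac> vlan=<id> ip=<addr>".
# Phone ...:01 drops off the voice VLAN and comes back ~1h later with a new IP;
# phone ...:02 joins the voice VLAN once and stays there.
SAMPLE_LOG = """\
2024-05-01T08:00:05 00:04:f2:aa:bb:01 vlan=10 ip=10.1.10.21
2024-05-01T08:00:40 00:04:f2:aa:bb:01 vlan=110 ip=10.1.110.33
2024-05-01T09:00:44 00:04:f2:aa:bb:01 vlan=10 ip=10.1.10.57
2024-05-01T09:01:20 00:04:f2:aa:bb:01 vlan=110 ip=10.1.110.71
2024-05-01T08:00:09 00:04:f2:aa:bb:02 vlan=10 ip=10.1.10.22
2024-05-01T08:00:45 00:04:f2:aa:bb:02 vlan=110 ip=10.1.110.34
"""


def parse(log):
    """Group events per MAC as (timestamp, vlan, ip), sorted by time."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, mac, vlan, ip = line.split()
        events[mac].append((datetime.fromisoformat(ts),
                            int(vlan.split("=", 1)[1]),
                            ip.split("=", 1)[1]))
    for mac in events:
        events[mac].sort()
    return events


def flapping_clients(log, reauth=REAUTH_SECS, tol=TOLERANCE_SECS):
    """Return {mac: [(gap_seconds, old_ip, new_ip), ...]} for clients whose
    consecutive voice-VLAN placements are about one reauth period apart and
    carry different addresses; an empty dict means nothing looks reauth-driven."""
    findings = defaultdict(list)
    for mac, evs in parse(log).items():
        voice = [(t, ip) for t, vlan, ip in evs if vlan == VOICE_VLAN]
        for (t0, ip0), (t1, ip1) in zip(voice, voice[1:]):
            gap = (t1 - t0).total_seconds()
            if abs(gap - reauth) <= tol and ip0 != ip1:
                findings[mac].append((gap, ip0, ip1))
    return dict(findings)
```

Feed it the real per-client timeline from the switch and DHCP server to confirm or rule out the reauth timer before changing the port design.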



  • 2.  RE: Polycom phones on authenticating switch: multiple lockups and reboots required

    EMPLOYEE
    Posted 18 days ago

    This is hard to troubleshoot like this. If you can do interactive troubleshooting, it may be much easier to try a few things and see what happens. Your partner or TAC may be good to support in that.

    Note that in monitor mode, ClearPass is expected to only return an Access Accept, so while it displays that it (would) return(s) a role/DUR, it does not. So not sure why you see tagged VLANs, except if that config is on the switch port already.

    You may consider getting rid of tagged VLANs for your phones, and just handle them in a native VLAN. The 2930F supports multiple clients untagged on the same port but in different VLANs. Tagged voice VLANs in the past were needed to keep voice traffic in a separate VLAN; with port-access security you can handle that the same way in the native VLAN.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------