HPE Community
Switches, Hubs, and Modems
1752808 Members
6293 Online
108789 Solutions
New Discussion юеВ

Re: 802.1X Problem with Alcatel IP Phone

 
Hodja
New Member

тАО11-04-2010 10:03 AM

тАО11-04-2010 10:03 AM

802.1X Problem with Alcatel IP Phone

Hi,
I have Alcatel-Lucent IP Phone 4018 and a PC connected to same port on ProCurve 3500 switch.
I am using 802.1X for both IP Phone and PC. When I connect them to seperate ports on the switch, there is no prolem. They can be both authenticated and communicate. When I conect them to the same port on the switch, IP Phone can be authenticate but PC can not be authenticated. In IAS logs I can see that PC is authenticated however it says "Authentication is failed"
I have mirrored the port, the switch is sending EAP-Failure to the PC.
This is my configuration.
vlan 1
name "SERVER"
untagged 1-28
ip address 192.168.1.1 255.255.255.0
exit
vlan 10
name "VOICE"
ip address 192.168.10.1 255.255.255.0
ip helper-address 192.168.1.100
tagged 23
voice
exit
vlan 20
name "DATA"
ip address 192.168.20.1 255.255.255.0
ip helper-address 192.168.1.100
exit
vlan 30
name "KARANTINA"
ip address 192.168.30.1 255.255.255.0
ip helper-address 192.168.1.100
exit
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
radius-server host 192.168.1.100 key 1234
aaa port-access authenticator 23
aaa port-access authenticator 23 unauth-vid 30
aaa port-access authenticator 23 client-limit 3
aaa port-access authenticator active

What could be the problem? Any help?
0 Kudos
6 REPLIES 6
Jeff Carrell
Honored Contributor

тАО11-04-2010 10:21 AM

тАО11-04-2010 10:21 AM

Re: 802.1X Problem with Alcatel IP Phone

Can you provide a scrn shot of the IAS log entry for the PC?

In your IAS remote policies, are you assigning a VLAN id for the phone and a different VLAN id for the PC?

Switch config looks good....what version of image are you running on switch?

What is the IAS radius-reply pkt indicate?

This will help narrow it down a bit.

Cheers...Jeff


ps, here is a link to a presentation I did at Sharkfest'10 in June, troubleshooting an 802.1X system...hth...
http://www.lovemytool.com/blog/2010/06/network-access-security-its-broken-now-what-by-jeff-carrell.html
0 Kudos
Hodja
New Member

тАО11-04-2010 06:32 PM

тАО11-04-2010 06:32 PM

Re: 802.1X Problem with Alcatel IP Phone

Hi,

IAS Log says "PCXX granted access... and the other details about it like assigned RAS Policy, NAS Port, NAS Client etc..." All of them are true. (I can not provide scr shot right now) Also the same log for the user.
Yes I am assgining diferent VLANs for PC and Phone.
Image version is 14.41.
I have tried on two different switches. One is 3500 the other is 4500 series.
0 Kudos
Jeff Carrell
Honored Contributor

тАО11-04-2010 08:32 PM

тАО11-04-2010 08:32 PM

Re: 802.1X Problem with Alcatel IP Phone

Hodja said "IAS Log says "PCXX granted access... and the other details about it like assigned RAS Policy, NAS Port, NAS Client etc..." All of them are true."

My experience has found that when this issue occurs, the switch is not "happy" with something radius (IAS) is telling it. (ok, duh!)

2 most common issues:
1) the vlan id that radius is sending back is not configured on the switch
2) the client-limit parm has not been increased from its default of 1.

Now, since you said previously that the PC will auth correctly if connected into its own switch port and the phone auth ok, but not both in the same port (PC thru the phone) this makes it harder to figure out.

Grab the "radius access-accept" and see what IAS is passing to the switch.

Also, in the ATG this is said:
Operating Rules for Voice VLANs
├в   You must statically configure voice VLANs. GVRP and dynamic VLANs do not support voice VLAN operation.
├в   Configure all ports in a voice VLAN as tagged members of the VLAN. This ensures retention of the QoS (Quality of Service) priority included in voice VLAN traffic moving through your network.
├в   If a telephone connected to a voice VLAN includes a data port used for connecting other networked devices (such as PCs) to the network, then you must configure the port as a tagged member of the voice VLAN and a
tagged or untagged member of the data VLAN you want the other networked device to use.
----
I'm wondering if the "voice" option you have in vlan 10 is causing an issue...I've never configured a switch in this exact manner, so I have no idea if this is related or not.

hth...Jeff
0 Kudos
Hodja
New Member

тАО11-04-2010 09:43 PM

тАО11-04-2010 09:43 PM

Re: 802.1X Problem with Alcatel IP Phone

├Г┬в├В You must statically configure voice VLANs. GVRP and dynamic VLANs do not support voice VLAN operation

Is that mean, I must not send VLAN information to switches for Voice VLAN. If so this is my mistake. I am sending VLAN info from RADIUS to switch for Voice VLAN. I will try it without sending Voice VLAN info.
0 Kudos
Jeff Carrell
Honored Contributor

тАО11-04-2010 10:44 PM

тАО11-04-2010 10:44 PM

Re: 802.1X Problem with Alcatel IP Phone

Hodja asked: "Is that mean, I must not send VLAN information to switches for Voice VLAN. If so this is my mistake. I am sending VLAN info from RADIUS to switch for Voice VLAN. I will try it without sending Voice VLAN info."

Basically yes, but not only because you have the "voice" definition in the vlan for voice. IAS cannot tell the switch to put a port in a VLAN -and- for it to be tagged...IAS can only send a VLAN id. (this is a "problem" for VoIP...RC4675 resolves this issue, but Microsoft doesn't support it even in W2K8-R2 [ProVision code did 2yrs ago]).

So, for VoIP devices, simply authenticate them and do not send the vlan-id from IAS to the switch. The switch will get the access-accept message and simply allow traffic for the phone (mac addr) to pass, and since the port is configured as tagged and so is the phone, all is good there.

hth...Jeff
0 Kudos
Hodja
New Member

тАО11-05-2010 12:44 AM

тАО11-05-2010 12:44 AM

Re: 802.1X Problem with Alcatel IP Phone

I have changed RAS Policy. Now IAS is not sending VLAN ID for IP Phones.
Problem solved. Now PC and IP Phone can both operate on the same switch port.
Thank you very much...
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.