  • 1.  802.1X Problem with Alcatel IP Phone

    Posted Nov 04, 2010 01:04 PM
    Hi,
    I have Alcatel-Lucent IP Phone 4018 and a PC connected to same port on ProCurve 3500 switch.
    I am using 802.1X for both the IP Phone and the PC. When I connect them to separate ports on the switch, there is no problem. They can both be authenticated and communicate. When I connect them to the same port on the switch, the IP Phone can be authenticated but the PC cannot be authenticated. In the IAS logs I can see that the PC is authenticated; however it says "Authentication is failed".
    I have mirrored the port, the switch is sending EAP-Failure to the PC.
    This is my configuration.
    vlan 1
    name "SERVER"
    untagged 1-28
    ip address 192.168.1.1 255.255.255.0
    exit
    vlan 10
    name "VOICE"
    ip address 192.168.10.1 255.255.255.0
    ip helper-address 192.168.1.100
    tagged 23
    voice
    exit
    vlan 20
    name "DATA"
    ip address 192.168.20.1 255.255.255.0
    ip helper-address 192.168.1.100
    exit
    vlan 30
    name "KARANTINA"
    ip address 192.168.30.1 255.255.255.0
    ip helper-address 192.168.1.100
    exit
    aaa authentication port-access eap-radius
    aaa accounting network start-stop radius
    radius-server host 192.168.1.100 key 1234
    aaa port-access authenticator 23
    aaa port-access authenticator 23 unauth-vid 30
    aaa port-access authenticator 23 client-limit 3
    aaa port-access authenticator active

    What could be the problem? Any help?


  • 2.  RE: 802.1X Problem with Alcatel IP Phone

    Posted Nov 04, 2010 01:22 PM
    Can you provide a screen shot of the IAS log entry for the PC?

    In your IAS remote policies, are you assigning a VLAN id for the phone and a different VLAN id for the PC?

    Switch config looks good....what version of image are you running on switch?

    What is the IAS radius-reply pkt indicate?

    This will help narrow it down a bit.

    Cheers...Jeff


    ps, here is a link to a presentation I did at Sharkfest'10 in June, troubleshooting an 802.1X system...hth...
    http://www.lovemytool.com/blog/2010/06/network-access-security-its-broken-now-what-by-jeff-carrell.html


  • 3.  RE: 802.1X Problem with Alcatel IP Phone

    Posted Nov 04, 2010 09:32 PM
    Hi,

    IAS Log says "PCXX granted access... and the other details about it like assigned RAS Policy, NAS Port, NAS Client etc..." All of them are true. (I cannot provide a screen shot right now.) Also the same log for the user.
    Yes, I am assigning different VLANs for PC and Phone.
    Image version is 14.41.
    I have tried on two different switches. One is 3500 the other is 4500 series.


  • 4.  RE: 802.1X Problem with Alcatel IP Phone

    Posted Nov 04, 2010 11:33 PM
    Hodja said "IAS Log says "PCXX granted access... and the other details about it like assigned RAS Policy, NAS Port, NAS Client etc..." All of them are true."

    My experience has found that when this issue occurs, the switch is not "happy" with something radius (IAS) is telling it. (ok, duh!)

    2 most common issues:
    1) the vlan id that radius is sending back is not configured on the switch
    2) the client-limit parm has not been increased from its default of 1.

    Now, since you said previously that the PC will auth correctly if connected into its own switch port and the phone auth ok, but not both in the same port (PC thru the phone) this makes it harder to figure out.

    Grab the "radius access-accept" and see what IAS is passing to the switch.

    Also, in the ATG this is said:
    Operating Rules for Voice VLANs
    • You must statically configure voice VLANs. GVRP and dynamic VLANs do not support voice VLAN operation.
    • Configure all ports in a voice VLAN as tagged members of the VLAN. This ensures retention of the QoS (Quality of Service) priority included in voice VLAN traffic moving through your network.
    • If a telephone connected to a voice VLAN includes a data port used for connecting other networked devices (such as PCs) to the network, then you must configure the port as a tagged member of the voice VLAN and a tagged or untagged member of the data VLAN you want the other networked device to use.
    ----
    I'm wondering if the "voice" option you have in vlan 10 is causing an issue...I've never configured a switch in this exact manner, so I have no idea if this is related or not.

    hth...Jeff


  • 5.  RE: 802.1X Problem with Alcatel IP Phone

    Posted Nov 05, 2010 12:44 AM
    • You must statically configure voice VLANs. GVRP and dynamic VLANs do not support voice VLAN operation

    Does that mean I must not send VLAN information to switches for the Voice VLAN? If so, this is my mistake. I am sending VLAN info from RADIUS to the switch for the Voice VLAN. I will try it without sending Voice VLAN info.


  • 6.  RE: 802.1X Problem with Alcatel IP Phone

    Posted Nov 05, 2010 01:44 AM
    Hodja asked: "Does that mean I must not send VLAN information to switches for the Voice VLAN? If so, this is my mistake. I am sending VLAN info from RADIUS to the switch for the Voice VLAN. I will try it without sending Voice VLAN info."

    Basically yes, but not only because you have the "voice" definition in the vlan for voice. IAS cannot tell the switch to put a port in a VLAN -and- for it to be tagged...IAS can only send a VLAN id. (this is a "problem" for VoIP...RFC 4675 resolves this issue, but Microsoft doesn't support it even in W2K8-R2 [ProVision code did 2yrs ago]).

    So, for VoIP devices, simply authenticate them and do not send the vlan-id from IAS to the switch. The switch will get the access-accept message and simply allow traffic for the phone (mac addr) to pass, and since the port is configured as tagged and so is the phone, all is good there.

    hth...Jeff
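    The two posts above (the "2 most common issues" list and the explanation that IAS can only return a VLAN id, not tagged/untagged membership) can be turned into a mechanical check on the RADIUS Access-Accept itself. The script below is an added example for this thread; it is not ProCurve, IAS or Microsoft code. It decodes the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes (RFC 2868) and the Egress-VLANID attribute (RFC 4675) from a constructed Access-Accept, then runs Jeff's checks against the switch facts from post 1: VLANs 1/10/20/30 exist, port 23 is a tagged member of VOICE (10), and client-limit is 3. The sample packets, the zeroed Response Authenticator and the function names are all assumptions made for the example.

```python
import struct

# Attribute numbers: RFC 2868 (Tunnel-*) and RFC 4675 (Egress-VLANID)
ATTR_EGRESS_VLANID = 56
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value meaning "IEEE 802"


def build_access_accept(attrs, ident=1):
    """Assemble a RADIUS Access-Accept (code 2) from (type, value) attributes.
    The 16-byte Response Authenticator is zeroed because these are constructed
    samples; a real server computes it as an MD5 over the packet and the secret."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + bytes(16) + body


def parse_attributes(payload):
    """Split the attribute area of a RADIUS packet into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def strip_tag(value):
    """Tunnel-* attributes may start with a Tag octet in 0x00-0x1F (RFC 2868 3.1)."""
    return value[1:] if value and value[0] <= 0x1F else value


def decode_vlan_assignment(packet):
    """Return what the Access-Accept tells the switch about VLAN placement.
    'tagged' stays None when only Tunnel-Private-Group-ID was sent, because that
    attribute carries a VLAN id and nothing about tagged/untagged membership."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2:
        raise ValueError("not an Access-Accept (code %d)" % code)
    if length != len(packet):
        raise ValueError("Length field %d does not match packet size %d" % (length, len(packet)))
    result = {"vlan_id": None, "tagged": None, "tunnel_type": None, "medium": None}
    for atype, value in parse_attributes(packet[20:length]):
        if atype == ATTR_TUNNEL_TYPE:
            result["tunnel_type"] = int.from_bytes(strip_tag(value), "big")
        elif atype == ATTR_TUNNEL_MEDIUM_TYPE:
            result["medium"] = int.from_bytes(strip_tag(value), "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            result["vlan_id"] = int(strip_tag(value).decode("ascii"))
        elif atype == ATTR_EGRESS_VLANID:
            # RFC 4675 4.1: 8-bit Tag Indication (0x31 tagged, 0x32 untagged),
            # 12 pad bits, then the 12-bit VLAN id
            raw = int.from_bytes(value, "big")
            result["tagged"] = (raw >> 24) == 0x31
            result["vlan_id"] = raw & 0x0FFF
    return result


def diagnose(assignment, switch_vlans, port_tagged_vlans, client_limit, devices_on_port):
    """Apply the checks from the thread to one decoded Access-Accept and return
    a list of problem codes (an empty list means nothing in it should upset the switch)."""
    problems = []
    vid = assignment["vlan_id"]
    if vid is not None:
        if vid not in switch_vlans:
            problems.append("vlan-not-configured")          # issue 1 from post 4
        if assignment["tagged"] is None:
            if vid in port_tagged_vlans:
                # a bare VLAN id cannot express tagged membership; only Egress-VLANID can
                problems.append("tagged-vlan-needs-egress-vlanid")
            if assignment["tunnel_type"] != TUNNEL_TYPE_VLAN or assignment["medium"] != TUNNEL_MEDIUM_802:
                problems.append("tunnel-attrs-inconsistent")
    if devices_on_port > client_limit:
        problems.append("client-limit-too-low")             # issue 2 from post 4
    return problems


# Constructed samples modelled on the thread: VLANs 1/10/20/30 exist, port 23 is
# a tagged member of VOICE (10), client-limit is 3, and phone + PC share the port.
SWITCH_VLANS = {1, 10, 20, 30}
PORT23_TAGGED = {10}
TUNNEL_ATTRS = [(ATTR_TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (ATTR_TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")]
PHONE_ACCEPT_IAS = build_access_accept(TUNNEL_ATTRS + [(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"10")])
PHONE_ACCEPT_RFC4675 = build_access_accept([(ATTR_EGRESS_VLANID, bytes([0x31, 0x00, 0x00, 0x0a]))])
PC_ACCEPT = build_access_accept(TUNNEL_ATTRS + [(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20")])
PC_ACCEPT_MISSING_VLAN = build_access_accept(TUNNEL_ATTRS + [(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"99")])

if __name__ == "__main__":
    for name, pkt in [("phone, VLAN id from IAS", PHONE_ACCEPT_IAS), ("phone, RFC 4675", PHONE_ACCEPT_RFC4675),
                      ("PC", PC_ACCEPT), ("PC, VLAN 99", PC_ACCEPT_MISSING_VLAN)]:
        decoded = decode_vlan_assignment(pkt)
        print(name, decoded, diagnose(decoded, SWITCH_VLANS, PORT23_TAGGED, 3, 2))
```

    Run against a real capture of the Access-Accept (the "grab the radius access-accept" step), the phone's packet from IAS comes back with VLAN 10 and `tagged` still None, which is exactly the mismatch with the tagged voice VLAN on port 23; the RFC 4675 form of the same assignment decodes cleanly, and dropping the VLAN id for phones altogether, as post 7 ends up doing, makes the check trivially pass.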


  • 7.  RE: 802.1X Problem with Alcatel IP Phone

    Posted Nov 05, 2010 03:44 AM
    I have changed RAS Policy. Now IAS is not sending VLAN ID for IP Phones.
    Problem solved. Now PC and IP Phone can both operate on the same switch port.
    Thank you very much...