  • 1.  dot1x + toip authent

    Posted Oct 13, 2025 11:00 AM

    Hello, I need some help from the experts.

    Here is my problem with an Aruba 6300m switch.

    I connect a Snom phone to a port with the dot1x configuration.

    I then connect a computer via this phone's internal switch, but the computer won't let me get a connection on the phone. I've tried lots of things, but nothing works. I'm stuck. Here's how the dot1x and MAC address authentication are configured.

    aaa group server radius OOOO
        server XX.XX.XX.XX 
        server XX.XX.XX.XX
        server XX.XX.XX.XX
    aaa accounting port-access stop-only group OOOO

    vlan 239
        name Voice_test1
        voice
    vlan 259
        name DATA_8021X

    mac-group SNOM
         seq 10 match mac-oui 00:04:13
    port-access role PHONE
        vlan trunk allowed 239
    port-access device-profile LMA
        enable
        associate role PHONE
        associate mac-group SNOM
    aaa authentication port-access dot1x authenticator
        radius server-group OOOO
        enable
    aaa authentication port-access mac-auth
        enable

    Interface 1/1/1  
    description Port User
        no shutdown
        speed auto 10m 100m
        no routing
        vlan access 999
        loop-protect
        aaa authentication port-access client-limit 2
        aaa authentication port-access auth-role PHONE
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable

    Thank you in advance.

    Have a great day, everyone!



    -------------------------------------------


  • 2.  RE: dot1x + toip authent

    Posted Oct 14, 2025 12:12 AM

    Your device-profile role, that is PHONE, should have the native VLAN as 259:

    port-access role PHONE
        vlan trunk native 259
        vlan trunk allowed 259,239

    Are you getting the phone in the correct user-role?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: dot1x + toip authent

    Posted Oct 15, 2025 02:29 AM

    Hello, thank you for your feedback.

    I don't have access to the user role phone, so I can't see if it's correctly assigned.

    I tried a lot of things this morning related to what you told me, but unfortunately, it didn't work for me.

    -------------------------------------------



  • 4.  RE: dot1x + toip authent

    Posted Oct 16, 2025 12:38 AM

    I meant checking on the CX switch to see if the phone gets the correct user-role. The commands you can use are:

    sh port-access client 

    sh port-access clients detail






  • 5.  RE: dot1x + toip authent

    Posted Oct 16, 2025 02:27 AM

    Hello, here is the result of your request:

    TEST-Switch# sh port-access clients detail

    Device-Profile Client Status Details:

      Port 1/1/11, Neighbor-Mac  00:04:13:XX:XX:XX
        Profile Name:           : LMA
        LLDP Group:             :
        CDP Group:              :
        MAC Group:              : SNOM
        Role:                   : PHONE
        State:                  : applied
        Failure Reason:         :


    Role Information:

    Name  : PHONE
    Type  : local
    ----------------------------------------------
        Allowed Trunk VLANs                 : 139,159

    -------------------------------------------
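
An added example, not part of any post in this thread: a Python check that parses the `sh port-access clients detail` output posted above and compares it with the intended role and VLANs. The function names and the expected VLAN IDs (239 from the original configuration, 259 from the first reply) are assumptions, and the sample is abridged from the post.

```python
import re
# Abridged from the output posted above (MAC already masked by the poster).
SAMPLE = """\
Device-Profile Client Status Details:
  Port 1/1/11, Neighbor-Mac  00:04:13:XX:XX:XX
    Profile Name:           : LMA
    MAC Group:              : SNOM
    Role:                   : PHONE
    State:                  : applied
Role Information:
Name  : PHONE
Type  : local
    Allowed Trunk VLANs                 : 139,159
"""

def parse_clients_detail(text):
    """Return (clients, roles) parsed from the device-profile detail output."""
    clients, roles, cur = [], {}, None
    for line in text.splitlines():
        if line.rstrip().endswith(":") and not line.startswith(" "):
            cur = None  # unindented section header ends the current record
            continue
        m = re.match(r"\s*Port (\S+), Neighbor-Mac\s+(\S+)", line)
        if m:
            cur = {"port": m.group(1), "mac": m.group(2)}
            clients.append(cur)
            continue
        m = re.match(r"\s*([A-Za-z][\w \-]*?):?\s*:\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Name":  # a role record starts at its Name line
            cur = roles.setdefault(val, {})
        elif cur is not None:
            cur[key] = val
    return clients, roles

def audit(text, expected_role, expected_vlans):
    """List differences between the observed state and the intended config."""
    clients, roles = parse_clients_detail(text)
    findings = [f"{c['port']}: role={c.get('Role')} state={c.get('State')}"
                for c in clients
                if c.get("Role") != expected_role or c.get("State") != "applied"]
    allowed = roles.get(expected_role, {}).get("Allowed Trunk VLANs", "")
    got = {v for v in allowed.split(",") if v}  # plain IDs only, no ranges
    missing = sorted(set(expected_vlans) - got, key=int)
    if missing:
        findings.append(f"role {expected_role}: VLANs not allowed: {','.join(missing)}")
    return findings
```

Run against the posted output with the expected VLANs 239 and 259, `audit` reports both as absent from the role's allowed trunk list, which shows 139,159.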



  • 6.  RE: dot1x + toip authent

    Posted Oct 17, 2025 07:19 PM

    The phone gets a user role but it does not show the IP address, also the PC behind it does not get a user role. So check the output of "sh event -r" for any clues.

    Perhaps it is best to open a TAC case.


