Security

 View Only

  • 1.  Issue witgh polycom phones and. authentication

    Posted Jun 12, 2025 11:51 AM

    Hi,

    Got an issue with  Polycom phones,  and authentication in that phones dont pick up an ip when moved from staging area to  live area

    1). Polycom C60 and CCX505 phones running latest and greatest 9.1.x firmware

    2). Aruba OS-S 2930 switches running WC.16.11.21 firmware

    3). Clearpass 6.11.10  providing  DUR to drop phone into named tagged voice valn

    Phones identifed by custom clearpass fingerprint .

    Enforcement policy  pshes dur to switch

    Plug phone in on staging point switch to upgrade firmware register and configure phone. 

    Check phone works. 

    Unplug phone and take to. destination and plug into another  switch

    clearpass sends mac-auth from that switch/port, identifies phone and. sends DUR

    What should happen is 

    cppm places devcie in tagged voice vlan

    phone uses lldp to identify tagged voice vlan, move to it and get an ip address 

    but .....

    sh port-access client shows  mac address of phone in tagged voice vlan

    sh lldp inf r shows  switch can see phone model

    phone doesnt get an ip address,  can sit there for hours ( reauth time. 1 hour). DHCP ip lease is 2 days 

    Back at clearpass, if i force a port bounce CoA ( local one that holds port down for 30 secs ) phone  requsts and. obtains ip and off it goes

    Would have thought unplugging phone and walking. to destination would have done the same thing

    Dont want to enable profiling on the auth and force a drop after every auth as that would be dropping  interface for 12 secs every hour

    Any thoughts ?

    A



  • 2.  RE: Issue witgh polycom phones and. authentication

    Posted Jun 12, 2025 01:29 PM

    Assuming the device is being recognized properly and the connection to the network is correct, then there's nothing on the network side that should be preventing the device from requesting or receiving DHCP.  I'd recommend getting a packet capture showing what is going on between the phone and the network once you've moved to the production network.

    The closest I've seen to this is some devices that like to fire off a DHCP request as soon as they have power/link (but not necessarily a network connection) and then never again.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Issue witgh polycom phones and. authentication

    Posted Jun 13, 2025 04:32 AM
    >
    >Assuming the device is being recognized properly and the connection to the network is correct, then there's nothing on the network side that should be preventing the device from requesting or receiving DHCP.
    Agreed.

    Phones use lldp to detect  presence of tagged voice vlan on switch port switch to it and  of they go. As I said, problem is cppm drops them into  voice vlan , we can see its there but  sh lldp inf r shows phone doesnt have an IP
    >
    >  I'd recommend getting a packet capture showing what is going on between the phone and the network once you've moved to the production network.
    Yeah might come to that.

    >The closest I've seen to this is some devices that like to fire off a DHCP request as soon as they have power/link (but not necessarily a network connection) and then never again.
    Yeah seen that as well.  Guess forcing a CoA reauth is slightly different in that the phone is up and breathing at that point
    A



    Original Message


  • 4.  RE: Issue witgh polycom phones and. authentication

    Posted Jun 13, 2025 09:28 AM
    Thing is, 
    If I switch auth off on the port, assign a tacked voice vlan, eveything works just fine. It's only when we have 802.1x and. Macauth enabled on the switch port
    A





    Original Message


Related Content