
Issue for Dynamic Vlan for TOIP

KevAktea33
New Contributor

Hi dear community, 

I need your help ^^

I have implemented Dynamic VLAN Assignment on our infrastructure, with some ICX 7250 (SPS08030e) and Aruba ClearPass as the authentication server.

I have an issue when I try to authenticate IP phones (mac-auth).
The IP phones are AASTRA 6731i.

When I connect the IP phone alone on the switch port, it doesn't get an IP and stays in the state (network initialize). But when I connect a computer (dot1x) behind the IP phone (in the initialize state), the IP phone WORKS!! And the cherry on the cake (French expression): when I connect the phone to the switch with the PC already connected to the phone, they both DON'T WORK.

Of course, the authentication for the computer alone works well.

This is my config:

authentication
auth-default-vlan 60
no filter-strict-security enable
auth-vlan-mode multiple-untagged
disable-aging denied-mac-only
dot1x enable
dot1x enable ethe 1/1/10
mac-authentication enable
mac-authentication enable ethe 1/1/10

 

interface ethernet 1/1/10
dot1x port-control auto
inline power
voice-vlan 8

lldp med network-policy application voice tagged vlan 8 priority 6 dscp 6 ports ethe 1/1/10
lldp run

I hope someone can help me with this case 🙂

Thank you very much. 

Kevin.

2 REPLIES

KevAktea33
New Contributor

Maybe I should give some more information.

The VLAN assignment is pushed by ClearPass with RADIUS:IETF attributes in an Enforcement Profile in ClearPass (works well for other types of devices).


 

And the auth-default-vlan 60 in the ICX config is an empty VLAN which exists only on the switch, with nothing behind it.

jdryan
Moderator

Hi Kevin, 

Based on the details shared, could you check once with only mac-auth for the IP phone and let us know?
If only mac-auth for the IP phone works as expected, then try adding the statement below:

auth-order mac-auth dot1x

under authentication, and check once more. Here we would be allowing the system to undergo mac-auth first and then dot1x.

Do let us know how that goes.