12-05-2023 05:06 AM
Hi dear community,
I need your help ^^
I have implemented Dynamic VLAN Assignment on our infrastructure, with some ICX 7250 (SPS08030e) and Aruba ClearPass as the authentication server.
I have an issue when I try to authenticate IP phones (mac-auth).
The IP phones are AASTRA 6731i.
When I connect the IP phone alone on the switch port, it doesn't get an IP and stays in the state (network initialize). But when I connect a computer (dot1x) behind the IP phone (in the initialize state), the IP phone WORKS!! And the cherry on the cake (French expression): when I connect the phone to the switch with the PC already on the phone, they both DON'T WORK.
Of course, authentication for the computer alone works well.
This is my config:
authentication
 auth-default-vlan 60
 no filter-strict-security enable
 auth-vlan-mode multiple-untagged
 disable-aging denied-mac-only
 dot1x enable
 dot1x enable ethe 1/1/10
 mac-authentication enable
 mac-authentication enable ethe 1/1/10
interface ethernet 1/1/10
 dot1x port-control auto
 inline power
 voice-vlan 8
lldp med network-policy application voice tagged vlan 8 priority 6 dscp 6 ports ethe 1/1/10
lldp run
I hope someone can help me with this case 🙂
Thank you very much.
Kevin.
12-05-2023 05:10 AM
Maybe I should give some more information.
The VLAN assignment is pushed by ClearPass with a RADIUS:IETF attribute in an Enforcement Profile in ClearPass (works well for other types of device).
And the auth-default-vlan 60 in the ICX config is an empty VLAN which exists only on the switch with nothing behind it.
12-06-2023 07:04 AM - edited 12-06-2023 07:05 AM
Hi Kevin,
Based on the details shared, could you check once with only mac-auth for the IP phone and let us know?
If only mac-auth for the IP phone works as expected, then try adding the statement below:
auth-order mac-auth dot1x
under authentication, and check once more. Here we would be allowing the system to undergo mac-auth first and then dot1x.
Do let us know, how that goes.