topic Re: Mitel - DHCP Discovery in Network Access Control

Mitel - DHCP Discovery

alliasneo1 — Tue, 23 Apr 2024 11:28:29 GMT

Hi, I have a Mitel 5312 phone plugged into a switchport configured for ISE but when it boots up it gets stuck on DHCP Discovery. If I put the port to authentication open then it goes through and boots up as normal.

The logs all look ok but I can't see why it's not getting an ip address.

This is for MAB.

Any ideas? thanks

Re: Mitel - DHCP Discovery

Rob Ingram — Tue, 23 Apr 2024 11:40:47 GMT

@alliasneo1 when the switch is in closed mode, is the phone actually successfully authenticated and authorised in ISE?

Are you pushing down the voice domain permission as well? https://www.ciscopress.com/articles/article.asp?p=2091952&seqNum=4

Re: Mitel - DHCP Discovery

MHM Cisco World — Tue, 23 Apr 2024 11:49:31 GMT

you need to use low-impact mode

MHM

Re: Mitel - DHCP Discovery

Aref Alsouqi — Tue, 23 Apr 2024 12:27:47 GMT

I ran into similar issues a few times with my customers and the issue was caused by the delay between switching from dot1x to MAB. The fix in my cases was to flip the order by making MAB first and then dot1x leaving the priority to be dot1x first and then MAB. Not sure if this is the case in your scenario.

Re: Mitel - DHCP Discovery

alliasneo1 — Tue, 23 Apr 2024 12:36:54 GMT

Hi,

Thank you for your response, I tried reversing the order but keeping the priority the same but this didn't work.

Re: Mitel - DHCP Discovery

alliasneo1 — Tue, 23 Apr 2024 12:42:06 GMT

Hi,

Low impact mode would completly change the port config though wouldn't it?

At the moment I have this as the config:

interface GigabitEthernet1/0/23
description 'PHONE'
switchport access vlan xx
switchport mode access
switchport voice vlan xx
device-tracking attach-policy IPDT_POLICY
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 65535
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

But as I understand Low impact mode it would change it to be more like this:

interface gx/x/x

authentication host-mode multi-auth

authentication open

authentication port-control auto

mab

dot1x ape authenticator

ip access-group default-ACL in

exit

ip access-list extended default-ACL

permit udp any any log

deny ip any any log

Re: Mitel - DHCP Discovery

Aref Alsouqi — Tue, 23 Apr 2024 12:50:33 GMT

You're welcome. I would suggest you try to remove dot1x from a switch port config leaving only MAB and test, if that works, then the issue would most likely be the timer of falling back from dot1x to MAB. In that case you can try to reduce the timers gradually until you find the right value that allows the phone to get their IP address.

Re: Mitel - DHCP Discovery

alliasneo1 — Tue, 23 Apr 2024 12:54:54 GMT

Hi,

Yes the phone has succesfully authenticated and it is authorised.

The switch is currently in closed mode, this is the port config:

interface GigabitEthernet1/0/23
description 'PHONE'
switchport access vlan xx
switchport mode access
switchport voice vlan xx
device-tracking attach-policy IPDT_POLICY
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 65535
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

Re: Mitel - DHCP Discovery

alliasneo1 — Tue, 23 Apr 2024 13:02:48 GMT

Hi,

I'm not sure if I've done this correctly but I stripped back the config to this:

interface GigabitEthernet1/0/23
description 'PHONE'
switchport access vlan xx
switchport mode access
switchport voice vlan xx
device-tracking attach-policy IPDT_POLICY
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication violation restrict
mab
spanning-tree portfast

But it still fails. As soon as I add authentication open to this, it works.

Re: Mitel - DHCP Discovery

Rob Ingram — Tue, 23 Apr 2024 13:06:26 GMT

@alliasneo1

What about the voice-domain permission pushed down to the NAD?

Your dot1x tx-period is not excessively long, so I would not expect the endpoint to time out waiting for a DHCP request. I've a customer with also with mitel phones and tx-period of 10 seconds, they work fine.

FYI the recommended dot1x timer values are:

c9300-Sw(config-if)#dot1x timeout tx-period 7
c9300-Sw(config-if)#dot1x max-reauth-req 3

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Enable RADIUS/AAA debugs, test and provide the output for review.

Re: Mitel - DHCP Discovery

alliasneo1 — Tue, 23 Apr 2024 13:17:26 GMT

When you say, What about the voice-domain permission pushed down to the NAD?

I have the 'Authorisation Profile' with 'Voice Domain Permission' ticked under common tasks. - Is that all I need?

Re: Mitel - DHCP Discovery

Aref Alsouqi — Tue, 23 Apr 2024 13:29:55 GMT

Yeah you got it right. Could you please share the output of the command "show authentication sessions interface < the interface where a phone is connected > details" for review? the command should be issued while the port is configured in closed mode please.

Re: Mitel - DHCP Discovery

alliasneo1 — Tue, 23 Apr 2024 13:30:54 GMT

I just pasted the config back onto the port and removed authentication open and the phone is working now. I can see the ip address in ISE. How strange.

Re: Mitel - DHCP Discovery

alliasneo1 — Tue, 23 Apr 2024 13:40:56 GMT

It appears to be working now. I put the port config back on and removed authentiation open. rebooted the phone and now it's booted up correctly and I can see the ip address in ISE.

Re: Mitel - DHCP Discovery

Aref Alsouqi — Tue, 23 Apr 2024 14:39:20 GMT

Glad it worked. If you see some inconsistent behaviour, probably worth checking with the vendor if there is any known issues with the firmware release they are running and maybe there is an updated firmware version.

Re: Mitel - DHCP Discovery

MHM Cisco World — Tue, 23 Apr 2024 14:42:41 GMT

Yes, but if you move the 802.1x and it work then there is issue in order, let me check it
update you tonight

MHM

Re: Mitel - DHCP Discovery

MHM Cisco World — Wed, 24 Apr 2024 09:15:39 GMT

authentication event fail action next-method <- only remove this and keep your port config as it

MHM