magnum629
Enthusiast

8831 802.1x Issues with 10.3(1)sr3 firmware

CUCM: 10.5.2

Device: 8831

Device Firmware: 10.3(1)SR3

Common Phone Profile: 802.1x Authentication field = Enabled

We have 802.1x enabled in our environment and our phones have LSC installed on them in order to authenticate on the network. We upgraded our 8831 to the SR3 firmware because we were running into a bug related to the 10.3(1) version we were on. We have to install new LSC to the phones. We have had no issues doing this process with any other model of phone we have, and I have tested this process with other 8831 firmware versions; this is happening on the SR3 firmware only (and any ES versions built from SR3).

Phone is plugged into NAC port

In CUCM > CAPF operation = Install/Upgrade, 2048, future date > Save > Apply config on device

Other device models and other 8831 firmware versions > phone resets and installs the LSC

The 8831 on the SR3 and ES6 firmware I tested, this is what happens:

On the device itself under security setup > 802.1x > device authentication becomes disabled and there is no edit button 

In order to get the device re-registered with CUCM, I found this convoluted way to get the device re-registered but the CAPF operation never completes and the new LSC is never installed.  During all my testing, I found if I change the Common Phone Profile 802.1x authentication to 'User Controlled' instead of 'Enabled' and try again, it seems to be successful and the new LSC is installed.

I have a TAC case open about this and need to collect the logs, but has anyone ever seen something related to this? All of our other devices use the same CPP where 802.1x is enabled and sit on NAC ports, and none of them have this problem. Same with any other version of 8831 firmware: the CAPF operation is successful with the setting of 'Enabled'. For the SR3 and ES6 versions, it seems to have an issue performing CAPF operations when the CPP 802.1x setting is set to "Enabled".

1 ACCEPTED SOLUTION

Accepted Solutions

Hi Kevin
It is a bug in the FW and I also found the bug in the SR4 FW. I have informed Cisco TAC of the bug but they are not doing much with it. They wanted me to spend more time collecting more logs and basically doing all the testing and work I already did for the previous FW versions. So I would not expect TAC to address this issue anytime soon. Plus, the bug they originally opened for this no longer exists.
The same workaround works. Either you have to plug the phone into a non-NAC port and complete the LSC (CAPF Operation) Install -OR- if the phone is plugged into a NAC port and if you check the Common Phone Profile settings on the device and have the 802.1x set to 'User Controlled' and then push the CAPF operation, it is successful.


3 REPLIES
Schpice
Beginner

Hello,

I have exactly the same issue with 10.3(1)sr4 firmware.

You said that you had opened a TAC case. Did you get an answer?

From my side, I have found another workaround to make the LSC update on the phone. You have to disable 802.1x on the port of the switch, update LSC on the phone and re-enable the 802.1x on the switch.

Regards

Kevin

Hello,

Thanks for this answer. I have opened a ticket with Cisco TAC as well. I'm still waiting for their analysis.

I can keep you up to date if I have some more info.

Kevin
