Our site uses 802.1x w/MAC Address Bypass List for port authentication. This has not been a problem for the past 2 years. A couple of weeks ago our Network Team lead implemented an auto configuration on the ports with ISE where the device gets plugged in, gets power and VLAN, DHCP and Option 150 to the TFTP servers. The devices authenticate after ~15 seconds, when the three 5-second attempts time out and it goes to MAB. The devices come up and work fine for about 2,000 phones on site.
Problems began when this autoconfiguration came into play, and a port config looks like this on our 3750-x switches:
!
interface GigabitEthernet2/0/23
 switchport access vlan 333
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 334
 switchport port-security maximum 10
 switchport port-security
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 no mdix auto
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 storm-control action shutdown
 storm-control action trap
 spanning-tree portfast edge
Now, we have a few sporadic instances where phones are up and working, then they just drop registration to the CUCM. Show interface on the port shows UP UP (connected). Show Auth Session on the port shows Auth MAB. I can get to the device interface if I click on the IP of the device in CUCM, BUT the device will not register. When I do a show IP arp | i <MAC add>, it is not arp'ing to the core.
Bouncing the port does not really work, physically unplugging the device does not really work, BUT moving the cable from one port to another free port on the switch almost always works.
Our network team is looking into something with cached credentials on the ISE servers, as the devices seem to be re-authing a lot, but the servers are set up to Auth once and be done.
Is there anything I can look into on the CUCM (11.5.1) or the Devices (7841, 7811, 8861, 8865, 7960) that could be causing loss of registration?