
Cisco IP Phone 7942-G EAP-TLS Issue

john.dejesus
Level 1

Hi,

 

I was trying to troubleshoot 802.1x issues with 7942-G IP Phones (SCCP version 9.4.2ES22). What happened was that the IP phone would suddenly go to "Configuring IP". This IP phone was previously authenticated through 802.1x using EAP-TLS. When I did the packet capture on the port, I noticed that the phone was not replying to the EAP-Request and would eventually time out with EAP Failure Code 4. Our NAC server shows (Request time out, client did not complete eap transaction).

 

It only returns to normal after I bounce the switch port or do a hard reset on the phone. But the issue keeps occurring randomly. There is no specific time interval either, so it's kind of hard to pinpoint the issue. I have attached the Wireshark packet capture for reference.

 

Below is the summary of events based on the packet capture file. Between 16:23:16 and 16:26:56.62 no EAP packets were found. I bounced the switch port at 16:27:10.19, and then the phone started the authentication process.

 

16:23:16 - The phone is "Configuring IP" and Sends DHCP Discover
16:26:56.62 - EAP Failure (CPPM Logs: Request time out, client did not complete eap transaction)
16:27:10.15 - Cisco Sends LLDP Untagged Packets
16:27:10.19 - EAPOL START from Cisco IP Phone (After port bounced)
16:27:10.23 - Alcatel send EAP Request; Type: Identity
16:27:10.29 - Cisco Send EAP Response; Type: Identity
16:27:10.47 - Alcatel send EAP Request; Type: EAP-TLS
16:27:10.54 - Cisco Send TLS Client Hello
16:27:10.63 - Alcatel Send Server Hello, Cert, Cert Req
16:27:11.29 - Alcatel send EAP-TLS
16:27:14.02 - Cisco Send Cert Client Key Exchange
16:27:14.11 - Alcatel Send Change Cipher Spec
16:27:14.12 - Cisco Send Response EAP-TLS
16:27:14.33 - Alcatel Send EAP Auth Success
16:27:24.97 - Cisco DHCP Discover
16:27:29.96 - DHCP Offer
16:27:30.086 - DHCP Request
16:27:30.087 - DHCP ACK
16:27:30.59 - Cisco sends LLDP Tagged Packet Voice Vlan 354

 

The phone is connected to a non-Cisco switch (Alcatel 6860E) and a non-Cisco NAC server (Aruba ClearPass Policy Manager). I am posting this issue here because maybe I could find similar issues integrating Cisco IP Phones with a non-Cisco switch and NAC server.

 

Thank you in advance for your support.
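
An added example (not part of the original post or the capture attached to it): a small decoder for EAPOL/EAP headers that flags an EAP Request retransmitted with the same Identifier and then ended by an EAP Failure with no Response in between, which is the pattern the post describes. The frames in `SAMPLE` are constructed, and the function names are hypothetical.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}

def decode_eapol(frame: bytes) -> dict:
    """Decode an EAPOL payload (the bytes that follow EtherType 0x888E)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != 0:  # 0 = EAP-Packet, 1 = EAPOL-Start, 2 = EAPOL-Logoff
        return {"kind": "EAPOL-Start" if ptype == 1 else f"EAPOL-type-{ptype}"}
    body = frame[4:4 + length]
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, _eap_len = struct.unpack("!BBH", body[:4])
    eap_type = body[4] if code in (1, 2) and len(body) > 4 else None
    return {"kind": EAP_CODES.get(code, f"code-{code}"), "id": ident,
            "type": EAP_TYPES.get(eap_type, eap_type)}

def unanswered_requests(capture):
    """capture: iterable of (seconds, eapol_bytes); returns stalled exchanges."""
    pending, findings = None, []
    for ts, raw in capture:
        pkt = decode_eapol(raw)
        if pkt["kind"] == "Request":
            if pending and pending["id"] == pkt["id"]:
                pending["sent"] += 1  # same Identifier means a retransmission
            else:
                pending = {"id": pkt["id"], "type": pkt["type"], "first": ts, "sent": 1}
        elif pkt["kind"] == "Response" and pending and pending["id"] == pkt["id"]:
            pending = None  # supplicant answered the outstanding Request
        elif pkt["kind"] == "Failure" and pending:
            findings.append({**pending, "failed_at": ts})  # gave up waiting
            pending = None
        elif pkt["kind"] in ("Success", "EAPOL-Start"):
            pending = None
    return findings

def eap(code, ident, eap_type=None):
    body = bytes([eap_type]) if eap_type is not None else b""
    packet = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 1, 0, len(packet)) + packet

# Constructed frames: 3 unanswered Identity Requests, a Failure, then a full exchange.
SAMPLE = [(0.0, eap(1, 7, 1)), (30.0, eap(1, 7, 1)), (60.0, eap(1, 7, 1)),
          (90.0, eap(4, 7)), (103.5, b"\x01\x01\x00\x00"), (103.6, eap(1, 8, 1)),
          (103.7, eap(2, 8, 1)), (103.8, eap(1, 9, 13)), (103.9, eap(2, 9, 13)),
          (107.0, eap(3, 9))]
```

Run over frames exported from a real capture, each finding gives the Identifier, the EAP type the supplicant stopped answering, the retransmission count and the time of the Failure, which can be lined up against the NAC server's timeout log.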

2 Replies

R0g22
Cisco Employee
Can you take a console log from the phone during the event? The pcaps start when you have Configuring IP. The phone should not drop registration in the first place.
Also, have you tested this with a Cisco switch?

Hi,

I will get the console logs and get back to you. Unfortunately, they don't have a Cisco switch.

Thanks,
John