09-06-2021 08:02 AM
Hello everyone,
We are currently migrating old switches to new 9200L ones. In other places we have recent 2960X switches with working 802.1X authentication.
Before installing the 9200L switches, I'm doing a preconfiguration and testing it. I pasted our 2960X configuration into the 9200L switches and have a small issue making it work with Alcatel phones. (Note: Alcatel phones + computers on the same port work perfectly with the 2960X switches.)
Switch version:
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 28 C9200L-24P-4G 17.03.03 CAT9K_LITE_IOSXE INSTALL
Here is the AAA and RADIUS configuration:
dot1x system-auth-control
aaa new-model
!
aaa group server radius packetfence
server name pfnac
server name pfbackup
!
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
!
radius server pfnac
address ipv4 10.X.X.X auth-port 1812 acct-port 1813
automate-tester username dummy ignore-acct-port idle-time 3
key 7 secret
!
radius server pfbackup
address ipv4 10.X.X.Y auth-port 1812 acct-port 1813
automate-tester username dummy ignore-acct-port idle-time 3
key 7 secret
!
aaa server radius dynamic-author
client 10.X.X.X server-key 7 secret
client 10.X.X.Y server-key 7 secret
port 3799
!
Then, here is the port configuration:
switchport access vlan 10
switchport mode access
switchport voice vlan 2
authentication control-direction in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 28800
authentication timer restart 5
authentication violation replace
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 50
dot1x timeout tx-period 2
dot1x max-req 4
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
But the phone doesn't work.
I've tested many cases:
As soon as I disable 802.1X, it works. I've also copy-pasted the same configuration into a 2960X test switch and it works perfectly fine.
Where do you think my issue comes from? Or am I missing a new configuration? Do you have any commands to run checks?
I can provide more info if needed.
Thanks a lot for your answers.
09-07-2021 12:49 AM - edited 09-07-2021 01:34 AM
Thanks everyone for replying.
I did find a solution, which was a missing configuration on my RADIUS server.
Also, I'd like to thank everyone for answering my thread, since it brought new configuration to make it cleaner.
If anyone is interested in my configuration, it works with 2960X and 9200L switches and Alcatel-Lucent IP phones with PCs behind.
Adrian.
Edit: To be more precise, I used the wrong configuration in PacketFence (RADIUS server). Since they don't have the 9000 series model yet, I took the Cisco Standard one. But you have to use the 2960 model to make it work.
09-06-2021 08:17 AM - edited 09-06-2021 08:20 AM
Here is one of the tested configs from my testing with Avaya phones (on Cat 9300). It is generic and should work most of the time; you can add on top of it. Make sure you enable LLDP and CDP.
interface GigabitEthernetx/x
switchport access vlan XXX <--- DHCP VLAN
switchport mode access
switchport voice vlan VVV <-- Voice VLAN
no logging event link-status
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
end
Test and advise.
09-06-2021 01:43 PM
Hi !
Thanks for your answer.
Unfortunately, it didn't change anything. I tried multi-host and multi-domain but I get the same result. The phone is still unable to connect to the VLAN 2 network.
Adrian.
09-06-2021 04:31 PM
The auth session tells me it succeeded and I even see the auth in the RADIUS server.
Looks to me like something is missing on the ISE config. Do you have complete logs on the ISE side?
09-06-2021 01:32 PM
Hi !
The phone just doesn't get DHCP or the overall connection to the VLAN 2 network.
Without the 802.1X authentication it works. With it, it doesn't. The auth session tells me it succeeded and I even see the auth in the RADIUS server.
Adrian.
09-06-2021 01:42 PM - edited 09-06-2021 02:01 PM
Have you configured ISE to send the Cisco vendor-specific attribute (VSA) that includes the string device-traffic-class = voice? This VSA tells the switch that the device that just authenticated is a phone and should be allowed access to the voice VLAN.
Though I'm not sure whether it applies to Alcatel phones or just Cisco phones.
Refer to this post for more information:
09-06-2021 11:30 PM
I don't see you mentioning it anywhere, but I remember that I had to enable LLDP in order to be able to cascade a phone and PC behind the same port (on Avaya, but I believe it should be the same on all non-Cisco phones which can't talk CDP). By using LLDP, the phone and switch negotiate the configured data and voice VLANs.
With the authorization result that @Rob Ingram is mentioning, you are simply instructing the switch to place this device in the voice VLAN. AFAIK, it is mandatory to return the attribute device-traffic-class = voice if you want to cascade devices.
You can check it with 'show lldp traffic' or 'show lldp interface' to see if it is running. If not, you can enable it with the global configuration command 'lldp run'.
BR,
Milos
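The two replies above (Rob Ingram's on the device-traffic-class = voice VSA and Milos's on LLDP and the authorization result) hinge on one thing the switch reads out of the RADIUS Access-Accept: a Cisco Vendor-Specific attribute carrying the Cisco-AVPair string device-traffic-class=voice. Without it the session lands in the DATA domain and the phone never gets the voice VLAN, which matches the symptom in the thread. The following is an added example, not code from the thread, from PacketFence or from ISE: it encodes that VSA exactly as it goes on the wire (RFC 2865 attribute 26, Cisco enterprise number 9, sub-attribute 1), and parses a reply's attribute section with length checks so a malformed reply raises rather than being misread. The MAC-style user name and the reply bytes are constructed for the demonstration.

```python
"""Encode and inspect the Cisco-AVPair VSA (device-traffic-class=voice)
that puts an 802.1X/MAB session into the voice domain.

Added example, not code from the forum thread, PacketFence or ISE.
Attribute numbers and the Cisco vendor ID are the standard RFC 2865 /
Cisco values; the sample reply bytes below are constructed.
"""
import struct
from typing import List, NamedTuple, Optional

USER_NAME = 1          # RFC 2865 User-Name
VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco-AVPair vendor sub-attribute
VOICE_AVPAIR = "device-traffic-class=voice"


class RadiusAttr(NamedTuple):
    atype: int
    vendor: Optional[int]   # set only for Vendor-Specific attributes
    vtype: Optional[int]    # vendor sub-attribute type, if any
    value: bytes


def encode_string_attr(atype: int, value: str) -> bytes:
    """Plain type/length/value attribute, e.g. User-Name."""
    data = value.encode("ascii")
    if len(data) + 2 > 255:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(data) + 2) + data


def encode_cisco_avpair(avpair: str) -> bytes:
    """Vendor-Specific (26) wrapping one Cisco-AVPair sub-attribute."""
    data = avpair.encode("ascii")
    sub_len = 2 + len(data)        # vendor-type + vendor-length + string
    attr_len = 2 + 4 + sub_len     # type + length + Vendor-Id + sub-attr
    if attr_len > 255:
        raise ValueError("AVPair too long for a single attribute")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, attr_len,
                       CISCO_VENDOR_ID, CISCO_AVPAIR, sub_len) + data


def parse_attributes(payload: bytes) -> List[RadiusAttr]:
    """Walk the attribute section of a RADIUS packet (bytes after the
    20-byte header), expanding Vendor-Specific attributes into their
    sub-attributes. Every length field is validated."""
    attrs: List[RadiusAttr] = []
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError(f"truncated attribute header at offset {i}")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        value = payload[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError(f"Vendor-Specific too short at offset {i}")
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if len(value) - j < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError(f"bad vendor sub-attribute length {vlen}")
                attrs.append(RadiusAttr(atype, vendor, vtype, value[j + 2:j + vlen]))
                j += vlen
        else:
            attrs.append(RadiusAttr(atype, None, None, value))
        i += alen
    return attrs


def cisco_avpairs(attrs: List[RadiusAttr]) -> List[str]:
    """All Cisco-AVPair strings found in a parsed attribute list."""
    return [a.value.decode("ascii", "replace") for a in attrs
            if a.atype == VENDOR_SPECIFIC and a.vendor == CISCO_VENDOR_ID
            and a.vtype == CISCO_AVPAIR]


def authorizes_voice(attrs: List[RadiusAttr]) -> bool:
    """True when the reply carries the AVPair the switch needs to put the
    session in the VOICE domain; a plain Access-Accept lands it in DATA."""
    return VOICE_AVPAIR in cisco_avpairs(attrs)


def build_accept_attrs(mac_user: str, voice: bool) -> bytes:
    """Constructed attribute section of an Access-Accept for a MAB session."""
    out = encode_string_attr(USER_NAME, mac_user)
    if voice:
        out += encode_cisco_avpair(VOICE_AVPAIR)
    return out


if __name__ == "__main__":
    for voice in (False, True):
        attrs = parse_attributes(build_accept_attrs("00-11-22-33-44-55", voice))
        print(f"voice AVPair sent: {voice} -> authorizes voice domain: "
              f"{authorizes_voice(attrs)}; avpairs={cisco_avpairs(attrs)}")
```

Run it as a script to see the two cases side by side: the reply built with voice=False is what a generic switch profile on the RADIUS server produces (session authorized, but in DATA), and the reply built with voice=True is what the switch needs for the phone. To use it on a real reply, feed parse_attributes() the bytes of a captured Access-Accept minus its 20-byte header; the same length checks also reject truncated or corrupted captures.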
09-07-2021 01:27 AM
Good to know it got resolved. It will be helpful to other community members: what was the fix?
09-07-2021 01:35 AM
I did an edit on my answer/solution with the details.
03-21-2022 08:58 AM
Can you share your configuration please?