Cisco Employee

authentication session does not change on multi-auth port behind Polycom phones

Hello,

How does the switch detect link status for endpoints when they are disconnected behind IP phones on a multi-auth port?

We have an issue where an endpoint is moved from one multi-auth port to another multi-auth port (both behind Polycom phones) but the authentication session still remains on the old port. The MAC-Address table however is updated.

Issue is faced on CAT 6K and CAT 4K switches only for Polycom phones. No issue is seen for Cisco IP Phones.

After clearing authentication session on both the interfaces the authentication session is correctly applied.

Is this a known issue on Polycom phones?

Accepted Solutions

Thomas/Tim,

Thanks for the response

On going through Polycom documentation it is mentioned that Polycom phones too send CDP packets.

Polycom phones can also send proxy EAPoL on behalf of the machine.

However it seems both these are not enabled by default and we need to make changes to the XML configuration file.

Please check the link below

Configuration Parameters | documents.polycom.com

Cisco Employee

Utkarsh,

The switch detects new endpoints on a switchport by MAC address. I suspect the Polycom phones are not telling the switch about the disconnection when the endpoint moves. This would explain why the session remains but the MAC address table is being updated.

Regards,

-Tim
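The symptom discussed in this thread (an authentication session left on the old port while the MAC address table already shows the new port) can be checked for across a switch by comparing the two tables. The script below is an added example, not part of the original thread; the sample output is constructed and simplified, and because column layouts differ by platform and software release, the regular expressions are assumptions to adapt.

```python
import re

# Constructed, simplified sample output; real column layout varies by platform.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/2
  20    aabb.cc00.0101    DYNAMIC     Gi1/0/1
  20    aabb.cc00.0202    DYNAMIC     Gi1/0/2
  10    0066.7788.99aa    DYNAMIC     Gi1/0/5
"""
AUTH_SESSIONS = """\
Interface  MAC Address     Method  Domain  Status         Session ID
Gi1/0/1    0011.2233.4455  dot1x   DATA    Authz Success  0A000001000000010000AAAA
Gi1/0/1    aabb.cc00.0101  mab     VOICE   Authz Success  0A000001000000020000BBBB
Gi1/0/2    aabb.cc00.0202  mab     VOICE   Authz Success  0A000001000000030000CCCC
Gi1/0/5    0066.7788.99aa  dot1x   DATA    Authz Success  0A000001000000040000DDDD
"""

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def parse_mac_table(text):
    """Return {mac: set(ports)} for every learned entry; header lines are skipped."""
    learned = {}
    for line in text.splitlines():
        m = re.match(rf"\s*\d+\s+({MAC_RE})\s+\S+\s+(\S+)", line, re.I)
        if m:
            learned.setdefault(m.group(1).lower(), set()).add(m.group(2))
    return learned

def parse_sessions(text):
    """Return [(interface, mac)] for every authentication session line."""
    found = (re.match(rf"(\S+)\s+({MAC_RE})\s", line, re.I) for line in text.splitlines())
    return [(m.group(1), m.group(2).lower()) for m in found if m]

def stale_sessions(mac_text, session_text):
    """Sessions whose MAC is currently learned, but only on a different port."""
    learned = parse_mac_table(mac_text)
    stale = []
    for port, mac in parse_sessions(session_text):
        ports = learned.get(mac)
        # A MAC absent from the table (aged out) is not flagged here;
        # the inactivity timer is what covers that case.
        if ports and port not in ports:
            stale.append((mac, port, sorted(ports)))
    return stale

if __name__ == "__main__":
    for mac, old, new in stale_sessions(MAC_TABLE, AUTH_SESSIONS):
        print(f"{mac}: session on {old}, MAC learned on {', '.join(new)}")
```

Port names must be in the same abbreviated form in both outputs for the comparison to work.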

Cisco Employee

Cisco IP Phones have a special feature called CDP 2nd Port Disconnect which tells the switch when the endpoint behind it is Disconnected. Polycoms don't have this feature.


Thank you for the followup on this, Utkarsh!

Glad to hear they do have the capability so it will work for you!

Cisco Employee

Another common option is to enable the inactivity timer on the port: Wired 802.1X Deployment Guide - Cisco.

That will remove authenticated MAC addresses that don't transmit any data over a certain period of minutes.

Additionally, you can allow MAC addresses to move between ports using this command: authentication mac-move permit. This command will remove a MAC address session if the same MAC address pops up on another port.

Thanks


Thanks Viktor

I tried to capture this behaviour for Cisco IP phone 9971 (running 1.9.4) but could not find any CDP disconnect packet.

However, I did find proxy EAPoL as below, although with a frame check sequence incorrect error.

I am sure this is the expected behaviour. I think the error is due to checksum offloading explained as Ethernet Frame Check Sequence set to 0x00000000 | VMware Communities



Maybe these phones don't support CDP second port notification. This is what I see on my 9971. EAPOL Logoff would accomplish the same thing though.

Device ID: SEPD0C282D00906
Entry address(es):
  IP address: 10.118.97.3
Platform: Cisco IP Phone 9971,  Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet0,  Port ID (outgoing port): Port 1
Holdtime : 153 sec
Second Port Status: Unknown
Version :
sip9971.9-4-2SR2-2
advertisement version: 2
Duplex: full
Power drawn: 12.804 Watts
Power request id: 1547, Power management id: 2
Power request levels are:12804 0 0 0 0


I was able to get the Polycom Phone working with EAPoL proxy logoff.

Adding the line <sec.dot1x.eapollogoff sec.dot1x.eapollogoff.enabled="1"> in the configuration file made it work.
