authentication session does not change on multi-auth port behind Polycom phones

umahar
Cisco Employee

Hello,

How does the switch detect link status for endpoints when they are disconnected behind IP phones on a multi-auth port?

We have an issue where an endpoint is moved from one multi-auth port to another multi-auth port (both behind Polycom phones) but the authentication session still remains on the old port. The MAC-Address table however is updated.

Issue is faced on CAT 6K and CAT 4K switches only for Polycom phones. No issue is seen for Cisco IP Phones.

After clearing authentication session on both the interfaces the authentication session is correctly applied.

Is this a known issue on Polycom phones?

1 Accepted Solution

Accepted Solutions

umahar
Cisco Employee

Thomas/Tim,

Thanks for the response

On going through the Polycom documentation, it is mentioned that Polycom phones too send CDP packets.

Polycom phones can also send proxy EAPoL on behalf of the machine.

However it seems both these are not enabled by default and we need to make changes to the XML configuration file.

Please check the link below

Configuration Parameters | documents.polycom.com

8 Replies

Timothy Abbott
Cisco Employee

Utkarsh,

The switch detects new endpoints on a switchport by MAC address. I suspect the Polycom phones are not telling the switch about the disconnection when the endpoint moves. This would explain why the session remains but the MAC address table is being updated.

Regards,

-Tim

thomas
Cisco Employee

Cisco IP Phones have a special feature called CDP 2nd Port Disconnect which tells the switch when the endpoint behind it is Disconnected. Polycoms don't have this feature.

thomas
Cisco Employee

Thank you for the followup on this, Utkarsh!

Glad to hear they do have the capability so it will work for you!

vibobrov
Cisco Employee

Another common option is to enable the inactivity timer on the port: Wired 802.1X Deployment Guide - Cisco.

That will remove authenticated MAC addresses that don't transmit any data over a certain period of minutes.

Additionally, you can allow MAC addresses to move between ports using this command: authentication mac-move permit. This command will remove a MAC address session if the same MAC address pops up on another port.

Thanks

Thanks Viktor

I tried to capture this behaviour for Cisco IP phone 9971 (running 1.9.4) but could not find any CDP disconnect packet.

However, I did find proxy EAPoL as below, although with a "frame check sequence incorrect" error.

I am sure this is the expected behaviour. I think the error is due to checksum offloading explained as Ethernet Frame Check Sequence set to 0x00000000 | VMware Communities


Maybe these phones don't support CDP second port notification. This is what I see on my 9971. EAPOL Logoff would accomplish the same thing though.

    Device ID: SEPD0C282D00906
    Entry address(es):
      IP address: 10.118.97.3
    Platform: Cisco IP Phone 9971,  Capabilities: Host Phone Two-port Mac Relay
    Interface: GigabitEthernet0,  Port ID (outgoing port): Port 1
    Holdtime : 153 sec
    Second Port Status: Unknown
    Version :
    sip9971.9-4-2SR2-2
    advertisement version: 2
    Duplex: full
    Power drawn: 12.804 Watts
    Power request id: 1547, Power management id: 2
    Power request levels are:12804 0 0 0 0

I was able to get the Polycom Phone working with EAPoL proxy logoff.

Adding the line <sec.dot1x.eapollogoff sec.dot1x.eapollogoff.enabled="1"> in the configuration file made it work.
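
The symptom from the original question (an authentication session left on the old port while the MAC address table already shows the endpoint elsewhere) can be checked for by comparing the two tables. The script below is an added example, not part of the original thread or any Cisco or Polycom tooling; the sample output, MAC addresses and port names are constructed, and the column layout is a simplified assumption that differs between platforms and releases.

```python
import re

# Constructed sample output, simplified from the column layout of
# "show authentication sessions" and "show mac address-table";
# real layouts differ between platforms and software releases.
AUTH_SESSIONS = """\
Interface  MAC Address     Method  Domain  Status         Session ID
Gi1/0/1    0011.2233.4455  dot1x   DATA    Authz Success  0A0A0A0100000001
Gi1/0/1    0004.f2aa.bb01  mab     VOICE   Authz Success  0A0A0A0100000002
Gi1/0/2    0004.f2aa.bb02  mab     VOICE   Authz Success  0A0A0A0100000003
Gi1/0/3    0011.2233.6677  dot1x   DATA    Authz Success  0A0A0A0100000004
"""
MAC_TABLE = """\
Vlan  Mac Address     Type     Ports
10    0011.2233.4455  DYNAMIC  Gi1/0/2
20    0004.f2aa.bb01  DYNAMIC  Gi1/0/1
20    0004.f2aa.bb02  DYNAMIC  Gi1/0/2
"""

MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.I)
PORT_RE = re.compile(r"\b(?:Fa|Gi|Te)\d+(?:/\d+)+\b")

def parse(text):
    """Map MAC -> set of ports for every line that holds both a MAC and a port."""
    table = {}
    for line in text.splitlines():
        mac, port = MAC_RE.search(line), PORT_RE.search(line)
        if mac and port:
            table.setdefault(mac.group().lower(), set()).add(port.group())
    return table

def stale_sessions(auth_text, mac_text):
    """Return (mac, session_port, learned_ports) for sessions on a port where the MAC is not learned."""
    sessions, learned = parse(auth_text), parse(mac_text)
    findings = []
    for mac, ports in sorted(sessions.items()):
        seen = learned.get(mac, set())
        for port in sorted(ports):
            if port not in seen:
                # Empty learned list: the MAC has aged out but the session remains.
                findings.append((mac, port, sorted(seen)))
    return findings

if __name__ == "__main__":
    for mac, port, seen in stale_sessions(AUTH_SESSIONS, MAC_TABLE):
        print(f"{mac}: session on {port}, MAC learned on {seen or 'no port'}")
```

A finding with a different learned port matches the moved-endpoint case in the question; a finding with no learned port is a silent or departed endpoint whose session is still open.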