andreasalberti
Beginner

Clients behind Avaya telephones

Hello everybody,

We use 802.1x to authenticate our telephones and also the devices that are connected to the telephones (notebooks, PCs and so on).

The problem is, if I unplug the end device, the session remains authenticated and I can no longer use the end device on any other port.

Even after 2 days the session remains authenticated and the CAM table does not change either.

If I assign the parameter "authentication timer inactivity 30" on the switchport then it works. But since we also use Meraki switches, this is not a suitable workaround. Furthermore, I set the reauthentication timer to 30 in the authorization profile on the ISE as a test. Unfortunately without success.

 

The devices are connected as follows:

Switch Port -> Avaya telephone -> Notebook

 

I am sure this is config related.

Maybe one or the other already had this problem and has a flash of inspiration for me.

 

Port Configuration

description VOIP/PC
switchport mode access
switchport nonegotiate
switchport voice vlan 220
switchport port-security maximum 10
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable

 

 

Best regards

1 ACCEPTED SOLUTION

paul
Advocate

The Avaya phones support the EAP Proxy Logoff feature, which is not enabled by default. You just need to enable that feature on your phone and the phone will send an EAP logoff when the 802.1x device disconnects.


3 REPLIES
That's what we had to do. We had to enable the proxy logoff as well as the inactivity timer. We haven't had issues.

thomas
Cisco Employee

Correct. See Avaya 802.1X Authentication, Link Layer Discovery Protocol (LLDP), and Avaya IP Telephones

 

802.1X Pass Through (PC Authentication)

Beginning with 46xx H.323 Release 2.3, 96xx H.323 Release 1.0, 96xx SIP Release 1.0, and 16xx H.323 Release 1.0, the Ethernet switches built into Avaya IP telephones support forwarding of messages that have the 802.1X reserved multicast group address as the MAC-layer Destination Address. This allows a laptop or workstation connected to the secondary Ethernet port on Avaya telephones to authenticate with an Ethernet switch on the network. Beginning with 46xx H.323 Release 2.6, 96xx H.323 Release 1.0, 96xx SIP Release 2.0, and 16xx H.323 Release 1.0, the telephone can provide additional security by sending an EAPOL-Logoff message to the Ethernet switch when the device connected to the telephone disconnects from the Ethernet port. This functionality, also known as proxy logoff, prevents another device from using the port without first authenticating via 802.1X.
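To confirm from a packet capture taken on the switch-facing side of the phone that an EAPOL-Logoff really is sent when the PC is unplugged, the frames can be checked as below. This is an added example, not part of the original thread and not Avaya or Cisco code; the function names are illustrative, and the sample frames and the MAC 02:00:00:00:00:01 are constructed.

```python
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X reserved multicast group address
ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_DOT1Q = 0x8100
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def parse_eapol(frame: bytes):
    """Return a dict describing an EAPOL frame, or None if the frame is not EAPOL."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_DOT1Q:  # skip one 802.1Q tag if present
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETHERTYPE_EAPOL or len(frame) < offset + 4:
        return None
    # EAPOL header: protocol version, packet type, body length
    version, ptype, body_len = struct.unpack("!BBH", frame[offset:offset + 4])
    return {
        "src": src.hex(":"),
        "to_pae_group": dst == PAE_GROUP_ADDR,
        "version": version,
        "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
        "body_len": body_len,
    }


def logoffs(frames):
    """Source MACs of well-formed EAPOL-Logoff frames (type 2, empty body)."""
    return [p["src"] for p in map(parse_eapol, frames)
            if p and p["type"] == "EAPOL-Logoff" and p["body_len"] == 0]


# Constructed sample frames (not captured traffic); the MAC below is made up.
PC_MAC = bytes.fromhex("020000000001")
SAMPLE = [
    PAE_GROUP_ADDR + PC_MAC + bytes.fromhex("888e01010000"),              # EAPOL-Start
    PAE_GROUP_ADDR + PC_MAC + bytes.fromhex("888e01020000") + bytes(42),  # EAPOL-Logoff, padded
    PAE_GROUP_ADDR + PC_MAC + bytes.fromhex("0800") + bytes(46),          # IPv4, ignored
]

if __name__ == "__main__":
    print(logoffs(SAMPLE))
```

The returned source MACs can be compared with the MAC of the session that stays authenticated on the switch port; an empty result after unplugging the PC indicates that no logoff reached the switch.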
