12-07-2020 04:20 AM
Hello everybody,
we use 802.1x to authenticate our telephones and also the devices that are connected to the telephones. (Notebooks, PCs and so on)
The problem is, if I unplug the end device, the session remains authenticated and I can no longer use the end device on any other port.
Even after 2 Days the Session remains authenticated and the cam table does not change either.
If I assign the parameter "authentication timer inactivity 30" on the switchport then it works. But since we also use Meraki switches, this is not a suitable workaround. Furthermore, I set the reauthentication timer to 30 in the authorization profile on the ISE as a test. Unfortunately without success.
The devices are connected as follows:
Switch Port -> Avaya telephone -> Notebook
I am sure this is config related.
Maybe one or the other has already had this problem and has a flash of inspiration for me.
Port Configuration
description VOIP/PC
switchport mode access
switchport nonegotiate
switchport voice vlan 220
switchport port-security maximum 10
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
Best regards
12-07-2020 08:01 AM
The Avaya phones support EAP Proxy Logoff feature which is not enabled by default. You just need to enable that feature on your phone and the phone will send an EAP logoff when the 802.1x device disconnects.
12-08-2020 07:47 AM
That's what we had to do. We had to enable the proxy logoff as well as the inactivity timer. We haven't had issues.
12-14-2020 07:41 PM
Correct. See Avaya 802.1X Authentication, Link Layer Discovery Protocol (LLDP), and Avaya IP Telephones
802.1X Pass Through (PC Authentication)
Beginning with 46xx H.323 Release 2.3, 96xx H.323 Release 1.0, 96xx SIP Release 1.0, and 16xx H.323 Release 1.0, the Ethernet switches built into Avaya IP telephones support forwarding of messages that have the 802.1X reserved multicast group address as the MAC-layer Destination Address. This allows a laptop or workstation connected to the secondary Ethernet port on Avaya telephones to authenticate with an Ethernet switch on the network. Beginning with 46xx H.323 Release 2.6, 96xx H.323 Release 1.0, 96xx SIP Release 2.0, and 16xx H.323 Release 1.0, the telephone can provide additional security by sending an EAPOL-Logoff message to the Ethernet switch when the device connected to the telephone disconnects from the Ethernet port. This functionality, also known as proxy logoff, prevents another device from using the port without first authenticating via 802.1X.
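The thread's conclusion has two halves: the switch-side inactivity timer and the phone-side EAPOL-Logoff (proxy logoff) setting. The phone setting lives on the Avaya handset, so a switch config audit cannot see it, but the switch-side half is easy to check across a fleet. The script below is an added example, not code from the thread or from Cisco/Avaya: it parses an IOS running-config excerpt (a constructed sample that mirrors the port configuration in the question, with a second port carrying the "authentication timer inactivity 30" workaround and a trunk that should be ignored), flags 802.1X access ports that have a voice VLAN but no inactivity timer, and prints the remediation lines. Interface names and the 30-second value are assumptions taken from the post, not recommendations for any particular environment.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config excerpt (not from the thread).
# Gi1/0/1 mirrors the port configuration in the question (no inactivity timer),
# Gi1/0/2 adds the workaround the poster tested, Gi1/0/3 is an unrelated trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description VOIP/PC
 switchport mode access
 switchport voice vlan 220
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description VOIP/PC
 switchport mode access
 switchport voice vlan 220
 authentication host-mode multi-auth
 authentication port-control auto
 authentication timer inactivity 30
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description UPLINK
 switchport mode trunk
!
"""

INACTIVITY_RE = re.compile(r"^authentication timer inactivity (\d+|server)")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [stripped sub-lines]}.

    A block starts at a non-indented 'interface ...' line and ends at the next
    non-indented line (usually '!').
    """
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def inactivity_timer(lines: List[str]) -> Optional[str]:
    """Return the configured inactivity timer value ('30', 'server', ...) or None."""
    for line in lines:
        m = INACTIVITY_RE.match(line)
        if m:
            return m.group(1)
    return None


def find_stale_session_risk(config: str) -> Dict[str, str]:
    """Return {interface: reason} for 802.1X access ports with a voice VLAN
    (phone with a daisy-chained PC) that have no inactivity timer, which is
    the switch-side condition the thread describes: an unplugged PC keeps
    its authenticated session on that port."""
    findings: Dict[str, str] = {}
    for name, lines in parse_interfaces(config).items():
        is_dot1x = "authentication port-control auto" in lines
        has_voice = any(l.startswith("switchport voice vlan") for l in lines)
        if not (is_dot1x and has_voice):
            continue
        if inactivity_timer(lines) is None:
            findings[name] = ("no 'authentication timer inactivity'; a device unplugged "
                              "behind the phone keeps its session until reauthentication")
    return findings


def remediation(interface: str, seconds: int = 30) -> List[str]:
    """Config lines to add the inactivity timer (value assumed from the post)."""
    return [f"interface {interface}", f" authentication timer inactivity {seconds}"]


if __name__ == "__main__":
    for iface, reason in find_stale_session_risk(SAMPLE_CONFIG).items():
        print(f"{iface}: {reason}")
        print("\n".join(remediation(iface)))
```

Run against a real `show running-config` dump the script reports only ports that look like phone-plus-PC 802.1X ports and leaves trunks and data-only ports alone; pair its output with the handset's proxy logoff setting, since the timer alone only ages the session out rather than clearing it at unplug time.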