
IP Phone not getting Auto Voice VLAN if no passthrough connected

mdsgnmds
Level 1

Hello all,

I am trying to set up three CBS 350 switches to have the following features:

Workstation ports have Auto Voice VLAN, LAN with 802.1x and guest access for devices that don't authenticate with 1x.

In 99% of cases each switch port will go to an IP Phone (Grandstream GXP2170) and a corporate computer will be connected to the passthrough PC port on the IP Phone. Guest access is for rare cases of employees connecting their private laptops.

The issue I am facing now is that if an IP phone is connected without any device in the passthrough/PC port, then it fails to get Auto Voice VLAN and ends up on the guest VLAN. If a computer is connected to the passthrough/PC port (it does not matter if it is corporate with 1x authentication or gets a guest VLAN) then the phone gets on the voice VLAN without a problem.

Also the Smartport macro for IP Phone + Desktop is failing on the command: "port security discard trap 60" with error: "802.1x Guest Enable prevents executing Lock Port Disable."

Here is my config:

VLANs: LAN(3) Guest(6) Voice(10)

Port vlan: Trunk(3U,10T), Operational ports: 3U, 6G, 10T

Smartport set to auto

802.1x: Host authentication set to multiple sessions, Guest vlan enabled.

Not sure what other info is needed, so just ask what additional information I should provide.

4 Replies

Rodrigo Diaz
Cisco Employee

Hello @mdsgnmds, as it would appear that the issue is only when a phone is connected and it's not being assigned correctly, I would verify whether the Access Accept request of the RADIUS server is giving you the following attributes within the phone's session (example taken from ISE attributes sent to the endpoint's session, where within the authorization profile we have the option "voice domain permission" enabled). There should be other attributes that are proper to the assigned VLAN, like Tunnel-Type, that correspond to the VLAN:

Access Type = ACCESS_ACCEPT

cisco-av-pair = device-traffic-class=voice
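
The check this reply describes, as an added example (not part of the original reply and not Cisco's code): a small parser that takes a raw RADIUS Access-Accept and reports whether it carries `cisco-av-pair = device-traffic-class=voice` and a VLAN in the tunnel attributes. The sample packets are constructed, and the attribute numbers (Vendor-Specific 26 with Cisco enterprise number 9, Tunnel-Type 64, Tunnel-Private-Group-ID 81) are the standard RADIUS values, assumed to be what the server sends.

```python
import struct

ACCESS_ACCEPT, VSA, TUNNEL_TYPE, TUNNEL_GROUP = 2, 26, 64, 81
CISCO, AVPAIR = 9, 1   # IANA enterprise number 9; vendor type 1 = cisco-av-pair

def tlv(t, value):
    """Encode one attribute as type, length, value (length covers the 2-byte header)."""
    return bytes([t, len(value) + 2]) + value

def walk(buf):
    """Yield (type, value) pairs from a TLV run, rejecting malformed lengths."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def check_accept(pkt):
    """Summarise the voice/VLAN attributes of a raw RADIUS Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    out = {"accept": code == ACCESS_ACCEPT, "voice": False, "tunnel_vlan": False, "vlan": None}
    for t, val in walk(pkt[20:length]):          # attributes follow the 20-byte header
        if t == VSA and len(val) > 4 and struct.unpack("!I", val[:4])[0] == CISCO:
            for vt, vval in walk(val[4:]):       # Cisco sub-attributes use the same TLV shape
                if vt == AVPAIR and vval == b"device-traffic-class=voice":
                    out["voice"] = True
        elif t == TUNNEL_TYPE and len(val) == 4:
            out["tunnel_vlan"] = int.from_bytes(val[1:], "big") == 13   # 13 = VLAN
        elif t == TUNNEL_GROUP and val:
            # RFC 2868: a first byte of 0x00-0x1F is a tag, not part of the VLAN string
            out["vlan"] = (val[1:] if val[0] <= 0x1F else val).decode()
    return out

def build(attrs, code=ACCESS_ACCEPT):
    """Constructed sample packet: header, zeroed authenticator, attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: VLAN 10 is the thread's voice VLAN, 3 its LAN VLAN.
VOICE = build([tlv(VSA, struct.pack("!I", CISCO) + tlv(AVPAIR, b"device-traffic-class=voice")),
               tlv(TUNNEL_TYPE, b"\x01\x00\x00\x0d"), tlv(TUNNEL_GROUP, b"\x0110")])
DATA_ONLY = build([tlv(TUNNEL_TYPE, b"\x00\x00\x00\x0d"), tlv(TUNNEL_GROUP, b"3")])

if __name__ == "__main__":
    print(check_accept(VOICE))
    print(check_accept(DATA_ONLY))
```

The input is the UDP payload of the Access-Accept, for instance exported from a packet capture taken on the RADIUS server.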

 

mdsgnmds
Level 1

Thank you for the reply, Rodrigo! Unfortunately we do not have ISE or any other 3rd party software, we use the built-in Windows Server NPS. Additionally, we did not want to authenticate the phones in any way, just assign them the VLAN. So we went a way that is not so pretty: specifying the VLAN tag on the phones themselves.

This issue is now resolved, thank you!

Hi @mdsgnmds,

Good news that you solved your issue by specifying the VLAN tag on the phones.

I would like to add the following:

- If a device advertises itself as a Phone, the default Smartport Macro is Phone.

- If a device advertises itself as a Phone and Host, the default Smartport Macro is Phone+Desktop.

- A device (in your case Grandstream GXP2170) attaching to a port advertises itself as a Voice Endpoint through CDP and/or LLDP.

- Voice and Data VLAN configuration (just an example):
smartport switchport trunk allowed vlan add <voice_vlan>
smartport switchport trunk native vlan <native_vlan>

Hope this helps!!!

Thank you for the reply! I actually have an issue with Smartport assignment and it seems that 802.1x authentication is the culprit.

When the switch tries to apply the macro for Phone or Phone+Desktop, it fails on the step port security discard trap 60.

If I try to run the command manually on that port in CLI, the message is this: Port gi13: 802.1x Guest Enable prevents executing Lock Port Disable. So all the smartports that I connect Phones, or Phones+Laptops to are showing up as Smartport Type: Unknown. They do get the right VLANs and actually work though.

I have Classic Lock on all ports.