cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3562
Views
5
Helpful
3
Replies

IP phones don't get an IP-address with 802.1X

MH311x
Level 1
Level 1

Hi there!

We are facing some issues when trying to implement 802.1X on our Cisco IP phones.

The authentication of the phone is successful, an authentication session is created on the switch, everything seems fine.

Unfortunetaly the phone isn't able to receive an IP address after authenticating. 

 

When authenticating a fat client on the same switch, everything is working fine. It also works fine with the phone when 802.1X is disabled, so the configuration of the dhcp relay (Cisco ASA) should be fine.

 

In a trace file which I captured, the phone is sending a dhcp release after authentication and is then sending dhcp discover messages, but no response is coming back.

 

 

We are using Dynamic ARP inspection and DHCP snooping on our access switches. I found a discussion with the same problem, the solution was to turn off DAI and DHCP snooping (https://community.cisco.com/t5/security-documents/wired-dot1x-clients-cannot-get-a-dhcp-ip-address-on-a-3560/ta-p/3131853). I disabled both, but still no IP address is assigned to the phone.

 

We tried different phones and different phone models. The issue occurs on every phone.

 

Any ideas what could cause this issue?

 

 

Port Configuration:

Port.PNG

 

Successful authentication session:

AuthenticationSession.PNG

 

Greetings

Michael

1 Accepted Solution

Accepted Solutions

@MH311x have you configure the RADIUS server to include the string "device-traffic-class = voice" when successfully authorised? This VSA tells the switch that the device that just authenticated is a phone and should be allowed access to the voice VLAN.

 

When you had DHCP snooping enabled, did you have DHCP snooping trust enabled on the uplink interface (facing the DHCP server)?

 

You've got the port configure as "single-host" if you intend to connect a PC behind the phone you will need to use "multi-auth" or "multi-domain" to authenticate both devices.

View solution in original post

3 Replies 3

@MH311x have you configure the RADIUS server to include the string "device-traffic-class = voice" when successfully authorised? This VSA tells the switch that the device that just authenticated is a phone and should be allowed access to the voice VLAN.

 

When you had DHCP snooping enabled, did you have DHCP snooping trust enabled on the uplink interface (facing the DHCP server)?

 

You've got the port configure as "single-host" if you intend to connect a PC behind the phone you will need to use "multi-auth" or "multi-domain" to authenticate both devices.

@Rob Ingram no, I haven't. I have read about this, but thought this was only needed when using the multi domain mode.

Unfortunately we are not using ISE as radius server, so I'm not sure how to configure the RADIUS to include the string, but I will do some reasearch on this. ==> Will this solve the dhcp issue? Isn't the voice LAN detected via cdp?

 

Yes, the DHCP snooping trusted ports facing the dhcp server were defined (also ip arp inspection trust).

 

The single-host mode was only for the testing scenario, there is just a phone connected to the port.

 

Thanks in advance!

MH311x
Level 1
Level 1

When including the string after authentication, DHCP works fine.

 

Thanks @Rob Ingram!