3499 Views, 5 Helpful, 3 Replies

IP phones don't get an IP-address with 802.1X

MH311x (Level 1)

Hi there!

We are facing some issues when trying to implement 802.1X on our Cisco IP phones.

The authentication of the phone is successful, an authentication session is created on the switch, everything seems fine.

Unfortunately the phone isn't able to receive an IP address after authenticating.

 

When authenticating a fat client on the same switch, everything is working fine. It also works fine with the phone when 802.1X is disabled, so the configuration of the DHCP relay (Cisco ASA) should be fine.

 

In a trace file which I captured, the phone is sending a DHCP release after authentication and is then sending DHCP discover messages, but no response is coming back.

 

 

We are using Dynamic ARP inspection and DHCP snooping on our access switches. I found a discussion with the same problem, the solution was to turn off DAI and DHCP snooping (https://community.cisco.com/t5/security-documents/wired-dot1x-clients-cannot-get-a-dhcp-ip-address-on-a-3560/ta-p/3131853). I disabled both, but still no IP address is assigned to the phone.

 

We tried different phones and different phone models. The issue occurs on every phone.

 

Any ideas what could cause this issue?

 

 

Port Configuration:

[image: Port.PNG]

 

Successful authentication session:

[image: AuthenticationSession.PNG]

 

Greetings

Michael

Accepted Solution (reply by Rob Ingram)

@MH311x have you configured the RADIUS server to include the string "device-traffic-class = voice" when successfully authorised? This VSA tells the switch that the device that just authenticated is a phone and should be allowed access to the voice VLAN.

 

When you had DHCP snooping enabled, did you have DHCP snooping trust enabled on the uplink interface (facing the DHCP server)?

 

You've got the port configured as "single-host"; if you intend to connect a PC behind the phone you will need to use "multi-auth" or "multi-domain" to authenticate both devices.

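Since Michael is not running ISE, a practical way to confirm what the RADIUS server is actually handing back is to decode the Access-Accept's Vendor-Specific attributes and look for the Cisco-AVPair that Rob Ingram describes above. The Python below is an added example written for this thread, not code from Cisco, from the poster or from any RADIUS product. It assumes the standard RADIUS VSA layout (attribute type 26, a 4-byte vendor ID, then vendor-type / vendor-length / value), Cisco's enterprise number 9 and Cisco-AVPair vendor-type 1; the attribute lists it parses are constructed inline for the example rather than captured from the poster's network.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RADIUS attribute type for Vendor-Specific (RFC 2865)
CISCO_VENDOR_ID = 9           # IANA enterprise number used by Cisco VSAs
CISCO_AVPAIR_TYPE = 1         # vendor-type of the Cisco-AVPair sub-attribute


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type(1) length(1) value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute carrying a single vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attribute(RADIUS_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def encode_cisco_avpair(avpair: str) -> bytes:
    """Encode a Cisco-AVPair string such as 'device-traffic-class=voice'."""
    return encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, avpair.encode("ascii"))


def iter_attributes(attrs: bytes):
    """Yield (type, value) from a RADIUS attribute list (the bytes after the 20-byte header)."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        yield atype, attrs[i + 2:i + alen]
        i += alen


def cisco_avpairs(attrs: bytes) -> list:
    """Return every Cisco-AVPair string found in the attribute list, ignoring other vendors."""
    pairs = []
    for atype, value in iter_attributes(attrs):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(value):            # walk the vendor sub-attributes
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                break                         # malformed sub-attribute; stop parsing this VSA
            if vtype == CISCO_AVPAIR_TYPE:
                pairs.append(value[j + 2:j + vlen].decode("ascii", "replace"))
            j += vlen
    return pairs


def authorizes_voice_domain(attrs: bytes) -> bool:
    """True when the Access-Accept carries device-traffic-class=voice (spaces around '=' tolerated)."""
    for pair in cisco_avpairs(attrs):
        key, _, val = pair.partition("=")
        if key.strip().lower() == "device-traffic-class" and val.strip().lower() == "voice":
            return True
    return False


# Constructed sample attribute lists (not captured from the thread's network).
# 'SEP001122334455' is a made-up phone identity in the usual SEP+MAC style.
ACCEPT_WITHOUT_VSA = encode_attribute(1, b"SEP001122334455")           # User-Name only
ACCEPT_WITH_VSA = ACCEPT_WITHOUT_VSA + encode_cisco_avpair("device-traffic-class=voice")
OTHER_VENDOR_VSA = encode_vsa(311, 1, b"not-a-cisco-attribute")        # vendor 311 = Microsoft

if __name__ == "__main__":
    for name, attrs in [("without VSA", ACCEPT_WITHOUT_VSA),
                        ("with VSA", ACCEPT_WITH_VSA),
                        ("other vendor", OTHER_VENDOR_VSA)]:
        print(f"{name:13s} avpairs={cisco_avpairs(attrs)} voice={authorizes_voice_domain(attrs)}")
```

Feed `authorizes_voice_domain()` the attribute bytes of an Access-Accept taken from a capture between the switch and the RADIUS server; an Accept that authenticates fine but returns `False` here is exactly the situation in this thread, where the session comes up but the phone never lands in the voice domain. The parser skips non-Cisco VSAs and tolerates spaces around the `=`, so the spaced form quoted in the accepted answer matches as well.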

3 Replies


@Rob Ingram no, I haven't. I have read about this, but thought this was only needed when using the multi-domain mode.

Unfortunately we are not using ISE as RADIUS server, so I'm not sure how to configure the RADIUS to include the string, but I will do some research on this. ==> Will this solve the DHCP issue? Isn't the voice VLAN detected via CDP?

 

Yes, the DHCP snooping trusted ports facing the DHCP server were defined (also ip arp inspection trust).

 

The single-host mode was only for the testing scenario, there is just a phone connected to the port.

 

Thanks in advance!

MH311x (Level 1)

When including the string after authentication, DHCP works fine.

 

Thanks @Rob Ingram!