cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1392
Views
9
Helpful
6
Replies

Unable to see MAC address of IP Phone in ISE

dgaikwad
Contributor
Contributor

Hi All,


Been configuring the HP 5130 switch with ISE.

I am able to get the normal Dot1X authentication working fine.


Now when I am configuring the switch to do a MAB, using the Cisco IP phone.

What I see that is, the phone gets registered, but there are no traces of it the live logs on ISE.


Also, if I connect a computer via the phone, I can see that computer MAC address and other details in the live logs just fine.


Following is the setup:

ISE ver 2.3.0.298 patch 3

Switch Hp H3C Comware 7


Port config:

interface GigabitEthernet1/0/4

port link-type hybrid

undo port hybrid vlan 1

port hybrid vlan 230 untagged

port hybrid pvid vlan 230

voice-vlan 260 enable

mac-vlan enable

undo stp enable

stp edged-port

port bridge enable

poe enable

dot1x

undo dot1x handshake

dot1x handshake reply enable

dot1x mandatory-domain ciscoise

undo dot1x multicast-trigger

dot1x unicast-trigger

mac-authentication max-user 5

mac-authentication domain ciscoise

mac-authentication timer auth-delay 15

mac-authentication host-mode multi-vlan

mac-authentication parallel-with-dot1x


Any idea what could be going on here?

1 Accepted Solution

Accepted Solutions

It sounds like the switch is performing a CDP or LLDP bypass like function.  The CDP Bypass function that was introduced by Cisco many years ago basically uses CDP to detect phone and authorize it to the Voice VLAN without authorization.  We no longer recommend its use since it bypasses (as name suggests) authentication so you will not get record of it in the Live log.  If HP switch is performing a similar function, then it will bypass RADIUS auth.

View solution in original post

6 Replies 6

gbekmezi-DD
Contributor
Contributor

Maybe these could help?

https://community.hpe.com/t5/Switches-Hubs-and-Modems/MAC-amp-802-1x-on-the-same-network/td-p/4620649

https://networkguy.de/?p=1649

Do you need this?

port-security port-mode userlogin-secure-or-mac-ext

I’d do a tcpdump on the psn to see if the switch is sending any radius requests when the phone connects (is it even attempting man?).

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.

It sounds like the switch is performing a CDP or LLDP bypass like function.  The CDP Bypass function that was introduced by Cisco many years ago basically uses CDP to detect phone and authorize it to the Voice VLAN without authorization.  We no longer recommend its use since it bypasses (as name suggests) authentication so you will not get record of it in the Live log.  If HP switch is performing a similar function, then it will bypass RADIUS auth.

Was able to resolve it.

As pointed out chyps, the switch was running LLDP.
Disabled it and then was able to get the MAC addresses of the IP phones connected to this HP switch.

Thank you!

Disabled LLDP.

Was able to see the MAC addresses of the phone in ISE.

Dinesh

Glad that you were able to confirm LLDP "bypass" was the culprit.  Of course, profiling will not be able to use LLDP for profiling although DHCP is usuallty sufficient for phones.  I would check with HPE to see if option to disable the bypass function so that you can continue to leverage LLDP and phone auth.

That would be really great!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers