Solved: Unable to see MAC address of IP Phone in ISE

dgaikwad · ‎06-19-2018

Hi All,

Been configuring the HP 5130 switch with ISE.

I am able to get the normal Dot1X authentication working fine.

Now when I am configuring the switch to do a MAB, using the Cisco IP phone.

What I see that is, the phone gets registered, but there are no traces of it the live logs on ISE.

Also, if I connect a computer via the phone, I can see that computer MAC address and other details in the live logs just fine.

Following is the setup:

ISE ver 2.3.0.298 patch 3

Switch Hp H3C Comware 7

Port config:

interface GigabitEthernet1/0/4

port link-type hybrid

undo port hybrid vlan 1

port hybrid vlan 230 untagged

port hybrid pvid vlan 230

voice-vlan 260 enable

mac-vlan enable

undo stp enable

stp edged-port

port bridge enable

poe enable

dot1x

undo dot1x handshake

dot1x handshake reply enable

dot1x mandatory-domain ciscoise

undo dot1x multicast-trigger

dot1x unicast-trigger

mac-authentication max-user 5

mac-authentication domain ciscoise

mac-authentication timer auth-delay 15

mac-authentication host-mode multi-vlan

mac-authentication parallel-with-dot1x

Any idea what could be going on here?

Craig Hyps · ‎06-21-2018

It sounds like the switch is performing a CDP or LLDP bypass like function. The CDP Bypass function that was introduced by Cisco many years ago basically uses CDP to detect phone and authorize it to the Voice VLAN without authorization. We no longer recommend its use since it bypasses (as name suggests) authentication so you will not get record of it in the Live log. If HP switch is performing a similar function, then it will bypass RADIUS auth.

View solution in original post

gbekmezi-DD · ‎06-20-2018

Maybe these could help?

https://community.hpe.com/t5/Switches-Hubs-and-Modems/MAC-amp-802-1x-on-the-same-network/td-p/4620649

https://networkguy.de/?p=1649

Do you need this?

port-security port-mode userlogin-secure-or-mac-ext

I’d do a tcpdump on the psn to see if the switch is sending any radius requests when the phone connects (is it even attempting man?).

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.

Craig Hyps · ‎06-21-2018

It sounds like the switch is performing a CDP or LLDP bypass like function. The CDP Bypass function that was introduced by Cisco many years ago basically uses CDP to detect phone and authorize it to the Voice VLAN without authorization. We no longer recommend its use since it bypasses (as name suggests) authentication so you will not get record of it in the Live log. If HP switch is performing a similar function, then it will bypass RADIUS auth.

dgaikwad · ‎06-21-2018

Was able to resolve it.

As pointed out chyps, the switch was running LLDP.
Disabled it and then was able to get the MAC addresses of the IP phones connected to this HP switch.

dgaikwad · ‎06-21-2018

Thank you!

Disabled LLDP.

Was able to see the MAC addresses of the phone in ISE.

Dinesh

Craig Hyps · ‎06-21-2018

Glad that you were able to confirm LLDP "bypass" was the culprit. Of course, profiling will not be able to use LLDP for profiling although DHCP is usuallty sufficient for phones. I would check with HPE to see if option to disable the bypass function so that you can continue to leverage LLDP and phone auth.

dgaikwad · ‎06-21-2018

That would be really great!