netlogin mac authentication and lldp issue

  • Problem
  • Updated 2 years ago
  • Solved
Hello.


I have a customer with Cisco infrastructure and Microsoft NPS RADIUS, and they are using MAC authentication (MAB) for the Cisco phones. I'm running some tests with a Summit X460-G2.

I have netlogin configured on port 1 to authenticate an IP phone using MAC authentication and a PC using 802.1X authentication. Initially both devices (PC and IP phone) get authenticated and authorized with a dynamic VLAN. The voice VLAN is tagged and LLDP (TLVs) is set for the switch to recognize the IP phone and place voice traffic in the correct VLAN.

#

configure netlogin vlan Auth

enable netlogin dot1x mac

configure netlogin authentication protocol-order dot1x mac web-based

configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48

enable netlogin ports 1,3-5,7,9,11-19 dot1x

enable netlogin ports 1,3-5,7,9,11-19 mac

configure netlogin ports 1 mode mac-based-vlans

configure netlogin ports 1 no-restart

#

configure lldp port 1 advertise system-capabilities

configure lldp port 1 advertise vendor-specific med capabilities

configure lldp port 1 advertise vendor-specific med power-via-mdi

configure lldp port 1 advertise vendor-specific dot1 port-protocol-vlan-id vlan VOIP_OPT

configure lldp port 1 advertise vendor-specific dot1 vlan-name vlan VOIP_OPT

configure lldp port 1 advertise vendor-specific med policy application voice vlan VOIP_OPT dscp 46

 

The problem is that when, for some reason, the IP phone is disconnected and reconnected (port down/up), both devices authenticate again, but the IP phone is not recognized (LLDP) by the switch and doesn't receive an IP address. The IP phone is recognized and works again after I re-enter the following commands, even though they are already present in the configuration:

 

configure lldp port 1 advertise vendor-specific dot1 port-protocol-vlan-id vlan VOIP_OPT

configure lldp port 1 advertise vendor-specific dot1 vlan-name vlan VOIP_OPT

configure lldp port 1 advertise vendor-specific med policy application voice vlan VOIP_OPT dscp 46

Vitor Barreiro

Posted 2 years ago


Jeremy, Embassador

Does Cisco require a certain LLDP transmit interval?

Vitor Barreiro

Cisco? The IP phone?

Tyler Marcotte, Official Rep

Have you tried configuring NPS to assign the VLAN for the IP phone rather than relying on LLDP to assign it? The only thing I can think of off the top of my head is that during authentication the LLDP is not passing through for some reason.

This may be a good case to open with GTAC to help troubleshoot live if you can.

Vitor Barreiro

Thank you, Tyler. I am opening a case with GTAC to get more help.