Network Login 802.1x with Mitel phone 6865i and X440 fails because of a link down

  • Problem
  • Updated 2 years ago
  • Solved
Environment : EXOS X440-48P version 15.6.3.1 patch 1-5, X150-24t version 12.6.5.2,
Mitel phones Mitel 6865i version 4.0.0.2031, FreeRADIUS, DHCP server
LLDP is not configured on the switches and the phones VLAN is dynamically created on the switches after the phones are authenticated

As you can see below, the process is successful with X150-24t

08:24:38.44 <Info:nl.ClientAuthenticated> Network Login 802.1x user AuthUser logged in MAC XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE", authentication Radius
08:24:37.83 <Info:vlan.msgs.portLinkStateUp> port 15 link UP at speed 100 Mbps and full-duplex
08:24:36.18 <Info:nl.ClientLinkDown> Network Login user AuthUser cleared due to link down event, Mac XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE"
08:24:36.18 <Info:vlan.msgs.portLinkStateDown> port 15 link down
08:24:32.55 <Info:nl.ClientAuthenticated> Network Login 802.1x user AuthUser logged in MAC XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE", authentication Radius
08:24:03.64 <Info:vlan.msgs.portLinkStateUp> port 15 link UP at speed 100 Mbps and full-duplex
08:23:25.44 <Info:vlan.msgs.portLinkStateUp> Port 24 link UP at speed 100 Mbps and full-duplex
08:23:08.62 <Info:vlan.msgs.portLinkStateDown> port 15 link down
08:23:08.56 <Info:vlan.msgs.portLinkStateUp> port 15 link UP at speed 100 Mbps and full-duplex


With X440-48P, the process failed after the link down

09:15:11.01 <Info:vlan.msgs.portLinkStateUp> port 15 link UP at speed 1 Gbps and full-duplex
09:15:08.18 <Info:nl.ClientLinkDown> Network Login user AuthUser cleared due to link down event, Mac XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE"
09:15:08.17 <Info:vlan.msgs.portLinkStateDown> port 15 link down
09:15:02.92 <Info:nl.ClientAuthenticated> Network Login 802.1x user AuthUser logged in MAC XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE", authentication Radius
09:14:36.76 <Info:vlan.msgs.portLinkStateUp> port 15 link UP at speed 1 Gbps and full-duplex
09:14:36.45 <Noti:POE.port_delivering> port 15 is delivering power

Can you help in finding an issue for X440, many thanks.

ColoCopa
Claude COPAVER

Posted 3 years ago
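
The two log excerpts in the post above differ in one way: on the X150 a `nl.ClientAuthenticated` event follows the link bounce, on the X440 none does. The following is an added example, not part of the original post and not Extreme tooling, that finds such ports in an EXOS log export; the function names are hypothetical and the sample lines are copied from the post.

```python
import re
from datetime import datetime

# Constructed samples: log lines copied from the post (newest first, MAC masked).
SAMPLE_X440 = """\
09:15:11.01 <Info:vlan.msgs.portLinkStateUp> port 15 link UP at speed 1 Gbps and full-duplex
09:15:08.18 <Info:nl.ClientLinkDown> Network Login user AuthUser cleared due to link down event, Mac XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE"
09:15:08.17 <Info:vlan.msgs.portLinkStateDown> port 15 link down
09:15:02.92 <Info:nl.ClientAuthenticated> Network Login 802.1x user AuthUser logged in MAC XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE", authentication Radius
09:14:36.76 <Info:vlan.msgs.portLinkStateUp> port 15 link UP at speed 1 Gbps and full-duplex
"""
SAMPLE_X150 = """\
08:24:38.44 <Info:nl.ClientAuthenticated> Network Login 802.1x user AuthUser logged in MAC XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE", authentication Radius
08:24:37.83 <Info:vlan.msgs.portLinkStateUp> port 15 link UP at speed 100 Mbps and full-duplex
08:24:36.18 <Info:nl.ClientLinkDown> Network Login user AuthUser cleared due to link down event, Mac XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE"
08:24:36.18 <Info:vlan.msgs.portLinkStateDown> port 15 link down
08:24:32.55 <Info:nl.ClientAuthenticated> Network Login 802.1x user AuthUser logged in MAC XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE", authentication Radius
08:24:03.64 <Info:vlan.msgs.portLinkStateUp> port 15 link UP at speed 100 Mbps and full-duplex
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d\d) <\w+:([\w.]+)> .*?\bport (\d+)\b", re.I)

def parse(text):
    """Return (timestamp, event name, port) tuples in chronological order."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            events.append((ts, m.group(2), int(m.group(3))))
    return sorted(events, key=lambda e: e[0])

def stalled_ports(events):
    """Ports whose 802.1X session was cleared by a link-down event and whose
    link came back without a later nl.ClientAuthenticated in the log."""
    state = {}  # port -> "cleared" or "link_back"
    for _ts, event, port in events:
        if event == "nl.ClientLinkDown":
            state[port] = "cleared"
        elif event == "vlan.msgs.portLinkStateUp" and state.get(port) == "cleared":
            state[port] = "link_back"
        elif event == "nl.ClientAuthenticated":
            state.pop(port, None)  # session re-established, port is healthy
    return sorted(p for p, s in state.items() if s == "link_back")

if __name__ == "__main__":
    print("X440 stalled:", stalled_ports(parse(SAMPLE_X440)))
    print("X150 stalled:", stalled_ports(parse(SAMPLE_X150)))
```

A port is reported only when the log shows the link returning; a log that ends right after the link-up cannot distinguish a slow re-authentication from a stalled one.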

Stephen Williams, Employee

Does the link go down because the phone is rebooting to send tagged traffic in VLAN v-voice? 

Also I would check the netlogin detail configuration to make sure they are configured the same.  "show conf netlogin detail"
Claude COPAVER

The link goes down but the phone never reboots. After the Network Login user AuthUser cleared due to link down, the phone makes a router solicitation and goes to an endless DHCP discover.

Here are the netlogin details

For X440
NetLogin Authentication Mode : web-based DISABLED;  802.1x ENABLED;  mac-based DISABLED
NetLogin VLAN                : "auth_dot1x"
NetLogin move-fail-action    : Deny

------------------------------------------------
        802.1x Mode Global Configuration
------------------------------------------------
Quiet Period                    : 60
Supplicant Response Timeout     : 30
Re-authentication period        : 7200
Max Re-authentications          : 3
RADIUS server timeout           : 30
EAPOL MPDU version to transmit  : v1
------------------------------------------------

For X150
NetLogin Authentication Mode : web-based DISABLED;  802.1x ENABLED;  mac-based DISABLED
NetLogin VLAN                : "auth_dot1x"
NetLogin move-fail-action    : Deny

------------------------------------------------
        802.1x Mode Global Configuration
------------------------------------------------
Quiet Period                    : 60
Supplicant Response Timeout     : 30
Re-authentication period        : 7200
Max Re-authentications          : 3
RADIUS server timeout           : 30
EAPOL MPDU version to transmit  : v1
------------------------------------------------
Claude COPAVER

In addition, the VLAN V_VOICE is configured on the phone in a separate operation. The phone is connected to a switch that doesn't run 802.1X and obtains for the first time its config files from an FTP server after a DHCP process.
Kevin Kim, Employee

You could also verify if the IP phone sends an EAPoL start to the switch after the link comes up again by checking the log counter, configuring an additional log event, or mirroring EAPOL packets on the port to the IP phone.

show log counters "nl.dot1x.eapolPktRcvd" 

enable log debug-mode 
configure log filter "DefaultFilter" add events "nl.dot1x.eapolPktRcvd"  
Kevin Kim, Employee

It sounds to me like the phone itself bounces the link since the problem appears to happen even when the auto-negotiation is off only on the switch side.
Stephen Williams, Employee

Kevin,  I agree.  I think the EXOS 12.6 behavior is wrong but it prevented you from seeing this issue.
We finally discovered the main problem behind this:

We have netlogin 802.1x and dynamic VLAN assignment.
We assigned the tagged VLAN with the FreeRADIUS dictionary Extreme-Netlogin-Extended-Vlan = Tvoicevlan.

When an 802.1q-tagged packet arrives on a port that does not have the same 802.1q tag open on the port, it is dropped directly without being sent to the 802.1x process (which normally opens this tagged port).
If the switch port is open with the tagged VLAN (conf vlan voicevlan add port tagged), when a packet arrives on the port, the 802.1q process validates the packet and passes it to the second process, 802.1x, which sends an EAP Request Identity.

To summarize, the 802.1q validation process comes before the 802.1x validation process.
If the 802.1x validation process came before the 802.1q validation process, we would not have any issue, because the 802.1x process would open the right 802.1q tagged port...

This can be simulated with two Extreme Networks switches: one trying to "speak" with tagged packets on a port of the second switch, without the tag on the port. The second switch will never send the EAP Request Identity.
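
The ordering described in the post above, as an added example that is not part of the original post and is not EXOS code: it builds an EAPOL-Start frame (EAPOL version 1, as in the netlogin configuration shown earlier), optionally 802.1Q-tagged, and runs it through a simplified model of the port. VLAN ID 100, the source MAC and the function names are constructed for illustration.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
DOT1Q_TPID = 0x8100
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address

def eapol_start(src_mac, vlan_id=None):
    """Build an EAPOL-Start frame (version 1, type 1, body length 0),
    with an 802.1Q tag in front of the EtherType when vlan_id is given."""
    tag = struct.pack("!HH", DOT1Q_TPID, vlan_id) if vlan_id is not None else b""
    eapol = struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, 1, 0)
    return PAE_GROUP_MAC + src_mac + tag + eapol

def parse_frame(frame):
    """Return (vlan_id or None, ethertype) for an Ethernet frame."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == DOT1Q_TPID:
        tci, etype = struct.unpack_from("!HH", frame, 14)
        return tci & 0x0FFF, etype  # low 12 bits of the TCI are the VLAN ID
    return None, etype

def ingress(frame, tagged_vlans, dot1q_first=True):
    """Simplified model of the port. dot1q_first=True is the order the post
    reports; dot1q_first=False is the hypothetical order it wishes for."""
    vlan, etype = parse_frame(frame)
    if dot1q_first and vlan is not None and vlan not in tagged_vlans:
        return "dropped by 802.1Q filter"   # never reaches the authenticator
    if etype == EAPOL_ETHERTYPE:
        return "EAP Request Identity sent"  # authenticator answers the start
    return "not EAPOL"

if __name__ == "__main__":
    phone = bytes.fromhex("020000000001")   # constructed, locally administered MAC
    tagged = eapol_start(phone, vlan_id=100)
    print(ingress(tagged, tagged_vlans=set()))             # port has no tagged VLAN
    print(ingress(tagged, tagged_vlans={100}))             # VLAN added as tagged
    print(ingress(eapol_start(phone), tagged_vlans=set())) # untagged EAPOL-Start
```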
Claude COPAVER

I agree. But this is the result when the switch port bounces. The question is, why does the switch port bounce when the IP phone port is set to auto-negotiation?
Is it because in auto-negotiation mode, the maximum speed is 100 Mbps for the switch port 10/100/1000 Mbps? Is it because of the IP phone?
Kevin Kim, Employee

It appears that the IP phone somehow drops the link on a tri-speed auto-nego port based on the fact that a link bounce occurs as long as the IP phone port has auto-nego turned on (while a switch port has auto-nego off).