This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Wireless
- ExtremeWireless (General)
- RE: Network Login 802.1x with Mitel phone 6865i an...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Network Login 802.1x with Mitel phone 6865i and X440 fails because of a link down
Network Login 802.1x with Mitel phone 6865i and X440 fails because of a link down
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
05-12-2016 12:19 PM
Environment : EXOS X440-48P version 15.6.3.1 patch 1-5, X150-24t version 12.6.5.2,
Mitel phones Mitel 6865i version 4.0.0.2031, FreeRADIUS, DHCP server
LLDP is not configured on the switches and the phones VLAN is dynamicaly created on the switches after the phones are authenticated
As you can see below,the proccess is succesfull with X150-24t
08:24:38.44 Network Login 802.1x user AuthUser logged in MAC XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE", authentication Radius
08:24:37.83 port 15 link UP at speed 100 Mbps and full-duplex
08:24:36.18 Network Login user AuthUser cleared due to link down event, Mac XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE"
08:24:36.18 port 15 link down
08:24:32.55 Network Login 802.1x user AuthUser logged in MAC XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE", authentication Radius
08:24:03.64 port 15 link UP at speed 100 Mbps and full-duplex
08:23:25.44 Port 24 link UP at speed 100 Mbps and full-duplex
08:23:08.62 port 15 link down
08:23:08.56 port 15 link UP at speed 100 Mbps and full-duplex
With X440-48P,the proccess failed after the link down
09:15:11.01 port 15 link UP at speed 1 Gbps and full-duplex
09:15:08.18 Network Login user AuthUser cleared due to link down event, Mac XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE"
09:15:08.17 port 15 link down
09:15:02.92 Network Login 802.1x user AuthUser logged in MAC XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE", authentication Radius
09:14:36.76 port 15 link UP at speed 1 Gbps and full-duplex
09:14:36.45 port 15 is delivering power
Can you help in finding an issue for X440, many thanks.
ColoCopa
Mitel phones Mitel 6865i version 4.0.0.2031, FreeRADIUS, DHCP server
LLDP is not configured on the switches and the phones VLAN is dynamicaly created on the switches after the phones are authenticated
As you can see below,the proccess is succesfull with X150-24t
08:24:38.44 Network Login 802.1x user AuthUser logged in MAC XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE", authentication Radius
08:24:37.83 port 15 link UP at speed 100 Mbps and full-duplex
08:24:36.18 Network Login user AuthUser cleared due to link down event, Mac XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE"
08:24:36.18 port 15 link down
08:24:32.55 Network Login 802.1x user AuthUser logged in MAC XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE", authentication Radius
08:24:03.64 port 15 link UP at speed 100 Mbps and full-duplex
08:23:25.44 Port 24 link UP at speed 100 Mbps and full-duplex
08:23:08.62 port 15 link down
08:23:08.56 port 15 link UP at speed 100 Mbps and full-duplex
With X440-48P,the proccess failed after the link down
09:15:11.01 port 15 link UP at speed 1 Gbps and full-duplex
09:15:08.18 Network Login user AuthUser cleared due to link down event, Mac XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE"
09:15:08.17 port 15 link down
09:15:02.92 Network Login 802.1x user AuthUser logged in MAC XX:XX:XX:XX:XX:XX port 15 VLAN(s) "V_VOICE", authentication Radius
09:14:36.76 port 15 link UP at speed 1 Gbps and full-duplex
09:14:36.45
Can you help in finding an issue for X440, many thanks.
ColoCopa
20 REPLIES 20
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
05-12-2016 08:56 PM
We finaly discover the main problem of this :
We have netlogin 802.1x and dynamic vlan assignment.
We assigned tagged vlan with the FreeRadius dictionnary Extreme-Netlogin-Extended-Vlan = Tvoicevlan.
When a packet with tagged 802.1q arrived on a port without the same 802.1q tagged open on the port, is dropped directly without sending the packet to the 802.1x process (which normaly open this tagged port).
If the switch port is open with the tagged vlan (conf vlan voicevlan add port tagged), when a packet arrived on port, the 802.1q process validate the packet and pass to the second process 802.1x which send a EAP Request Identity.
To resume, the 802.1q validation process is before the 802.1x validation process.
If the 802.1x validation process is before 802.1q validation process, we will not have any issue, because the 802.1x process will open the good 802.1q tagged port...
This can be simulate with two Extreme Network switch. One trying to "speak" with tagged packet on a port of the second switch, without the tag on the port. Never the second switch will send the EAP request identity.
We have netlogin 802.1x and dynamic vlan assignment.
We assigned tagged vlan with the FreeRadius dictionnary Extreme-Netlogin-Extended-Vlan = Tvoicevlan.
When a packet with tagged 802.1q arrived on a port without the same 802.1q tagged open on the port, is dropped directly without sending the packet to the 802.1x process (which normaly open this tagged port).
If the switch port is open with the tagged vlan (conf vlan voicevlan add port tagged), when a packet arrived on port, the 802.1q process validate the packet and pass to the second process 802.1x which send a EAP Request Identity.
To resume, the 802.1q validation process is before the 802.1x validation process.
If the 802.1x validation process is before 802.1q validation process, we will not have any issue, because the 802.1x process will open the good 802.1q tagged port...
This can be simulate with two Extreme Network switch. One trying to "speak" with tagged packet on a port of the second switch, without the tag on the port. Never the second switch will send the EAP request identity.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
05-12-2016 08:56 PM
Kevin, I agree. I think the EXOS 12.6 behavior is wrong but it prevented you from seeing this issue.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
05-12-2016 08:56 PM
It sounds to me like the phone itself bounces the link since the problem appears to happen even when the auto-negotiation is off only in the switch side.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
05-12-2016 08:56 PM
Yes you understand the problem correctly.
However, with auto-negotiation turn off or the port speed fixed, a link bounce occures and the switch clears the existing authentication state.
The link never bounces when both swicth port and phone port are manually set or only the phone port is manually set.
However, with auto-negotiation turn off or the port speed fixed, a link bounce occures and the switch clears the existing authentication state.
The link never bounces when both swicth port and phone port are manually set or only the phone port is manually set.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
05-12-2016 08:56 PM
I hope I understand the problem correctly. When a link bounces, it's the expected behavior that a switch clears the existing authentication state and waits for a new EAPoL start packet to reauthenticate from a supplicant. If you see an unexpected link bounce occur on an auto-nogotiated port and somehow the ip phone not send EAPoL start packets to the switch at this point, I would turn off auto-negotiation on a port to prevent an unexpected link bounce. Or, I would fix the port speed to a desired one along with auto-negotiation.
# configure ports 5 auto on speed 1000 duplex full
# configure ports 5 auto on speed 1000 duplex full
