
Polycom VVX phones on an 802.1x EAP Enabled Switch fail to obtain DHCP IP address

SOLVED
Advisor

Polycom VVX phones on an 802.1x EAP Enabled Switch fail to obtain DHCP IP address

I am trying to find out the answer to this issue. I have version 5.5.1 running on a VVX 411 and am able to authenticate the phone against my RADIUS server using EAP-MSCHAPv2 authentication.

 

The RADIUS server is set up to auto-assign the VLAN ID back to the Avaya switch. I have run multiple traces and can confirm that the phone is authenticated and placed into the correct VLAN.

 

All devices start in a static VLAN and if they fail authentication they can be remediated from there. I don't even see the MAC of the phone show up in the 'staging' DHCP scope. 

 

The DHCP server never receives the DHCP request after the EAP portion is complete. I have also plugged a Windows 10 laptop into the PC port on the phone, and it will authenticate correctly and does obtain an IP address.

 

I have no DHCP issues if I disable EAPoL authentication on the switch and manually place the phone in the VLAN.

 

During my research I found out that the supplicant on the phone is 802.1x-2004, and older code revs from Avaya only supported 802.1x-2001.

 

The code rev I have running on my ERS 5632 is 6.6.3 and has 2004 support.

 

Any idea why the phone is unable to obtain a DHCP IP after it is flipped into a new VLAN? 

Message 1 of 20
19 REPLIES
Advisor

Re: Polycom VVX phones on an 802.1x EAP Enabled Switch fail to obtain DHCP IP address

Since the post, I have done some more troubleshooting on this. 

 

It seems that the phone has an issue understanding what VLAN it was placed into after the successful EAP authentication. I manually set the VLAN ID on the phone to 620, left it as DHCP and then re-tried the 802.1x authentication.

 

It finally worked and the VVX was able to get an IP address from the DHCP server. 

 

 

172.28.104.36    64:16:7f:08:11:77  dynamic  2016-12-23 14:13:04 MST

 

Is there another way to get the VLAN ID to be assigned to the phone, in this 802.1x scenario, without having to resort to manually entering it?  

 

 

Message 2 of 20
Polycom Employee & Community Manager

Re: Polycom VVX phones on an 802.1x EAP Enabled Switch fail to obtain DHCP IP address

Hello SR_MCSE,

welcome to the Polycom Community.

The community's VoIP FAQ contains this post here:

Jul 10, 2013 Question: How can I use VLAN's with Polycom phones?

Resolution: Please check => here <=

 

and

 

Aug 24, 2015 Question: What basic network data is sent and received by a Polycom phone?

Resolution: Please check this post => here <=


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

Please be aware:

The purpose of these forums is to allow community members collaborate and help each other.
Questions posted here do not follow Polycom’s SLA guidelines.
If you require assistance from Polycom technical support, please open a
web service request or call us .

The above is necessary in order to track issue internally within Polycom.

You are welcome to post more questions or configuration or logs for other community members to look at but if your issue requires a fix via Polycom you must go via the official support structure.

Please ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's

Please remember, if you see a post that helped you , and it answers your question, please mark it as an "Accept as Solution".

This forum reply or post is based upon my personal experience and does not reflect the opinion or view of my employer.
Polycom employee participation within this community is not mandatory and any post or FAQ article provided by myself is done either during my working hours or outside working hours, in my private time, and may be answered on weekends, bank holidays or personal holidays.
Message 3 of 20
Advisor

Re: Polycom VVX phones on an 802.1x EAP Enabled Switch fail to obtain DHCP IP address

In a dynamic VLAN assignment scenario, where the VLAN ID is being sent back from the RADIUS policy server after a successful 802.1x authentication, will the DHCP option 128, or 144, or 191 VLAN assignment work? 

 

In my scenario, each floor I have in my office building has 2 /24 network subnets assigned on 2 separate VLANs. 1 for Data and 1 for Voice. I QoS the voice vlan based on VLAN ID and also use the subnet information for 911 call tracking. 

 

Setting a static VLAN ID in the configuration could be problematic if the phone is moved to a different floor or different building. The VLAN ID would then need to be manually changed in the phone configuration file. 

 

One thought I had was to create a small 'staging' VLAN per floor with a small DHCP scope, into which all devices are placed by default before they are processed by EAP or MAC-based authentication. Within this DHCP scope would be the DHCP option to tell the phone the correct VLAN-A=xxx; information.

 

Any idea if this would solve my issue?

 

 

Message 4 of 20
Frequent Advisor

Re: Polycom VVX phones on an 802.1x EAP Enabled Switch fail to obtain DHCP IP address

Hi,

 

We have exactly the same problem.

802.1x is enabled from the provisioning server. 802.1X works. The switch port goes to the right VLAN, but DHCP failed on the VVX.

 

We have tried changing the VLAN parameter to set it manually (it's not a solution) and it doesn't work any better.

 

What is the solution to have 802.1X and dynamic VLAN attribution work with VVX phones?

Message 5 of 20
Polycom Employee & Community Manager

Re: Polycom VVX phones on an 802.1x EAP Enabled Switch fail to obtain DHCP IP address

Hello SR_MCSE and Doum

Simply replicate this and get us the logs and a wireshark.

 

In order to raise a support ticket you need to work with your Polycom reseller as they need to do this for you.

If this is some sort of an Internet discounter please post either your phone's MAC address or your Polycom devices serial so I can look up who would be able to support you.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

Message 6 of 20
Advisor

Re: Polycom VVX phones on an 802.1x EAP Enabled Switch fail to obtain DHCP IP address

I ended up using 802.1x EAPoL authentication for my phone deployment. 

 

I set up my switch ports for 802.1x and pointed my switches to a RADIUS server, in this case NPS.

 

My ports are set up to be untagall, and also not a member of any VLAN; however, the default VLAN ID is 1. EAP is set up to allow dynamic VLAN assignment. Depending on your switch manufacturer, this will differ.

 

My phones are set up to use EAP-PEAP authentication, using a root certificate and AD credentials preloaded on the phone during the initial provisioning process.

 

When the phone EAP supplicant starts the authentication process, the 802.1x policy is validated and the VLAN ID is assigned to the port. The default VLAN ID remains at 1; however, for example, the port is assigned to VLAN 10.

 

I also use the PC port on the phone for my 802.1x authenticated corporate computers. It runs through the same RADIUS process and the computer/laptop is assigned a different VLAN ID. The default VLAN ID remains at 1; however, for example, the port is assigned to VLAN 20.

 

Just make sure that the VLANs are defined on your switch, remove all access ports from VLAN 1, and add the VLANs to your tagged uplink port(s) to your core router(s). If the DHCP server is remote, then confirm that your DHCP relay settings work.

 

This method resolved my issue. 

 

In a previous VoIP implementation using Nortel phones, we didn't use 802.1x; however, we did use information in the DHCP scopes to flip the phones from an initial VLAN into another. We did have to set the ports for untagPvidOnly.

 

I attempted to use the same model, however found that if the PC was placed into a specific VLAN and the VLAN ID was set to the PC VLAN ID, the phone would go into the VoIP VLAN, however it was not able to communicate. I think this is the same issue you are seeing. 

 

I will admit that it took a bit of time to craft my .cfg files to make the VVX work in this manner, but found that this method worked best. Now all of my edge ports are void of any VLAN assignment until an 802.1x device is authenticated. 

 

If you choose to extend 802.1x through the PC port, please be sure to add the following to your configuration file:

 

<!-- 802.1x Secondary Port Link Status -->
<sec.dot1x.eapollogoff sec.dot1x.eapollogoff.enabled="1" />
<sec.dot1x.eapollogoff sec.dot1x.eapollogoff.lanlinkreset="1" />

 

Ensure that the PC Port is enabled as well:

 

<!-- Enable External Ports -->
<device device.set = "1" />
<device device.net.etherModePC.set="1" />
<device device.net.etherModePC = "Auto" />

When the PC is removed from the PC port on the phone, the switch removes the VLAN ID assigned to the PC and leaves the phone in the assigned VLAN. 

 

If I can help further, let me know. 

 

Scott

 

Message 7 of 20
Occasional Visitor

Re: Polycom VVX phones on an 802.1x EAP Enabled Switch fail to obtain DHCP IP address

I am trying to use dynamic VLAN assignment using 802.1x on a Polycom VVX410 as well. I need to extend 802.1x through the PC port; I have also added the following configuration, which I imported using the web interface. I was wondering what kind of switch configuration you must have to extend 802.1x through the PC port. BTW, the VVX is already authenticating using 802.1x; however, the PC port is not broadcasting the DHCP.

 

What I am trying to accomplish: when the PC is added on the PC port on the phone, the switch will add the VLAN ID assigned to the PC (VLAN 99) and leave the phone in the assigned VLAN (VLAN 66) using 802.1x authentication.

 

 

Switch settings:


interface FastEthernet0/4
switchport mode access
dot1x port-control auto
dot1x guest-vlan 24
spanning-tree portfast

 

 

Polycom Settings 

 

<!-- 802.1x Secondary Port Link Status -->
<sec.dot1x.eapollogoff sec.dot1x.eapollogoff.enabled="1" />
<sec.dot1x.eapollogoff sec.dot1x.eapollogoff.lanlinkreset="1" />

 

Ensure that the PC Port is enabled as well:

 

<!-- Enable External Ports -->
<device device.set = "1" />
<device device.net.etherModePC.set="1" />
<device device.net.etherModePC = "Auto" />

 

 

Message 8 of 20
Occasional Visitor

Re: Polycom VVX phones on an 802.1x EAP Enabled Switch fail to obtain DHCP IP address

Scott, 

First, Wonderful posts!  Thanks for sharing.

I think we may have some foundational work to run thru. We have a VOIP provider that "provisions and issues" new phones when we need them. I am fairly certain the configs are stored in an EdgeMarc device on a dedicated VLAN in each of our locations. I think our provider will either have to give us access to the EdgeMarc or the config files (or both). -- not a Polycom issue, per se.

I would like to know from YOU, however,  about the certificates being installed on the phones.  You stated :

 

     "My phones are setup to use EAP-PEAP authentication, using a root certificate and AD credentials preloaded

      on the phone during the initial provisioning process."

 

Could you please provide a little more insight on that?

 

Thanks in advance!

Message 9 of 20
Advisor

Re: Polycom VVX phones on an 802.1x EAP Enabled Switch fail to obtain DHCP IP address

My provisioning process loads our internal root CA and creates a username and password for EAP-PEAP authentication into Active Directory. 

 

I also collect the phones into an AD group, which I use to query in my NPS policy. 

 

The base mac-address.cfg file references the file it needs to load to import the CA cert. I have this set up as a single file, for ease of updating when I need to load a new CA cert.

 

The mac-address-phone.cfg file has the EAP-PEAP settings and AD credentials populated at the time of phone creation. 

 

Each phone has a unique set of username and password credentials. 

 

Did I answer your question? 

Message 10 of 20