
I am trying to find out the answer to this issue. I have version 5.5.1 running on a VVX 411 and am able to authenticate the phone against my RADIUS server using EAP-MSCHAPv2 authentication.

 

The RADIUS server is set up to auto-assign the VLAN ID back to the Avaya switch. I have run multiple traces and can confirm that the phone is authenticated and placed into the correct VLAN.

 

All devices start in a static VLAN and if they fail authentication they can be remediated from there. I don't even see the MAC of the phone show up in the 'staging' DHCP scope. 

 

The DHCP server never receives the DHCP request after the EAP portion is complete. I have also plugged a Windows 10 laptop into the PC port on the phone and it will authenticate correctly and does obtain an IP address.

 

I have no DHCP issues if I disable EAPoL authentication on the switch and manually place the phone in the VLAN.

 

During my research I found out that the supplicant on the phone is 802.1x-2004, and older code revs from Avaya only supported 802.1x-2001.

 

The code rev I have running on my ERS 5632 is 6.6.3 and has 2004 support.

 

Any idea why the phone is unable to obtain a DHCP IP after it is flipped into a new VLAN? 

1 ACCEPTED SOLUTION


Hello SR_MCSE,

welcome to the Polycom Community.

The community's VoIP FAQ contains this post here:

Jul 10, 2013 Question: How can I use VLAN's with Polycom phones?

Resolution: Please check => here <=

 

and

 

Aug 24, 2015 Question:What basic network data is send and received by a Polycom phone?

Resolution: Please check this post => here <=


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP , Video Endpoint , UC Platform (Microsoft) , PSTN


Since the post, I have done some more troubleshooting on this. 

 

It seems that the phone has an issue understanding what VLAN it was placed into after the successful EAP authentication. I manually set the VLAN ID on the phone to 620, left it as DHCP and then re-tried the 802.1x authentication.

 

It finally worked and the VVX was able to get an IP address from the DHCP server. 

 

 

172.28.104.36    64:16:7f:08:11:77  dynamic  2016-12-23 14:13:04 MST

 

Is there another way to get the VLAN ID to be assigned to the phone, in this 802.1x scenario, without having to resort to manually entering it?  

 

 


In a dynamic VLAN assignment scenario, where the VLAN ID is being sent back from the RADIUS policy server after a successful 802.1x authentication, will the DHCP option 128, or 144, or 191 VLAN assignment work? 

 

In my scenario, each floor I have in my office building has 2 /24 network subnets assigned on 2 separate VLANs. 1 for Data and 1 for Voice. I QoS the voice vlan based on VLAN ID and also use the subnet information for 911 call tracking. 

 

Setting a static VLAN ID in the configuration could be problematic if the phone is moved to a different floor or different building. The VLAN ID would then need to be manually changed in the phone configuration file. 

 

One thought I had was to create a small 'staging' VLAN per floor with a small DHCP scope, where all devices are placed by default before they are processed by EAP or MAC-based authentication. Within this DHCP scope would be the DHCP option to tell the phone the correct VLAN-A=xxx; information.

 

Any idea if this would solve my issue?

 

 


Hi,

 

We have exactly the same problem.

802.1x is enabled from the provisioning server. 802.1X works. The switch port goes to the right VLAN, but DHCP failed on the VVX.

We have tried to change the VLAN parameter to manually set it (it's not a solution) and it doesn't work better.

What is the solution to have 802.1X and dynamic VLAN attribution work with VVX phones?


Hello SR_MCSE and Doum

Simply replicate this and get us the logs and a wireshark.

 

In order to raise a support ticket you need to work with your Polycom reseller as they need to do this for you.

If this is some sort of an Internet discounter please post either your phone's MAC address or your Polycom devices serial so I can look up who would be able to support you.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services


I ended up using 802.1x EAPoL authentication for my phone deployment. 

 

I set up my switch ports for 802.1x and pointed my switches to a RADIUS server, in this case NPS.

 

My ports are set up to be untagall, and also not a member of any VLAN, however the default VLAN ID is 1. EAP is set up to allow Dynamic VLAN assignment. Depending on your switch manufacturer, this will differ.

 

My phones are set up to use EAP-PEAP authentication, using a root certificate and AD credentials preloaded on the phone during the initial provisioning process.

 

When the phone EAP supplicant starts the authentication process, the 802.1x policy is validated and the VLAN ID is assigned to the port. The default VLAN ID remains at 1, however for example, the port is assigned to VLAN 10.

 

I also use the PC port on the phone for my 802.1x authenticated corporate computers. It runs through the same RADIUS process and the Computer/Laptop is assigned a different VLAN ID. The default VLAN ID remains at 1, however for example, the port is assigned to VLAN 20.

 

Just make sure that the VLANs are defined on your switch, remove all access ports from VLAN 1, and add the VLANs to your tagged uplink port(s) to your core router(s). If the DHCP server is remote, then confirm that your DHCP relay settings work.

 

This method resolved my issue. 

 

In a previous VoIP implementation using Nortel phones, we didn't use 802.1x, however did use information in the DHCP scopes to flip the phones from an initial VLAN into another. We did have to set the ports for untagPvidOnly.

 

I attempted to use the same model, however found that if the PC was placed into a specific VLAN and the VLAN ID was set to the PC VLAN ID, the phone would go into the VoIP VLAN, however it was not able to communicate. I think this is the same issue you are seeing. 

 

I will admit that it took a bit of time to craft my .cfg files to make the VVX work in this manner, but found that this method worked best. Now all of my edge ports are void of any VLAN assignment until an 802.1x device is authenticated. 

 

If you choose to extend 802.1x through the PC port, please be sure to add the following to your configuration file:

 

<!-- 802.1x Secondary Port Link Status -->
<sec.dot1x.eapollogoff sec.dot1x.eapollogoff.enabled="1" />
<sec.dot1x.eapollogoff sec.dot1x.eapollogoff.lanlinkreset="1" />

 

Ensure that the PC Port is enabled as well:

 

<!-- Enable External Ports -->
<device device.set = "1" />
<device device.net.etherModePC.set="1" />
<device device.net.etherModePC = "Auto" />

When the PC is removed from the PC port on the phone, the switch removes the VLAN ID assigned to the PC and leaves the phone in the assigned VLAN. 

 

If I can help further, let me know. 

 

Scott

 


I am trying to use dynamic VLAN assignment using 802.1x on a Polycom VVX410 as well. I need to extend 802.1x through the PC port; I have also added the following configuration and imported it using the web interface. I was wondering what kind of switch configuration you must have to extend 802.1x through the PC port. BTW, the VVX is already authenticating using 802.1x, however the PC port is not broadcasting the DHCP.

What I am trying to accomplish: when the PC is added on the PC port on the phone, the switch will add the VLAN ID assigned to the PC (VLAN 99) and leave the phone in the assigned VLAN (VLAN 66) using 802.1x authentication.

 

 

Switch settings:


interface FastEthernet0/4
switchport mode access
dot1x port-control auto
dot1x guest-vlan 24
spanning-tree portfast

 

 

Polycom Settings 

 

<!-- 802.1x Secondary Port Link Status -->
<sec.dot1x.eapollogoff sec.dot1x.eapollogoff.enabled="1" />
<sec.dot1x.eapollogoff sec.dot1x.eapollogoff.lanlinkreset="1" />

 

Ensure that the PC Port is enabled as well:

 

<!-- Enable External Ports -->
<device device.set = "1" />
<device device.net.etherModePC.set="1" />
<device device.net.etherModePC = "Auto" />

 

 


Scott, 

First, Wonderful posts!  Thanks for sharing.

I think we may have some foundational work to run thru. We have a VoIP provider that "provisions and issues" new phones when we need them. I am fairly certain the configs are stored in an EdgeMarc device on a dedicated VLAN in each of our locations. I think our provider will either have to give us access to the EdgeMarc or the config files (or both). -- not a Polycom issue, per se.

I would like to know from YOU, however,  about the certificates being installed on the phones.  You stated :

 

     "My phones are set up to use EAP-PEAP authentication, using a root certificate and AD credentials preloaded

      on the phone during the initial provisioning process."

 

Could you please provide a little more insight on that?

 

Thanks in advance!


My provisioning process loads our internal root CA and creates a username and password for EAP-PEAP authentication into Active Directory. 

 

I also collect the phones into an AD group, which I use to query in my NPS policy. 

 

The base mac-address.cfg file references the file it needs to load to import the CA cert. I have this set up as a single file, for ease of updating when I need to load a new CA cert.

 

The mac-address-phone.cfg file has the EAP-PEAP settings and AD credentials populated at the time of phone creation. 

 

Each phone has a unique set of username and password credentials. 

 

Did I answer your question? 
