802.1x Pass through


Vidmine (Technical User), Oct 2, 2008
I am running 6.3 with a 9611G running 6.8102 connected to a Cisco switch.
The issue I am having is when the user disconnects their laptop from the phone and tries to connect in a conference room, they get an unidentified network error. The issue is the phone is not releasing the user's MAC address. In talking to Cisco, they are telling me the phone needs to be set for 802.1X pass-through.
I checked the 46xxsettings and verified that DOT1X is set to 1, which is pass-through enabled.
 
You can turn the logging up in the phone and have it send via syslog. Get that and a packet capture, prove it and open a case with Avaya?
 
I would be looking at the network port security system in use. Pass-through is just that: it is passing the traffic through; the phone is not capturing the MAC address of the PC.
I would still do what Kyle555 recommends, but I am betting it will show it is a network issue, not a phone issue.
 
ISE or whatever your team uses for network access control (NAC) could be set up so that, since it saw the laptop's MAC over on one port, it assumes an attempt to spoof the laptop's MAC coming through on the conference room port. Therefore it shuts down network access for the one it thinks is the spoofer. This can be tied back through DHCP lease times not having expired also, so it's not necessarily a phone hanging on to a number.

I'd have your network security folks take a deeper look.
 
Thanks, I have an active case with Avaya as well as Cisco. I have sent Wireshark traces to Avaya, and as of right now they do not see the phone "notifying" the network that the laptop has disconnected.
As a workaround I configured "authentication mac-move permit" on the switch, which basically tells the switch that it is possible to see the MAC move to another port: allow it on the new port and kill it on the old. Seems to have fixed about 80% of my problems. The issue I am still having is if the user moves to a room that is not directly on one of my main switches but on a neighboring switch, they still get the unidentified network, and the phone on the main switch is still acting as if the laptop is connected.

Good idea on the logging, I have not done this before on a phone. Dumb question probably but how do I do that?
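In 802.1X terms, the "notification" being looked for in the traces above is an EAPOL-Logoff frame (EAPOL packet type 2, ethertype 0x888E, normally sent to the PAE group address 01:80:C2:00:00:03); in Wireshark the filter `eapol.type == 2` shows them. The script below is an added example, not code from the original post or from Avaya or Cisco: it parses raw Ethernet frames, classifies the EAPOL ones, and reports whether a Logoff was ever seen with the laptop's MAC as source. The two "captures", the laptop MAC and the identity string are constructed here for illustration; on a real capture you would feed in the raw frame bytes from a pcap reader instead.

```python
"""Scan raw Ethernet frames for 802.1X EAPOL traffic and report whether an
EAPOL-Logoff was ever seen for a given supplicant MAC.

Added example; the frames, MAC and identity below are constructed, not taken
from any real capture.
"""
import struct
from collections import Counter

EAPOL_ETHERTYPE = 0x888E
VLAN_ETHERTYPE = 0x8100
PAE_GROUP_ADDR = "01:80:c2:00:00:03"       # IEEE 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_eapol(frame):
    """Parse one Ethernet frame; return a dict for EAPOL frames, else None.
    Tolerates a single 802.1Q tag in front of the EAPOL ethertype."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    off = 12
    (ethertype,) = struct.unpack("!H", frame[off:off + 2])
    if ethertype == VLAN_ETHERTYPE:
        off += 4                                  # skip TCI, land on inner ethertype
        if len(frame) < off + 2:
            return None
        (ethertype,) = struct.unpack("!H", frame[off:off + 2])
    if ethertype != EAPOL_ETHERTYPE:
        return None
    off += 2
    if len(frame) < off + 4:
        return None                               # truncated EAPOL header
    version, ptype, body_len = struct.unpack("!BBH", frame[off:off + 4])
    return {"src": mac_to_str(src), "dst": mac_to_str(dst), "version": version,
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
            "body_len": body_len}


def build_eapol(src, dst, ptype, body=b"", vlan=None):
    """Build an EAPOL frame (used here only to construct sample captures)."""
    hdr = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", VLAN_ETHERTYPE, vlan & 0x0FFF)
    return hdr + struct.pack("!H", EAPOL_ETHERTYPE) + struct.pack("!BBH", 2, ptype, len(body)) + body


def eapol_summary(frames):
    """Count EAPOL frames per (source MAC, EAPOL type)."""
    return Counter((p["src"], p["type"]) for p in map(parse_eapol, frames) if p)


def logoff_seen(frames, supplicant_mac):
    """True if any frame is an EAPOL-Logoff whose source is supplicant_mac
    (sent by the supplicant itself, or by a device proxying on its behalf)."""
    want = supplicant_mac.lower()
    return any(p is not None and p["type"] == "EAPOL-Logoff" and p["src"] == want
               for p in map(parse_eapol, frames))


# --- constructed sample data (not a real capture) ---------------------------
LAPTOP_MAC = "00:11:22:aa:bb:cc"
_identity = b"user@example.com"
# EAP Response/Identity: code=2 (Response), id=1, length, type=1 (Identity)
_eap_identity = struct.pack("!BBH", 2, 1, 5 + len(_identity)) + b"\x01" + _identity
_ipv4_frame = mac_to_bytes("ff:ff:ff:ff:ff:ff") + mac_to_bytes(LAPTOP_MAC) + b"\x08\x00" + b"\x45" + b"\x00" * 19

CAP_GOOD = [                                        # laptop authenticates, then a Logoff is seen
    build_eapol(LAPTOP_MAC, PAE_GROUP_ADDR, 1),                   # EAPOL-Start
    build_eapol(LAPTOP_MAC, PAE_GROUP_ADDR, 0, _eap_identity),    # EAP Response/Identity
    build_eapol(LAPTOP_MAC, PAE_GROUP_ADDR, 2),                   # EAPOL-Logoff
]
CAP_BAD = CAP_GOOD[:2] + [_ipv4_frame]              # same session, but no Logoff ever appears


def report(frames, supplicant_mac):
    """Human-readable verdict for one capture."""
    lines = [f"{src} {typ}: {n}" for (src, typ), n in sorted(eapol_summary(frames).items())]
    verdict = "seen" if logoff_seen(frames, supplicant_mac) else "NOT seen"
    return "\n".join(lines + [f"EAPOL-Logoff from {supplicant_mac}: {verdict}"])


if __name__ == "__main__":
    print("--- good capture ---\n" + report(CAP_GOOD, LAPTOP_MAC))
    print("--- bad capture ---\n" + report(CAP_BAD, LAPTOP_MAC))
```

Run it against a real capture by replacing the two lists with the raw frames of the PC-port capture; if the only EAPOL from the laptop's MAC after the unplug is nothing at all, the capture supports the "no notification" finding, and that is the evidence to attach to the case.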
 
Craft menu. If you have an Avaya case open, you can enable SSH, logging levels and syslog on the phone via 46xx or from the Craft menu.
You can SSH into the phone if they give you the challenge response and just scp the log files off. Or get them on a syslog server or whatever. The pcap shows what the phone did. The phone logs show why.
 
Thanks, You gave me a good direction to look.
 