802.1X security

[jeffjacobs]

We recently implemented Network Access Control and 802.1x. I am not a network engineer so I am not too sure how that works. We are having problems with our 9650 telephone sets since this was implemented.

The biggest problem seems to be that the phone will pick up the voice V-LAN then reset and reboot. It will not go past this process. Just keeps rebooting.

We have also noticed that the phones will just go to a "Discover" screen trying to discover the IP of our CM. No matter how many times we reboot or clear the phone it never connects to the CM. We have to replace the telephone set. The new set will initialize and connect to the CM without a problem. In the last 2 months we have replaced about 50 telephone sets

I noticed in the Craft Procedures menu that there is an option to activate a log. Has anyone done this? Where does the log file go?

We have had quite a few other problems with our telephones sets as well since they activated 802.1X. Has anyone else had problems with this? Any suggestions on what we should do to correct these problems?

 

[gwebster]

Start be upgrading to the latest release of firmware

https://support.avaya.com/downloads...38630_6&productId=P0553&releaseId=H.323 3.2.x

 

[rejackson]

You talk about what the network guys did but you didn't say whether you made the necessary changes to the telephone system It has been a while since we tried and gave up on it. It was working on the phones most of the time but they had too many problems on the PCs and gave up. It greatly increased the installation and maintenance work load.

Every phone had to have an account set up in active directory using its MAC address.

We were using 4621s and had to set up the supplicant mode at the phone but the 46xx file has a section about the 802.1x supplicant settings for 96xx phones.

I believe the pass thru mode had something to do with enabling PCs attached to phones to do their own 802.1x authentication.
##################### 802.1X SETTINGS ####################
##
## 802.1X Supplicant Status
## This setting determines the 802.1X supplicant operating
## mode for 96xx telephones only.
## 0: Supplicant operation disabled.
## 1: Supplicant operation enabled, but responds only to
## received unicast EAPOL messages (default)
## 2: Supplicant operation enabled; responds to received
## unicast and multicast EAPOL messages
## Note 1: The default value of "0" is only for R2.4.1 and later
## releases of 96xx SIP telephones. For releases prior to R2.4.1,
## the default value is "1".
## Note 2: This setting is applicable to 1603 SIP phone models also.
## the default value for 1603 SIP is "0".
## SET DOT1XSTAT 0
##
## 802.1X Pass-Through Mode
## This setting determines the 802.1X pass-through operating
## mode.
## 0: PAE multicast pass-through enabled. No proxy Logoff.
## (For H.323 phones, also enables Unicast Supplicant
## operation.) DEFAULT OPERATION.
## 1: Same operation as for "0" but with proxy Logoff.
## 2: No PAE multicast pass-through or proxy Logoff.
## (For H.323 phones prior to S2.0, also enables Unicast or multicast
## Supplicant operation.)
## Note : This setting is applicable for 1603 SIP phones also.
## SET DOT1X 0
##

 

[jeffjacobs]

On the phone system side we haven't made any changes. When the data team implemented the additional port security the data switches had to rebooted. At first when they rebooted all 6 switches on a floor the phones would not reconnect. However when they forced a reboot of only one switch at a time the phones seemed to work much better. Now that the port security has been in place for a few months we are having complaints from individuals all over our campus about their phones just showing DISCOVER. The biggest problem is the member of our phone support team who helped set up the telephone sets originally is no longer here. Those of us who are left have never worked with the DHCP scope or the 46XXsetting file. So it is difficult for us to know what to do.