06-19-2018 11:44 PM
Hi All,
Been configuring the HP 5130 switch with ISE.
I am able to get the normal Dot1X authentication working fine.
Now I am configuring the switch to do MAB, using a Cisco IP phone.
What I see is that the phone gets registered, but there are no traces of it in the live logs on ISE.
Also, if I connect a computer via the phone, I can see that computer MAC address and other details in the live logs just fine.
Following is the setup:
ISE ver 2.3.0.298 patch 3
Switch: HP/H3C Comware 7
Port config:
interface GigabitEthernet1/0/4
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 230 untagged
 port hybrid pvid vlan 230
 voice-vlan 260 enable
 mac-vlan enable
 undo stp enable
 stp edged-port
 port bridge enable
 poe enable
 dot1x
 undo dot1x handshake
 dot1x handshake reply enable
 dot1x mandatory-domain ciscoise
 undo dot1x multicast-trigger
 dot1x unicast-trigger
 mac-authentication max-user 5
 mac-authentication domain ciscoise
 mac-authentication timer auth-delay 15
 mac-authentication host-mode multi-vlan
 mac-authentication parallel-with-dot1x
Any idea what could be going on here?
06-21-2018 04:54 AM
It sounds like the switch is performing a CDP- or LLDP-bypass-like function. The CDP Bypass function that was introduced by Cisco many years ago basically uses CDP to detect the phone and authorize it to the Voice VLAN without authorization. We no longer recommend its use since it bypasses (as the name suggests) authentication, so you will not get a record of it in the Live Log. If the HP switch is performing a similar function, then it will bypass RADIUS auth.
06-20-2018 07:14 AM
Maybe these could help?
https://community.hpe.com/t5/Switches-Hubs-and-Modems/MAC-amp-802-1x-on-the-same-network/td-p/4620649
https://networkguy.de/?p=1649
Do you need this?
port-security port-mode userlogin-secure-or-mac-ext
I'd do a tcpdump on the PSN to see if the switch is sending any RADIUS requests when the phone connects (is it even attempting MAB?).
Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.
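The capture check suggested above, worked through as an added example that is not part of the thread and not Cisco's or HPE's code. The idea: capture RADIUS on the PSN (for example `tcpdump -i eth0 -n udp port 1812 -w radius.pcap`, with `eth0` standing in for whatever interface the PSN listens on; 1812 is the default RADIUS authentication port), extract the UDP payloads with whatever tool you prefer, and then look at what the switch actually sent. A MAB attempt shows up as an Access-Request with Service-Type Call-Check (10) and the MAC as User-Name; an 802.1X attempt carries an EAP-Message attribute. If the phone's MAC never appears in a Calling-Station-Id, the switch never asked ISE about it, which is exactly the bypass behaviour described in this thread. The MAC addresses, port name and packets below are constructed sample data, and all function names are my own.

```python
import struct

ACCESS_REQUEST = 1
CALL_CHECK = 10  # Service-Type value used by MAB (RFC 2865 / RFC 3580)
ATTR_NAMES = {1: "User-Name", 6: "Service-Type", 31: "Calling-Station-Id",
              79: "EAP-Message", 87: "NAS-Port-Id"}


def build_access_request(ident, attrs):
    """Constructed test helper: build a RADIUS Access-Request from (type, value) pairs.
    The 16-byte Request Authenticator is zeroed; we only parse, never verify it."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


def parse_radius(payload):
    """Parse a raw RADIUS UDP payload into {'code', 'id', 'attrs'} (RFC 2865 framing).
    Raises ValueError on truncated or malformed packets instead of guessing."""
    if len(payload) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(ATTR_NAMES.get(atype, f"Attr-{atype}"), []).append(payload[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}


def normalise_mac(text):
    """Accept 00-11-22-33-44-55, 0011.2233.4455, 001122334455 ... and return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in text.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(pkt):
    """'dot1x' if an EAP-Message is present, 'mab' if Service-Type is Call-Check, else 'other'."""
    if pkt["code"] != ACCESS_REQUEST:
        return "other"
    a = pkt["attrs"]
    if "EAP-Message" in a:
        return "dot1x"
    svc = a.get("Service-Type")
    if svc and len(svc[0]) == 4 and struct.unpack("!I", svc[0])[0] == CALL_CHECK:
        return "mab"
    return "other"


def summarise(payloads):
    """One row per Access-Request: auth method, endpoint MAC (from Calling-Station-Id), switch port."""
    rows = []
    for p in payloads:
        pkt = parse_radius(p)
        a = pkt["attrs"]
        csid = a.get("Calling-Station-Id", [b""])[0].decode("ascii", "replace")
        port = a.get("NAS-Port-Id", [b""])[0].decode("ascii", "replace")
        rows.append({"method": classify(pkt), "mac": normalise_mac(csid), "port": port})
    return rows


def methods_for_mac(payloads, mac):
    """Sorted list of auth methods the switch attempted for this MAC; [] means it never asked."""
    want = normalise_mac(mac)
    return sorted({r["method"] for r in summarise(payloads) if r["mac"] == want})


# Constructed sample capture: the PC behind the phone is seen twice (dot1x, then MAB);
# the phone itself never generates a request, mirroring what the thread describes.
PC_MAC = "00:11:22:33:44:55"
PHONE_MAC = "00:aa:bb:cc:dd:ee"
PORT = b"GigabitEthernet1/0/4"
SAMPLE_CAPTURE = [
    build_access_request(1, [(1, b"alice"), (79, b"\x02\x01\x00\x0a\x01alice"),
                             (31, b"00-11-22-33-44-55"), (87, PORT)]),
    build_access_request(2, [(1, b"001122334455"), (6, struct.pack("!I", CALL_CHECK)),
                             (31, b"00-11-22-33-44-55"), (87, PORT)]),
]

if __name__ == "__main__":
    for row in summarise(SAMPLE_CAPTURE):
        print(row)
    print("phone:", methods_for_mac(SAMPLE_CAPTURE, PHONE_MAC) or "no RADIUS request at all")
```

An empty result for the phone's MAC while the PC behind it shows `mab` or `dot1x` on the same `NAS-Port-Id` is the signature of a phone that was admitted to the voice VLAN by a discovery protocol rather than by RADIUS; an ISE Live Log entry can only exist if an Access-Request was sent.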
06-21-2018 07:21 AM
Was able to resolve it.
As pointed out by chyps, the switch was running LLDP.
Disabled it and then was able to get the MAC addresses of the IP phones connected to this HP switch.
06-21-2018 07:22 AM
Thank you!
Disabled LLDP.
Was able to see the MAC addresses of the phone in ISE.
Dinesh
06-21-2018 07:41 AM
Glad that you were able to confirm LLDP "bypass" was the culprit. Of course, profiling will not be able to use LLDP for profiling, although DHCP is usually sufficient for phones. I would check with HPE to see if there is an option to disable the bypass function so that you can continue to leverage LLDP and phone auth.
06-21-2018 07:59 AM
That would be really great!