PolyCom 802.1x - Issue

Solved
AhmedJawad
Getting noticed

Hi Team 

I have Polycom phones configured to do 802.1x with Meraki MS 120. When I configure it in multi-domain or multi mode, the phone works and gets the voice VLAN, but the laptops that are connected to the phones keep getting auth - reauth.

I did a packet capture. I see the CiscoMer_cc:6b:14 source keeps sending request identity all the time. The destination is sending the identity reply.

I will add a screen capture of the Wireshark.

Any idea, please?

The only way this works is in multi host, but that is not what we want.


RaphaelL
Kind of a big deal

Hi,

Have you tried multi-auth (the last one)?

AhmedJawad
Getting noticed

Yes I have, the same issue. The only one that works is the multi host.

bigben386
Getting noticed

Did you make sure you are sending the radius attribute noted in the config guide?

 

  • Multi-Domain
    With multi-domain authentication, one device can be authenticated on each of the data and voice VLANs; if a second device is detected on one of the VLANs, the device will not be granted access. In this mode, Hybrid Authentication is used and Voice VLAN authentication is required.  This mode is recommended for switchports connected to a phone with a device behind the phone.  Authentication is independent on each VLAN and will not affect the forwarding state of each other.
    Cisco Meraki switches require the following attribute pairs within the Access-Accept frame to put devices on the voice VLAN:

    • Cisco-AVPair

      • device-traffic-class=voice

AhmedJawad
Getting noticed

Yes, we saw the RADIUS attribute in the packet capture. The Meraki is sending it to ISE.

bigben386
Getting noticed

I'm pretty sure your RADIUS server needs to be sending it to the switch, not the other way around. We use NPS and it sends the attribute with the RADIUS accept. The bigger issue we had with Poly devices was that our VoIP provider did not enable:

  • sec.dot1x.eapollogoff.enabled
  • sec.dot1x.eapollogoff.lanlinkreset
  • sec.hostmovedetect.cdp.enabled

Which caused issues with the devices behind the poly phones. Once they enabled them, all our issues went away.

AhmedJawad
Getting noticed

@bigben386 Thank you for your reply. Do those need to be enabled on the Polycom?

  • sec.dot1x.eapollogoff.enabled
  • sec.dot1x.eapollogoff.lanlinkreset
  • sec.hostmovedetect.cdp.enabled

bigben386
Getting noticed

Yes, they all need to be enabled in the Poly config for devices behind the Poly to function properly. It helps inform the switch when devices connected behind the Poly change.
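
An added example, not part of the thread or of Poly's own tooling: a small Python check that a phone configuration file has the three parameters named in the answer above set to 1. It assumes a Poly UC Software style XML file in which parameters are carried as attributes; the element names and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The three parameters named in the answer above.
REQUIRED = (
    "sec.dot1x.eapollogoff.enabled",
    "sec.dot1x.eapollogoff.lanlinkreset",
    "sec.hostmovedetect.cdp.enabled",
)

def audit_poly_config(xml_text):
    """Return {parameter: 'enabled' | 'disabled' | 'missing'} for REQUIRED."""
    found = {}
    # Parameters may sit on any element, so scan every attribute in the tree.
    for elem in ET.fromstring(xml_text).iter():
        for name, value in elem.attrib.items():
            if name in REQUIRED:
                found[name] = value.strip()
    result = {}
    for name in REQUIRED:
        if name not in found:
            result[name] = "missing"
        else:
            result[name] = "enabled" if found[name] == "1" else "disabled"
    return result

def non_compliant(xml_text):
    """List the required parameters that are not explicitly enabled."""
    return [p for p, s in audit_poly_config(xml_text).items() if s != "enabled"]

# Constructed sample: logoff enabled, link reset disabled, CDP setting absent.
SAMPLE_BAD = """<polycomConfig>
  <sec>
    <sec.dot1x sec.dot1x.eapollogoff.enabled="1"
               sec.dot1x.eapollogoff.lanlinkreset="0"/>
  </sec>
</polycomConfig>"""

# Constructed sample: all three parameters enabled.
SAMPLE_GOOD = """<polycomConfig>
  <sec sec.dot1x.eapollogoff.enabled="1"
       sec.dot1x.eapollogoff.lanlinkreset="1"
       sec.hostmovedetect.cdp.enabled="1"/>
</polycomConfig>"""

if __name__ == "__main__":
    for label, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, audit_poly_config(cfg))
```
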

AhmedJawad
Getting noticed

@bigben386 Thank you very much. That worked!
