802.1x LLDP and AVAYA phones

Unanswered Question
Apr 6th, 2007

Has anyone worked on this? Got some 3750 LLDP code so we could do dot1x and voice VLANs with Avaya 4610 phones. I am able to get the 4610 to authenticate with my Cisco ACS 4.1 server, but I am having trouble giving the phone the voice VLAN. I am trying to use the IETF RADIUS attributes to give the phone the voice VLAN. From what I understand, the ACS server will authenticate the phone using CHAP username/password, then the ACS server sends the voice VLAN info to the switch with LLDP-MED values. Once onto the voice VLAN, I pass the DHCP values for the Media Server and the TFTP server and that's it. I just can't get the ACS server to send the phone the voice VLAN using LLDP-MED. Here is a snippet from the doc on using a Foundry switch. It appears all I have to do is set ACS to give out the VLAN with the keyword "Voice" and it should send that info to the phone.

"Click the 'Configure Attribute' button and configure the Vendor Specific Attribute (VSA). Enter 211 for the Vendor-assigned attribute number. Select String for the Attribute format, and T88 or Tvoice for the Attribute value. VSA 211 is used to support a tagged VLAN. T88 means tagged VLAN ID 88 and Tvoice means tagged VLAN name voice. Once the Microsoft IAS authenticates the phone, the Microsoft IAS will send VSA 211 to the BlackDiamond 8810. The BlackDiamond 8810 will move the phone's MAC address dynamically into the tagged VLAN (note that VLAN 88 or VLAN voice is not statically configured on ports connected to the phones). The BlackDiamond 8810 will also send this VLAN ID associated with its name 'Voice' (configured on the BlackDiamond 8810) to the phone via LLDP Media advertisement. When the phone identifies the VLAN name as 'Voice' ('Voice' is a key word), the phone will reset and use this tagged VLAN. The BlackDiamond 8810 will forward tagged 'Voice' VLAN packets after the phone is authenticated again. The phone should be able to reach the DHCP and TFTP server and register to Avaya Communication Manager if configured properly."

http://www.avaya.com/master-usa/en-...eme-dot1x01.pdf

jafrazie Sat, 04/07/2007 - 06:16

LLDP has nothing to do with 802.1X, per se. If you're having trouble giving your phone the VVID via LLDP, you should be having this trouble irrespective of 802.1X. If this is NOT the case, then it's a bug and a TAC case is recommended.

But from your description, it sounded like you are trying to give the switch Voice-VLAN first via RADIUS as the phone authenticates. This (Dynamic Voice-VLAN Assignment with 1X) is not supported yet.

Hope this helps,

miwitte Sat, 04/07/2007 - 06:38

Makes sense. I am just trying to reverse-engineer the AVAYA doc that uses a Foundry switch. If you look through it, it appears that they use the RADIUS attribute for VLAN and that gets sent to the switch in the EAP success info. The switch then sends the voice VLAN info using the LLDP-MED VLAN attribute to the phone. The phone then sets its voice VLAN and reboots. The issue with the AVAYA phones is they must come up on the data VLAN, get an IP address on the data VLAN and get its options for TFTP server and Media server. It then reboots onto the voice VLAN and comes up. With dot1x it's not possible as the data VLAN is not authenticated. The next step I'll try is to get it up with no authentication. I only had a couple hours yesterday to play anyway. Will get a sniffer on there too.

jafrazie Sat, 04/07/2007 - 06:54

Fair enough.

Feel free to Fwd a reference. What you need here is multi-domain-authentication on your switch. See here:

<http://www.cisco.com/en/US/partner/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00807743fb.html#wp1271000>

You cannot dynamically assign the VVID from RADIUS yet. Just rely on the static configuration that may already be there (before 1X is deployed).

With multi-domain auth, you tell the switch the device is a phone via RADIUS/802.1X. This way, the switch knows how to handle the session better. It'll allow the phone to communicate on the data-vlan initially b/c it has to (Avaya operation, etc. has been taken into account for the implementation). Then, when the phone reboots and begins 1Q-tagging, the switch can disallow the data-vlan access it temporarily granted to the phone on the fly.

Hope this helps,
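As an added example (not from this thread, and not a configuration from Cisco's or Avaya's documentation), here is a minimal Catalyst 3750 IOS configuration for one access port that follows the advice above: the voice VLAN is configured statically on the port rather than assigned from RADIUS, 802.1X runs in multi-domain host mode so the phone and the PC behind it are authenticated separately, and LLDP is enabled so the switch can advertise the voice VLAN to the phone via LLDP-MED. The VLAN numbers, interface, RADIUS server address and shared secret are constructed placeholders.

```cisco
! Constructed example: VLAN 10 = data, VLAN 100 = voice,
! RADIUS server (ACS) at 192.0.2.10 -- all placeholders
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
dot1x system-auth-control
!
! LLDP must be running for the switch to send the LLDP-MED
! network-policy (voice VLAN) advertisement to the phone
lldp run
!
interface FastEthernet1/0/1
 description Avaya 4610 phone with a PC behind it
 switchport mode access
 switchport access vlan 10
 ! Voice VLAN stays static on the port; it is not pushed from RADIUS
 switchport voice vlan 100
 ! One voice domain and one data domain per port
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x reauthentication
 spanning-tree portfast
```

For multi-domain mode to place the phone in the voice domain, the ACS authorization for the phone's credentials must return the Cisco AV pair `device-traffic-class=voice`; without it the switch treats the phone's session as a data-domain host, its tagged voice traffic is not admitted, and the PC's later authentication has no free data domain. On newer IOS releases the host-mode command is `authentication host-mode multi-domain` instead of the `dot1x host-mode` form shown here.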
