
Author Topic: avaya 4500 + radius + ip phones + eapol re-auth  (Read 2551 times)


Offline CraigStrydom

  • Rookie
  • Posts: 4
avaya 4500 + radius + ip phones + eapol re-auth
« on: June 04, 2015, 09:40:18 AM »
Hi All,

I apologize if this should be in the forum's switch section.

I use a network access control system called PacketFence to manage EAPOL on the edge switches.
This is essentially a FreeRADIUS server with a nice GUI interface. It handles wired and wireless device authentication. Wired devices do NEAP and wireless devices do 802.1X.

Switches are mostly Avaya 4548GT-PWR HW:12 FW:5.3.0.3 SW:v5.7.1.021 BN:21
IP Phones are a mix of Avaya 1120e, 1220 and 1230s - no configuration set on the phones.
I have tried with and without ADAC. (The PacketFence NAC can also detect IP phones, and the phones were set in RADIUS to be added to a voice VLAN when connected.)

What happens is that sometimes the switches lose connection to the RADIUS server, which causes the phones to disconnect after a while. They then go into a state where they do not see the DHCP server and so cannot download their configs from the PBX. These phones do not seem to re-authenticate even if the re-auth option is enabled. They also lose the VLAN that was set on the port for voice.

So, no port change and no radius assigned vlan = dead phone service.

The switch EAPOL settings script looks like this:

eapol allow-port-mirroring
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
eapol multihost non-eap-phone-enable
eapol multihost allow-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost multivlan enable
eapol multihost non-eap-reauthentication-enable

interface FastEthernet ALL
eapol multihost port 1-24 enable mac-max 16 eap-mac-max 8 allow-non-eap-enable non-eap-mac-max 8 radius-non-eap-enable non-eap-use-radius-assigned-vlan
eapol multihost port 1-24 enable non-eap-phone-enable use-radius-assigned-vlan
eapol port 1-24 re-authentication enable
eapol port 1-24 re-authentication-period 900
exit

eapol enable


What am I missing in the configuration of the phones, as it seems that the re-auth option is ignored?
Thank you in advance.

Craig.


Offline TankII

  • Hero Member
  • Posts: 556
Re: avaya 4500 + radius + ip phones + eapol re-auth
« Reply #1 on: June 23, 2015, 10:01:57 AM »
Have you tried adding in LLDP-MED statements?
TankII

Offline CraigStrydom

  • Rookie
  • Posts: 4
Re: avaya 4500 + radius + ip phones + eapol re-auth
« Reply #2 on: October 21, 2015, 04:29:17 AM »
Hi All,

Just adding this in case someone else finds the same problem.
It looks like I finally found the problem.

I had to set the port timeouts to a much longer delay than default:

interface ethernet all
eapol port 1/1-47 re-authentication enable
eapol port 1/1-47 re-authentication-period 14400
eapol port 1/1-47 server-timeout 1800
eapol port 1/1-47 quiet-interval 60
eapol port 1/1-47 max-request 10
exit

The radius server can now be unreachable for 4 hours before a port re-authentication and disconnection of devices.

Regards,
Craig.
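An added example, not from the thread or from Avaya: a small Python audit that parses the `eapol port <range> <setting> <value>` lines shown above out of a running-config dump and flags port ranges whose re-authentication period is shorter than the 14400 s value Craig settled on, taking that period as the window a port survives without RADIUS, as his last post describes. The sample config and the extra port 1/48 are constructed; `min_period` is an assumed policy threshold, not a switch default.

```python
"""Audit EAPOL re-authentication timers in an Avaya ERS running-config dump.

Added example (not the thread's own tooling).  Assumes the `eapol port <range>
<setting> <value>` line shape seen in the thread.
"""
import re

# Constructed sample: the thread's working timers for ports 1/1-47, plus a
# constructed port 1/48 left at the short 900 s period from the first post.
SAMPLE_CONFIG = """\
interface ethernet all
eapol port 1/1-47 re-authentication enable
eapol port 1/1-47 re-authentication-period 14400
eapol port 1/1-47 server-timeout 1800
eapol port 1/1-47 quiet-interval 60
eapol port 1/1-47 max-request 10
eapol port 1/48 re-authentication enable
eapol port 1/48 re-authentication-period 900
exit
"""

LINE_RE = re.compile(
    r"^eapol port (\S+) (re-authentication(?:-period)?|server-timeout|quiet-interval|max-request) (\S+)$"
)


def parse_eapol_ports(config):
    """Return {port_range: {setting: value}} for every `eapol port` timer line."""
    ports = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # interface/exit/global eapol lines are not per-port timers
        port_range, key, value = m.groups()
        entry = ports.setdefault(port_range, {})
        if key == "re-authentication":
            entry["reauth_enabled"] = value == "enable"
        else:
            entry[key] = int(value)  # all remaining settings are integer seconds/counts
    return ports


def audit_reauth(config, min_period=14400):
    """Flag port ranges that re-authenticate with a period below min_period (assumed
    policy threshold; default is the 4 h value the thread settled on) or with no period set."""
    findings = []
    for port_range, e in sorted(parse_eapol_ports(config).items()):
        if not e.get("reauth_enabled"):
            continue  # no periodic re-auth, so a RADIUS outage does not trigger one
        period = e.get("re-authentication-period")
        if period is None:
            findings.append((port_range, "re-authentication-period not set; switch default applies"))
        elif period < min_period:
            findings.append((port_range, f"re-authentication-period {period}s < {min_period}s"))
    return findings
```

Run it against `show running-config` output saved to a file instead of `SAMPLE_CONFIG` to see which ports would still drop phones during a shorter RADIUS outage.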