ex2200/3300 VOIP phone does not DOT1x with pc plugged in

  • 1.  ex2200/3300 VOIP phone does not DOT1x with pc plugged in

    Posted 10-15-2018 11:02

    Hello 

     

    We have both EX2200 and EX3300 that this is happening on.

    If a VoIP phone is plugged in with a PC behind it, the PC will auth with dot1x and the phone will not. We can see the phone in LLDP, but the MAC does not show on the switch.

    This happens with both Polycom and Avaya phones and has been an ongoing issue for a couple of years. I have opened tickets in the past and Juniper blamed it on the Avaya phones at the time, but now we have brand new phones and it still happens.

     

    set protocols dot1x authenticator authentication-profile-name ClearPass-Radius
    set protocols dot1x authenticator interface All-dot1x-Ports supplicant multiple
    set protocols dot1x authenticator interface All-dot1x-Ports transmit-period 5
    set protocols dot1x authenticator interface All-dot1x-Ports mac-radius
    set protocols dot1x authenticator interface All-dot1x-Ports reauthentication 3600
    set protocols dot1x authenticator interface All-dot1x-Ports server-timeout 3
    set protocols dot1x authenticator interface All-dot1x-Ports maximum-requests 3
    set protocols dot1x authenticator interface All-dot1x-Ports server-fail use-cache

     

    ge-0/0/4.0    Authenticator  Authenticated 

    show lldp neighbors
    Oct 15 12:58:16
    Local Interface Parent Interface Chassis Id Port info System Name
    ge-0/0/4.0 - 0.0.0.0 1 Polycom VVX 411

     

    If you reboot the phone (hard or soft), if you restart dot1x on the switch, this happens. Above is the after; here is the before:

     

    ge-0/0/4.0 Authenticator Authenticated 64:16:7F:27:BD:99 64167f27bd99
    ge-0/0/4.0 Authenticated FC:4D:D4:F4:87:FE

    We have a packet capture showing the phone send the MAC to the switch, but it looks like the switch ignores it.

    This only happens if a PC is plugged into the phone.



  • 2.  RE: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

    Posted 10-16-2018 09:32

    Further testing shows that dropping the port out of the range and manually configuring it makes the issue stop.

    However, if we do this to the entire switch, the problem comes back again.

    Checked TCAM and it seems fine.



  • 3.  RE: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

    Posted 12-04-2018 15:29

    Working with Juniper on this is ongoing, but I wanted to update.

    Juniper found a bug: if we remove the lo0 filter (protect RE), the device connects fine. This is our protect RE filter and it is NOT set to block L2 packets. We found that moving the filter to an L3 interface on the switch allows the devices to work; however, you have to add the filter to every L3 interface to protect the switch. We only have one L3, so for now it is a workaround for us.

    Juniper was able to recreate this in the lab and we are waiting on them to get back to us.

    They are not yet sure if this is a hardware issue, a software issue, or a combo. We have tried 12, 14, and 15 code on the 2200 and the issue still happens.

    We fully tested an EX3400 and it DOES NOT have this issue.



  • 4.  RE: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

    Posted 12-14-2018 09:15

    Update:

    Juniper has sent a one-off OS to try that fixes the issue. We are waiting on a time frame for the official release.



  • 5.  RE: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

    Posted 01-02-2019 08:37

    Update for anyone that may be searching Google for this:

     

    Juniper notified us that 12.3R12-S12 will include the fix



  • 6.  RE: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

     
    Posted 01-02-2019 12:38

    Did anyone provide you a Juniper PR number?  Just wondering.  Thanks



  • 7.  RE: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

    Posted 01-02-2019 15:01

    @rccpgm wrote:

    Did anyone provide you a Juniper PR number?  Just wondering.  Thanks


    We did not get a PR number yet 



  • 8.  RE: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

     
    Posted 01-03-2019 13:06

    @Andrewmiller wrote:

    @rccpgm wrote:

    Did anyone provide you a Juniper PR number?  Just wondering.  Thanks


    We did not get a PR number yet 

     


    Looks like 1332957?

     

    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1332957



  • 9.  RE: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

     
    Posted 01-03-2019 13:27

    Yes, that looks to be the one.  I see the PR is applied to every code stream.  Although the original PR was opened against EX4300 (which does not support 12.3), it appears the situation affected any/all products that can run 802.1x, so the same fix was applied to 12.3 for EX2200/3300/4200.

     

    Thanks



  • 10.  RE: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

    Posted 01-03-2019 13:34

    That is not it; it only affects the non-ELS switches.

    I requested the PR number from TAC since the search is broken.



  • 11.  RE: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

    Posted 01-09-2019 09:16

    Update from Juniper:

     

    PR num is 1401915.

     

    12.3R12-S13 is the fix release now 



  • 12.  RE: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

     
    Posted 01-09-2019 10:37

    From what I can tell, the change is most likely applicable to any Juniper device that supports 802.1x with multiple supplicants, and the change is across all code streams, 12.3 and beyond.  As for the situation:

     

    On EX2200/EX3200/EX3300/EX4200,  when interface is enabled dot1x multiple supplicant mode and there is a firewall filter configured on loopback interface, MAC learning for unknown source might be dropped which causes dot1x authentication issue.

     

    Just FYI.
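
The condition described in the post above (dot1x multiple supplicant mode together with a firewall filter on the loopback interface), as an added example that is not part of the original thread and not Juniper's code: a Python check over a `set`-format configuration that also lists the L3 interfaces the workaround from post 3 would need to cover. The sample configuration, the filter name `PROTECT-RE`, the `ge-0/0/47.0` port and the `vlan.10` address are constructed.

```python
import re

# Constructed sample in Junos "set" format. The dot1x lines follow the thread's
# first post; the filter name PROTECT-RE and the addresses are made-up placeholders.
SAMPLE_CONFIG = """\
set protocols dot1x authenticator authentication-profile-name ClearPass-Radius
set protocols dot1x authenticator interface All-dot1x-Ports supplicant multiple
set protocols dot1x authenticator interface All-dot1x-Ports mac-radius
set protocols dot1x authenticator interface ge-0/0/47.0 supplicant single
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set interfaces vlan unit 10 family inet address 192.0.2.1/24
"""

DOT1X_RE = re.compile(
    r"^set protocols dot1x authenticator interface (\S+) supplicant (\S+)")
LO0_FILTER_RE = re.compile(
    r"^set interfaces lo0 unit \d+ family \S+ filter (\S+) (\S+)")
L3_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet6? address ")


def audit(config_text):
    """Report whether both halves of the condition in the thread are configured."""
    multi, lo0_filters, l3_ifaces = [], [], []
    for line in config_text.splitlines():
        line = line.strip()
        if m := DOT1X_RE.match(line):
            if m.group(2) == "multiple":
                multi.append(m.group(1))
        elif m := LO0_FILTER_RE.match(line):
            lo0_filters.append(m.group(2))
        elif m := L3_RE.match(line):
            name = f"{m.group(1)}.{m.group(2)}"
            if not name.startswith("lo0.") and name not in l3_ifaces:
                l3_ifaces.append(name)
    return {
        "multiple_supplicant_ports": multi,
        "lo0_filters": lo0_filters,
        # Both must be present for the MAC-learning drop described in the thread.
        "exposed": bool(multi and lo0_filters),
        # Workaround from the thread: the filter has to be applied to each of these.
        "l3_interfaces_for_workaround": l3_ifaces,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
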



  • 13.  RE: ex2200/3300 VOIP phone does not DOT1x with pc plugged in
    Best Answer

    Posted 03-13-2019 12:37

    They updated it 

     

    Resolved In 12.3R13 15.1R8


  • 14.  RE: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

     
    Posted 01-03-2019 13:05