Ethernet Switching

ex2200/3300 VOIP phone does not DOT1x with pc plugged in

‎10-15-2018 11:01 AM

Hello

We have both EX2200 and EX3300 switches that this is happening on.

If a VoIP phone is plugged in with a PC behind it, the PC will auth with dot1x and the phone will not. We can see the phone in LLDP, but the MAC does not appear on the switch.

This happens with both Polycom and Avaya phones and has been an ongoing issue for a couple of years. I have opened tickets in the past and Juniper blamed it on the Avaya phones at the time, but now we have brand new phones and it still happens.

set protocols dot1x authenticator authentication-profile-name ClearPass-Radius
set protocols dot1x authenticator interface All-dot1x-Ports supplicant multiple
set protocols dot1x authenticator interface All-dot1x-Ports transmit-period 5
set protocols dot1x authenticator interface All-dot1x-Ports mac-radius
set protocols dot1x authenticator interface All-dot1x-Ports reauthentication 3600
set protocols dot1x authenticator interface All-dot1x-Ports server-timeout 3
set protocols dot1x authenticator interface All-dot1x-Ports maximum-requests 3
set protocols dot1x authenticator interface All-dot1x-Ports server-fail use-cache

ge-0/0/4.0    Authenticator  Authenticated

show lldp neighbors
Oct 15 12:58:16
Local Interface    Parent Interface    Chassis Id    Port info    System Name
ge-0/0/4.0         -                   0.0.0.0       1            Polycom VVX 411

If you reboot the phone (hard or soft), if you restart dot1x on the switch this happens. Above is the after; here is the before:

ge-0/0/4.0 Authenticator Authenticated 64:16:7F:27:BD:99 64167f27bd99
ge-0/0/4.0 Authenticated FC:4D:D4:F4:87:FE

We have a packet capture showing the phone send the MAC to the switch, but it looks like the switch ignores it.

This only happens if a PC is plugged into the phone.


Re: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

‎10-16-2018 09:31 AM

Further testing shows that dropping the port out of the range and manually configuring it makes the issue stop.

However, if we do this to the entire switch, the problem comes back again.

Checked TCAM and it seems fine.

Re: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

‎12-04-2018 03:28 PM

Working with Juniper on this is ongoing, but I wanted to update.

Juniper found a bug: if we remove the lo0 filter (protect RE), the device connected fine. This is our protect RE filter and is NOT set to block L2 packets. We found that moving the filter to an L3 interface on the switch allows the devices to work; however, you have to add the filter to every L3 interface to protect the switch. We only have one L3, so for now it is a workaround for us.

Juniper was able to recreate this in the lab and we are waiting on them to get back to us.

They are not yet sure if this is a hardware issue, a software issue, or a combo. We have tried 12, 14, and 15 code on the 2200 and the issue still happens.

We fully tested an EX3400 and it DOES NOT have this issue.

Re: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

‎12-14-2018 09:15 AM

Update:

Juniper has sent a one-off OS to try that fixes the issue; we are waiting on a time frame for the official release.

Re: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

‎01-02-2019 08:37 AM

Update for anyone that may be searching Google for this:

Juniper notified us that 12.3R12-S12 will include the fix.

Re: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

‎01-02-2019 12:38 PM

Did anyone provide you a Juniper PR number?  Just wondering.  Thanks

Re: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

‎01-02-2019 03:00 PM

@rccpgm wrote:

Did anyone provide you a Juniper PR number?  Just wondering.  Thanks


We did not get a PR number yet 

Re: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

‎01-03-2019 01:05 PM

@Andrewmiller wrote:

@rccpgm wrote:

Did anyone provide you a Juniper PR number?  Just wondering.  Thanks

We did not get a PR number yet

Looks like 1332957?

https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1332957

Re: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

‎01-03-2019 01:26 PM

Yes, that looks to be the one.  I see the PR is applied to every code stream.  Although the original PR was opened against EX4300 (which does not support 12.3), it appears the situation affected any/all products that can run 802.1x, so the same fix was applied to 12.3 for EX2200/3300/4200.

Thanks

Re: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

‎01-03-2019 01:34 PM

That is not it; it only affects the non-ELS switches.

I requested the PR number from TAC since the search is broken.

Re: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

‎01-09-2019 09:15 AM

Update from Juniper:

PR num is 1401915.

12.3R12-S13 is the fix release now.

Re: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

‎01-09-2019 10:36 AM

From what I can tell, the change is most likely applicable to any Juniper device that supports 802.1x with multiple supplicants, and the change is across all code streams, 12.3 and beyond.  As for the situation:

On EX2200/EX3200/EX3300/EX4200,  when interface is enabled dot1x multiple supplicant mode and there is a firewall filter configured on loopback interface, MAC learning for unknown source might be dropped which causes dot1x authentication issue.

Just FYI.
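
The condition described above (dot1x multiple-supplicant mode together with a firewall filter on the loopback interface) can be checked for in a saved `show configuration | display set` dump. This is an added example, not part of the original thread or any Juniper tooling; the filter name `protect-RE`, the member-range and the function names are assumptions, and it checks configuration only, not platform or Junos release.

```python
import re

# Constructed sample in `show configuration | display set` form. The dot1x lines
# mirror the thread; the filter name "protect-RE" and the member-range are assumed.
SAMPLE = """\
set interfaces interface-range All-dot1x-Ports member-range ge-0/0/0 to ge-0/0/47
set interfaces lo0 unit 0 family inet filter input protect-RE
set protocols dot1x authenticator interface All-dot1x-Ports supplicant multiple
set protocols dot1x authenticator interface All-dot1x-Ports mac-radius
"""

DOT1X_MULTI = re.compile(
    r"^set protocols dot1x authenticator interface (\S+) supplicant multiple$")
LO0_FILTER = re.compile(
    r"^set interfaces lo0 unit (\d+) family (\S+) filter input(?:-list)? (\S+)$")

def _active_set_lines(config_text):
    """Yield `set` lines that are not covered by a `deactivate <path>` line."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    off = [ln[len("deactivate "):] for ln in lines if ln.startswith("deactivate ")]
    for ln in lines:
        if not ln.startswith("set "):
            continue
        body = ln[len("set "):]
        if any(body == p or body.startswith(p + " ") for p in off):
            continue  # statement is inactive, so it does not apply
        yield ln

def audit(config_text):
    """Report whether both halves of the condition described in the thread are set."""
    ports, filters = set(), set()
    for ln in _active_set_lines(config_text):
        if m := DOT1X_MULTI.match(ln):
            ports.add(m.group(1))
        elif m := LO0_FILTER.match(ln):
            filters.add((f"lo0.{m.group(1)}", m.group(2), m.group(3)))
    return {
        "affected_config": bool(ports and filters),
        "dot1x_multiple": sorted(ports),
        "lo0_filters": sorted(filters),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A switch that reports `affected_config` as true and runs a release older than the fixed ones named in this thread is a candidate for the upgrade or the filter-relocation workaround.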

Solution
Accepted by topic author Andrewmiller
a week ago

Re: ex2200/3300 VOIP phone does not DOT1x with pc plugged in

a week ago

They updated it:

Resolved In 12.3R13 15.1R8