Junos

LLDP-MED and 802.1x

05-29-2019 07:42 PM

Hi, how does LLDP-MED work/interact with 802.1x? I was under the impression that when a port is configured in multiple supplicant mode, phones would also be required to be authenticated over 802.1x. This doesn't seem to be the case; it looks like when I connect a phone, LLDP-MED pushes configuration to the phone and the phone comes online even though 802.1x hasn't been enabled on the phone. Am I missing something? My configuration looks as follows.

interfaces {
    ge-0/0/8 {
        description "DOT1X with voip id";
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                storm-control default;
            }
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name radius-corp-auth;
            no-mac-table-binding;
            interface {
                ge-0/0/8.0 {
                    supplicant multiple;
                    transmit-period 10;
                    reauthentication 14400;
                    supplicant-timeout 5;
                    guest-vlan 169;
                    server-reject-vlan 169;
                    server-fail vlan-name 169;
                }
            }
        }
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
switch-options {
    voip {
        interface ge-0/0/8.0 {
            vlan 160;
            forwarding-class assured-forwarding;
        }
    }
}

Any help/hint appreciated, thanks!

Re: LLDP-MED and 802.1x

05-29-2019 08:38 PM

Hi Paul,

Yes, supplicant multiple is supposed to authenticate every user; however, is the phone sitting in the guest VLAN? As you have the guest VLAN set up the same as an authenticated dot1x user, you might not be seeing a difference. Please check the following:

show dot1x interface ge-0/0/8.0 detail

show ethernet-switching interfaces ge-0/0/8

Please double-check that the configuration matches the required one:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/bridging-and-vlans.html#id-exampl...

Hope this helps.

Regards,
-r.

Re: LLDP-MED and 802.1x

05-30-2019 05:46 AM

No, the voice VLAN is 160 while the guest VLAN is 169.

To me it looks like LLDP-MED passes information prior to 802.1x authentication; therefore the phone is placed within the VoIP VLAN, even though it never got authenticated.

{master:0}
admin.paulin@wlt4-luctesting-01> show dhcp-security binding interface ge-0/0/8
IP address        MAC address         Vlan     Expires State   Interface
10.250.160.163    00:04:f2:8b:0e:eb   voip     690788  BOUND   ge-0/0/8.0

{master:0}
admin.paulin@wlt4-luctesting-01> show dot1x interface ge-0/0/8.0 detail
ge-0/0/8.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 10 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Reauthentication interval: 14400 seconds
  Supplicant timeout: 5 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: 169
  Number of connected supplicants: 1
    Supplicant: No User, 00:04:F2:8B:0E:EB
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentication method: GuestVlan
      Authenticated VLAN: users_guests
      Session Reauth interval: 14400 seconds
      Reauthentication due in 0 seconds

{master:0}
admin.paulin@wlt4-luctesting-01> show ethernet-switching interface ge-0/0/8.0
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop,
                         LH - MAC limit hit, DN - interface down,
                         MMAS - Mac-move action shutdown,
                         SCTL - shutdown by Storm-control )

Logical          Vlan          TAG     MAC         STP         Logical           Tagging
interface        members               limit       state       interface flags
ge-0/0/8.0                             16384                                      tagged,untagged
                 default       1       16384       Forwarding                     untagged
                 voip          160     16384       Forwarding                     tagged
                 users_guests  169     16384       Forwarding                     untagged
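An audit check for the situation shown in the two outputs above, added here as an example and not part of any post in the thread: it parses the `show dot1x interface ... detail` and `show dhcp-security binding` output and flags any MAC that holds a DHCP lease in the voice VLAN while its 802.1x session outcome is guest VLAN, server-fail, server-reject, or no session at all. The sample text is constructed from the thread's output, and the set of non-RADIUS method strings is an assumption about Junos wording.

```python
import re

# Constructed samples modelled on the thread's show output (trimmed to relevant lines)
DOT1X_DETAIL = """\
ge-0/0/8.0
  Number of connected supplicants: 1
    Supplicant: No User, 00:04:F2:8B:0E:EB
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentication method: GuestVlan
      Authenticated VLAN: users_guests
"""
DHCP_BINDINGS = """\
IP address        MAC address         Vlan     Expires State   Interface
10.250.160.163    00:04:f2:8b:0e:eb   voip     690788  BOUND   ge-0/0/8.0
"""
# Assumed wording of non-RADIUS outcomes in "Authentication method:"; "none" = no session
NOT_AUTHENTICATED = {"GuestVlan", "ServerFail", "ServerReject", "none"}

def parse_supplicants(text):
    """Map lower-case MAC -> {'user', 'method', 'vlan'} from dot1x detail output."""
    supplicants, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Supplicant: (.+), ([0-9A-Fa-f:]{17})$", line)
        if m:
            current = m.group(2).lower()
            supplicants[current] = {"user": m.group(1).strip()}
            continue
        # "Backend Authentication state" does not match: the pattern is anchored after whitespace
        m = re.match(r"\s*(Authentication method|Authenticated VLAN): (.+)$", line)
        if m and current:
            key = "method" if m.group(1) == "Authentication method" else "vlan"
            supplicants[current][key] = m.group(2).strip()
    return supplicants

def parse_bindings(text):
    """Map lower-case MAC -> VLAN name from dhcp-security binding output (header skipped)."""
    rows = (line.split() for line in text.splitlines()[1:])
    return {r[1].lower(): r[2] for r in rows if len(r) >= 3}

def unauthenticated_voice_hosts(dot1x_text, binding_text, voice_vlan="voip"):
    """MACs holding a lease in the voice VLAN without a RADIUS-authenticated 802.1x session."""
    supplicants = parse_supplicants(dot1x_text)
    findings = []
    for mac, vlan in parse_bindings(binding_text).items():
        method = supplicants.get(mac, {}).get("method", "none")
        if vlan == voice_vlan and method in NOT_AUTHENTICATED:
            findings.append((mac, method))
    return findings
```

Run against the thread's output, it reports the phone's MAC with outcome GuestVlan, which is exactly the case the poster is worried about.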

Re: LLDP-MED and 802.1x

05-30-2019 05:30 PM

This behavior seems to be expected to me, as per the following statement:

NOTE

If the IP address isn't configured on the Avaya IP phone, the phone exchanges LLDP-MED information to get the VLAN ID for the voice VLAN. You must configure the voip statement on the interface to designate the interface as a VoIP interface and allow the switch to forward the VLAN name and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses the voice VLAN (that is, it references the voice VLAN’s ID) to send a DHCP discover request and exchange information with the DHCP server (voice gateway).


Source: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/802-1x-and-voip-on-switches.html#...

Re: LLDP-MED and 802.1x

05-31-2019 09:03 PM

Yeah, I have seen that; however, to me that doesn't make any sense! Isn't it against security to permit a non-802.1x phone to exchange LLDP-MED, get VLAN information and grab an IP? Anyhow, I guess I'll try to open a ticket with support and see if I missed something or whether that is really expected.