Everything Instant On

Hello,
I have an Aruba Instant On 1930 switch and Grandstream IP phones. I want phones to be placed in Voice VLAN through RADIUS (NPS/802.1X), but it doesn't work correctly:

• When Voice VLAN membership is enabled on the port, the phone loses network and DHCP.

• When Voice VLAN is disabled, the phone works (manual VLAN or DHCP ).

• Switch always sends the device to RADIUS, even if VLAN Authentication for voice vlan is disabled.

PAP is not allowed in my environment, so I want to use 802.1X (PEAP/TLS) with Active Directory.
Has anyone configured 1930 + RADIUS + Voice VLAN successfully? Any best practices or reference configs would be appreciated.

Thanks!

Do you have cloud or local managed switch? 

In port profile you should select Client based authentication and deselect all vlans except native vlan. Your RADIUS server need to provide correct vlan when authenticated.

Authentication (dot1x or mac) will always take place any your RADIUS server need to provide access/accept and vlan response. 

You can set the port to device mode and in this case the first device that gets online on the port will do the authentication and all other devices will share the same vlan and authentication. This is most probably not the scenario you want. 

The best way is to enable dot1x authentication on phones and it should work.

Best, Gorazd

Hello,
I have an Aruba Instant On 1930 switch and Grandstream IP phones. I want phones to be placed in Voice VLAN through RADIUS (NPS/802.1X), but it doesn't work correctly:

• When Voice VLAN membership is enabled on the port, the phone loses network and DHCP.

• When Voice VLAN is disabled, the phone works (manual VLAN or DHCP ).

• Switch always sends the device to RADIUS, even if VLAN Authentication for voice vlan is disabled.

PAP is not allowed in my environment, so I want to use 802.1X (PEAP/TLS) with Active Directory.
Has anyone configured 1930 + RADIUS + Voice VLAN successfully? Any best practices or reference configs would be appreciated.

Thanks!

Thank you for your answer!

We are using a locally managed Instant On 1930 (not cloud).

Returning to your answer, I would like to clarify our scenario:

• What if we have more than 5000 phones in the environment?

• Phones should initially bypass 802.1X (so they can download their provisioning/configuration from the PBX server).

• After provisioning, the phones should then perform 802.1X authentication and move into the correct VLAN.

• On the same ports, there are also PCs connected behind the phones, and those PCs already use 802.1X authentication.

How can we achieve this scenario on the Instant On 1930?
Is there any recommended way to support both stages (pre-provisioning + 802.1X) for large numbers of phones together with PCs?

Do you have cloud or local managed switch? 

In port profile you should select Client based authentication and deselect all vlans except native vlan. Your RADIUS server need to provide correct vlan when authenticated.

Authentication (dot1x or mac) will always take place any your RADIUS server need to provide access/accept and vlan response. 

You can set the port to device mode and in this case the first device that gets online on the port will do the authentication and all other devices will share the same vlan and authentication. This is most probably not the scenario you want. 

The best way is to enable dot1x authentication on phones and it should work.

Best, Gorazd

Hello,
I have an Aruba Instant On 1930 switch and Grandstream IP phones. I want phones to be placed in Voice VLAN through RADIUS (NPS/802.1X), but it doesn't work correctly:

• When Voice VLAN membership is enabled on the port, the phone loses network and DHCP.

• When Voice VLAN is disabled, the phone works (manual VLAN or DHCP ).

• Switch always sends the device to RADIUS, even if VLAN Authentication for voice vlan is disabled.

PAP is not allowed in my environment, so I want to use 802.1X (PEAP/TLS) with Active Directory.
Has anyone configured 1930 + RADIUS + Voice VLAN successfully? Any best practices or reference configs would be appreciated.

Thanks!

You are using NPS as RADIUS server. I can't help with it. In Clearpass you should do a MAC authentication first and onboard the device and then dot1x authentication when it is available. 

Maybe it will also work with NPS.

So factory phone should do a mac authentication and get on onboarding vlan where it can configure itself. It's more NAC system functionality than switch functionality. 

When it is configured, it should use dot1x authentication to get correct vlan.

Best, Gorazd

Thank you for your answer!

We are using a locally managed Instant On 1930 (not cloud).

Returning to your answer, I would like to clarify our scenario:

• What if we have more than 5000 phones in the environment?

• Phones should initially bypass 802.1X (so they can download their provisioning/configuration from the PBX server).

• After provisioning, the phones should then perform 802.1X authentication and move into the correct VLAN.

• On the same ports, there are also PCs connected behind the phones, and those PCs already use 802.1X authentication.

How can we achieve this scenario on the Instant On 1930?
Is there any recommended way to support both stages (pre-provisioning + 802.1X) for large numbers of phones together with PCs?

Do you have cloud or local managed switch? 

In port profile you should select Client based authentication and deselect all vlans except native vlan. Your RADIUS server need to provide correct vlan when authenticated.

Authentication (dot1x or mac) will always take place any your RADIUS server need to provide access/accept and vlan response. 

You can set the port to device mode and in this case the first device that gets online on the port will do the authentication and all other devices will share the same vlan and authentication. This is most probably not the scenario you want. 

The best way is to enable dot1x authentication on phones and it should work.

Best, Gorazd

Hello,
I have an Aruba Instant On 1930 switch and Grandstream IP phones. I want phones to be placed in Voice VLAN through RADIUS (NPS/802.1X), but it doesn't work correctly:

• When Voice VLAN membership is enabled on the port, the phone loses network and DHCP.

• When Voice VLAN is disabled, the phone works (manual VLAN or DHCP ).

• Switch always sends the device to RADIUS, even if VLAN Authentication for voice vlan is disabled.

PAP is not allowed in my environment, so I want to use 802.1X (PEAP/TLS) with Active Directory.
Has anyone configured 1930 + RADIUS + Voice VLAN successfully? Any best practices or reference configs would be appreciated.

Thanks!