u/Serious_Operation196

Hey guys, I'm working on an 802.1X deployment and hoping someone has seen this before.

Setup is an Aruba CX 6300F, PacketFence, and Mitel 6900 phones. The phone authenticates fine via EAP-TLS on the voice VLAN.

If I plug a PC directly into the switch, 802.1X works instantly. But if the PC is daisy-chained behind the Mitel, it fails.

I did a SPAN capture on the switch port. I can see the switch sending the EAP Request Identity. A local capture on the PC shows the PC is sending the EAP Response back. BUT the SPAN capture proves the switch never receives the response. The Mitel phone's internal switch is completely swallowing the upstream EAPOL multicast frame (01:80:c2:00:00:03).

Port is in client-mode (default on CX). I've got "eapol forward: 1" in my Mitel TFTP config, but it's not helping. Did anyone ever find the magic TFTP parameter to make the Mitel 6900 PC port truly transparent for 802.1X? Or is it a known firmware bug?

Thanks!

reddit.com
u/Serious_Operation196 — 8 days ago

Hi everyone,

I'm currently deploying an 802.1X architecture and I'm facing a wall with daisy-chained PCs behind Mitel IP phones. I'm hoping someone here has successfully configured this specific hardware combo.

The Environment:

  • Switch: Aruba CX 6300F
  • RADIUS: PacketFence
  • IP Phone: Mitel 6900 series (using TFTP configuration)
  • Client: Windows PC
  • Auth Protocol: EAP-TLS for the Phone (Voice VLAN 50), 802.1X for the PC (Data VLAN 100).

The Goal: Authenticate both the Mitel phone and the PC behind it on the same switch port using multi-domain / client-limit.

What works perfectly:

  1. The Mitel phone authenticates flawlessly via EAP-TLS and is dynamically placed in VLAN 50.
  2. If I bypass the phone and plug the PC directly into the switch port, the PC authenticates instantly and gets VLAN 100. (This confirms my switch port and RADIUS configs are 100% correct).

The Issue: When the PC is daisy-chained behind the Mitel phone, the 802.1X process fails. Looking at packet captures:

  • The switch sends the EAP Request, Identity.
  • The Mitel forwards it to the PC.
  • The PC instantly sends the EAP Response, Identity.
  • The switch seems to never receive the response from the PC (it keeps sending Request, Identity in a loop until timeout).

What I've already tried / ruled out:

  • Switch limits: The Aruba port is set to client-limit 3.
  • Race Conditions: I completely disabled mac-auth on the port to ensure the 802.1X process isn't being superseded by a MAC-auth failure.
  • Mitel TFTP Config: In my configuration file, I've used eapol forward: 1. I also tried adding/removing pc port vlan: 0 and pc port priority: 0 (and tag pc port: 0), but the upstream traffic from the PC still seems to die at the phone.

My Hypothesis: The internal switch of the Mitel phone is actively filtering/dropping the upstream EAPOL response (multicast MAC 01:80:c2:00:00:03) from the PC instead of bridging it transparently to the Aruba switch.

Has anyone successfully made the PC port of a Mitel 6900 truly transparent for 802.1X? Are there any hidden or undocumented TFTP parameters for these phones regarding EAPOL pass-through?

Thanks in advance for any insights!

u/Serious_Operation196 — 9 days ago
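Added example (not the poster's code): a small Python checker for the capture comparison both posts describe. It parses EAPOL/EAP frames from a PC-side capture and from the switch SPAN capture and lists the EAP Responses the PC transmitted that never appeared upstream. The MAC addresses and frames are constructed for the example; it assumes raw Ethernet frame bytes as input (e.g. exported from a pcap).

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address named in the post
ETHERTYPE_EAPOL = 0x888E
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}

@dataclass(frozen=True)
class EapEvent:
    src: str                 # source MAC of the frame
    code: str                # Request / Response / Success / Failure
    ident: int               # EAP identifier, pairs a Response with its Request
    eap_type: Optional[str]  # only meaningful for Request/Response

def parse_eapol(frame: bytes) -> Optional[EapEvent]:
    """Decode one Ethernet frame; return its EAP event, or None if it carries no EAP packet."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _ver, pkt_type, body_len = struct.unpack("!BBH", frame[14:18])
    if pkt_type != 0:  # EAPOL-Start, Logoff and Key frames carry no EAP packet
        return None
    body = frame[18:18 + body_len]
    if len(body) < 4:
        return None
    code, ident, _length = struct.unpack("!BBH", body[:4])
    eap_type = EAP_TYPES.get(body[4]) if code in (1, 2) and len(body) > 4 else None
    return EapEvent(frame[6:12].hex(":"), EAP_CODES.get(code, "Unknown"), ident, eap_type)

def eapol_frame(src: bytes, code: int, ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """Build an EAPOL EAP-Packet frame addressed to the PAE group MAC (constructed test data)."""
    eap = struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([eap_type]) + data
    return PAE_GROUP_MAC + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, 0, len(eap)) + eap

def missing_upstream(pc_side: List[bytes], span_side: List[bytes], pc_mac: str) -> List[EapEvent]:
    """EAP Responses the PC sent that never show up in the switch-side SPAN capture."""
    seen = {e for f in span_side if (e := parse_eapol(f)) is not None}
    return [e for f in pc_side
            if (e := parse_eapol(f)) is not None
            and e.src == pc_mac and e.code == "Response" and e not in seen]
# Constructed sample captures (hypothetical MACs) mirroring the symptom in the post:
# the switch keeps sending Request/Identity, the PC answers, the SPAN never sees the answers.
SWITCH_MAC, PC_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
PC_CAPTURE = [eapol_frame(SWITCH_MAC, 1, 1, 1), eapol_frame(PC_MAC, 2, 1, 1, b"pc01"),
              eapol_frame(SWITCH_MAC, 1, 2, 1), eapol_frame(PC_MAC, 2, 2, 1, b"pc01")]
SPAN_CAPTURE = [eapol_frame(SWITCH_MAC, 1, 1, 1), eapol_frame(SWITCH_MAC, 1, 2, 1)]

def diagnose() -> List[EapEvent]:
    return missing_upstream(PC_CAPTURE, SPAN_CAPTURE, PC_MAC.hex(":"))
```

An empty result from `diagnose()` on real captures would mean the phone is bridging the PC's EAPOL frames and the problem lies elsewhere (switch-side authenticator state or client-limit); a non-empty result confirms the frames are lost between the PC port and the switch.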