IP Phone gets IP in voice vlan very slowly because of 802.1x authentication

Publication Date: 2016-10-26
Issue Description

The customer connected an IP Phone to a Huawei S5700 switch and configured NAC authentication. After that, the customer found that the IP Phone obtained an IP address in the data VLAN quickly, but took a long time to obtain an IP address in the voice VLAN.

The configuration of the port connected to the IP Phone is as follows.
interface GigabitEthernet0/0/15
port link-type hybrid
voice-vlan X enable
port hybrid pvid vlan X
port hybrid tagged vlan XX
port hybrid untagged vlan X
stp bpdu-filter enable
stp edged-port enable
domain name X dot1x force
domain name X mac-authen force
authentication dot1x mac-authen
dot1x unicast-trigger
dot1x reauthenticate
mac-authen timer reauthenticate-period 60
multicast-suppression 50

Handling Process

1. Checked the configuration initially and found nothing abnormal.

2. Since the IP Phone could not obtain an IP address in the voice VLAN quickly, captured packets on the port connected to the IP Phone to analyze the DHCP process.
From the DHCP exchange we could see that:
a. The IP Phone obtained an IP address in the data VLAN normally and released the data IP successfully.
b. After that, the IP Phone kept sending DHCP Request and DHCP Discover messages to request a new IP address in the voice VLAN. However, there was no reply from the DHCP server.
c. After around 60 minutes, the DHCP server responded with Offer packets and the IP Phone could obtain a voice IP address.

3. Based on the above analysis, we could confirm that the DHCP server did not respond to the IP Phone's requests in time, which caused the delay.
There were two possible reasons:
a. The S5700 did not forward the DHCP Request/Discover correctly.
b. The upstream network did not forward the DHCP Request/Discover correctly.

4. Further analysis of the packet capture revealed one interesting point.
After the IP Phone released the data IP, there was an 802.1x authentication failure record. After three failures, the IP Phone could obtain the voice IP.
Confirmed with the customer that they were using MAC authentication for the IP Phone. However, in this configuration dot1x authentication takes priority over MAC authentication: if multiple authentication modes are enabled, they take effect in the sequence in which they are configured.

5. So far, we could conclude that dot1x authentication delays the DHCP process. Since the customer needs to keep dot1x authentication for PCs, the following solution was provided.
Decreased the dot1x authentication timers as follows, and the problem was solved.
[HUAWEI]dot1x timer client-timeout 3
[HUAWEI]dot1x timer tx-period 3

Root Cause

If multiple authentication modes are enabled, the authentication modes take effect in the sequence they are configured.

In our case, dot1x authentication takes priority over MAC authentication.

Solution
Decreased the dot1x authentication timers as follows, and the problem was solved.
[HUAWEI]dot1x timer client-timeout 3
[HUAWEI]dot1x timer tx-period 3

END