Cisco phones losing connectivity with VMPS and IOS upgrade to 15.0(1)SE2

Brian Julin BJulin at clarku.edu
Fri Jun 1 16:25:25 CEST 2012



> Kaya Saman
> Sent: Friday, June 01, 2012 10:05 AM
> To: FreeRadius users mailing list
> Subject: Re: Cisco phones losing connectivity with VMPS and IOS upgrade to
> 15.0(1)SE2
> 
> On Thu, May 31, 2012 at 3:45 PM, Brian Julin <BJulin at clarku.edu> wrote:
> >
> >
> >> Kaya Saman wrote:
> >> I will perform a wireshark and tcpdump packet capture this evening in
> >> order to try to debug more clearly what is going on between the
> >> devices; however, in the meantime I was wondering if there were some
> >> sort of interoperability quirks between newer Cisco IOS releases and
> >> FreeRADIUS (VMPS)?
> >
> > Likely Cisco decided to change the way they interpret the
> > tunnel-group-id attribute.
> >
> > There are two ways to pass this attribute (normally, and using a
> > cisco vendor specific attribute.)
> >
> > There are three ways the switch may interpret the string contained
> > therein.
> >
> > 1) numerically
> > 2) vlan name
> > 3) vlan group name
> >
> >> Can anyone suggest anything?
> >
> > Play with different combinations of the above.
> >
> > Also verify that all the global and interface commands which are
> > applied on a working 12.2 switch remain applied on 15.0.  Sometimes
> > command syntax changes and the commands get rejected on upgrade.
> >
> >
> 
> 
> Thanks for the information.
> 
> I will have a look at the tunnel-group-id attribute.

Actually now that I've looked up "VMPS" I doubt it is in use.  Also
my bad, it's "tunnel-private-group-id".

VMPS is widely considered deprecated, in favor of dot1x+mab.
If you're having trouble moving forward on upgrades, it might
be a good time to consider modernizing.

However, if you are also using the more basic non-auth-related
first-hop security features such as ip sourceguard+port-security,
I would recommend you steer clear of the 15 release train
for now; it has issues.
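
An added example, not part of the original thread: a Python decoder for the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) that a RADIUS Access-Accept uses for VLAN assignment under RFC 3580. It can be run over the attribute bytes from a packet capture to see whether the server sends the VLAN string as a number or as a name. The function names and the sample VLAN values are constructed for illustration.

```python
# Added example: names and sample VLAN values are constructed for illustration.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # values RFC 3580 specifies for VLAN assignment


def encode_vlan_attrs(vlan: str, tag: int = 0) -> bytes:
    """Build the three tunnel attributes as they appear on the wire."""
    out = b""
    for attr, value in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        out += bytes([attr, 6, tag]) + value.to_bytes(3, "big")
    # In the string attribute the tag octet is optional; omit it when tag is 0.
    body = (bytes([tag]) if tag else b"") + vlan.encode("ascii")
    return out + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body


def decode_vlan_attrs(attrs: bytes) -> dict:
    """Walk type/length/value attributes and pick out the tunnel ones."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError(f"malformed attribute at offset {i}")
        attr, value = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[attr] = int.from_bytes(value[1:], "big")  # skip tag octet
        elif attr == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet <= 0x1F is a tag; anything larger is string data.
            text = value[1:] if value[0] <= 0x1F else value
            found[attr] = text.decode("ascii", "replace")
        i += attrs[i + 1]
    return found


def classify(attrs: bytes) -> str:
    """Report which form of VLAN string the server is sending."""
    found = decode_vlan_attrs(attrs)
    if found.get(TUNNEL_TYPE) != VLAN or found.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        return "incomplete: Tunnel-Type/Tunnel-Medium-Type missing or wrong"
    vlan = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if not vlan:
        return "incomplete: no Tunnel-Private-Group-Id"
    if vlan.isdigit():
        return f"numeric VLAN ID {int(vlan)}"
    return f"VLAN name or VLAN group name {vlan!r}"


if __name__ == "__main__":
    for sample in ("20", "VOICE"):  # constructed sample values
        print(sample, "->", classify(encode_vlan_attrs(sample)))
```

A name and a VLAN group name look identical on the wire; which one the switch resolves it to depends on the switch configuration.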



