Yealink T27G Not Working With 802.1x Auth After 3cx v14 to v15.5 Upgrade
Author: KM Tire IT Support
Post: #1
I originally posted this on the 3cx forum but they pointed me to the Yealink forum. I don't believe this is specifically a 3cx issue but for whatever reason we noticed the issue about 3 weeks after updating 3cx from v14 to v15.5.

I have Yealink T22P, T28P, and T27G phones. The T27G is being set up on a switch that does not have 802.1x set up. After we set it up and take it to its desk, where 802.1x is set up, the phone won't connect to the network. If I provision an old T28P to the same extension and install it the phone boots and works without issue. If I log into the switch and disable 802.1x the T27G connects and works fine. I've tried the original templates that we've always used and I tried updating the default T27G template that came with 3cx and get the same result.

We are using NPS on Server 2016 for the server that auths phones and PCs. On the NPS server we're seeing the following message. The issue is that all the phones use this account, the configs are the same in each phone template so I'm not sure why only the T27Gs do this:

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: $domaincontroller
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 3035303045324646
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.


The switch we're using is a Cisco SF300. The message we see when debugging the port is:

%SEC-W-SUPPLICANTUNAUTHORIZED: username Yealink with MAC <mac address> was rejected on port fa33 due to wrong user name or password in Radius server

I've tried T27G firmware 69.84.0.10, 69.83.0.20, and the original firmware 69.81.0.106.rom. They all have the issue.

In the Template for the 802.1x configs I see the following configs.
network.802_1x.mode = 3
network.802_1x.identity = Yealink
network.802_1x.md5_password = $mypassword
network.802_1x.root_cert_url = %%PROVLINK%%/TrustCertificatesNorton.cer

When I look at the yealink information I see that the commands should be
static.network.802_1x.mode = 3
static.network.802_1x.identity = Yealink
static.network.802_1x.md5_password = $mypassword
static.network.802_1x.root_cert_url = %%PROVLINK%%/TrustCertificatesNorton.cer

Neither of these configs works and I can't seem to find any other configs that would be the problem. Has anyone run into this problem with Yealinks on 802.1x setups?
10-17-2018 12:09 PM

Author: KM Tire IT Support
Post: #2
RE: Yealink T27G Not Working With 802.1x Auth After 3cx v14 to v15.5 Upgrade
I want to post a follow-up on this to anyone who may see this thread. The 3cx upgrade was just a coincidence. The last batch of T27G phones that got ordered now have different starting digits to the MAC address. I had to update the NPS policy using the Call Station ID. But when I updated it I could not add a 2nd Call Station ID to the policy. I had to edit the original one and update the regex to include both of them. I ended up using the expression 00-15-65-?|80-5E-C0-? to include the format for both MAC address types.
10-18-2018 05:06 PM
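
The follow-up above traces the rejections to a Calling-Station-ID condition that covered only one MAC prefix. The sketch below is an added example, not part of the original thread: it checks a phone inventory against a policy pattern and reports which prefixes the pattern would miss. The single-prefix `OLD_PATTERN`, every full address in `INVENTORY`, the `AA-BB-CC` prefix, and the use of Python's `re.search` as a stand-in for NPS pattern matching are assumptions.

```python
import re
from collections import Counter

# The two prefixes and NEW_PATTERN are quoted from the post. OLD_PATTERN is an
# assumed form of the original single-prefix condition. Every full address in
# INVENTORY is constructed sample data, and AA-BB-CC is a made-up prefix.
OLD_PATTERN = r"00-15-65-?"
NEW_PATTERN = r"00-15-65-?|80-5E-C0-?"
INVENTORY = [
    "00:15:65:aa:bb:01",
    "0015.65aa.bb02",
    "80-5E-C0-11-22-33",
    "805ec0112234",
    "aa:bb:cc:00:00:01",
]

def normalize(mac):
    """Return a MAC as upper-case, hyphen-separated octets (AA-BB-CC-DD-EE-FF).

    Assumption: this is the form the switch sends as Calling-Station-ID,
    matching the hyphenated prefixes used in the policy expression.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def missing_ouis(pattern, macs):
    """Count, per prefix, the addresses the policy pattern would not match.

    Assumption: the condition is applied as an unanchored search, which
    re.search mirrors for the simple syntax used here.
    """
    rx = re.compile(pattern)
    misses = Counter()
    for mac in macs:
        station_id = normalize(mac)
        if not rx.search(station_id):
            misses[station_id[:8]] += 1  # first three octets, e.g. 80-5E-C0
    return dict(misses)

if __name__ == "__main__":
    for label, pattern in (("old", OLD_PATTERN), ("new", NEW_PATTERN)):
        print(label, pattern, "->", missing_ouis(pattern, INVENTORY))
```

Running the same check against a purchase list before a new batch of phones is deployed shows whether the policy expression needs another prefix.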