MVP
Posts: 1,110
Registered: ‎10-11-2011

MAS: VoIP profile for untrusted port

I'm troubleshooting an issue with Polycom phones not being placed in the voice VLAN after authenticating on untrusted MAS ports. As the MAS guide states, you can't apply a VOIP profile in an interface group if the port is untrusted, so we're sending a phone role from ClearPass that includes a reference to a VOIP profile that already exists on the switch. The phone stays in the VLAN specified in the interface group's switching profile and never switches over to the voice VLAN. If you look up the MAC in the MAC table, it says the MAC is in the voice VLAN, yet if you 'show arp' the MAC is in the switching profile's VLAN.

Before we switched to untrusted ports, these phones worked on the VOIP VLAN flawlessly. The VOIP profile had static mode set and was applied to the interface group's switching profile. Not sure why doing authentication on the ports has introduced a problem. We're doing exactly as the user guide instructs: send a role to the switch and specify the VOIP profile in the role. Not sure what else there is to do. I'm wondering if this is a bug. Any thoughts?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 8,457
Registered: ‎09-08-2010

Re: MAS: VoIP profile for untrusted port

Why not just return a PHONE-ROLE with the VLAN attached?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: MAS: VoIP profile for untrusted port

The phone may have a workstation plugged into it and we want VLAN separation of the two devices.

Guru Elite
Posts: 8,457
Registered: ‎09-08-2010

Re: MAS: VoIP profile for untrusted port

The workstation will then authenticate as well and get a VLAN based on auth.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: MAS: VoIP profile for untrusted port

So then what's the point of using a VoIP profile on an untrusted port? I assumed this was the only way to associate two devices on the same port to different VLANs.

Still though, the point is that this should work but it doesn't. :(
