Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x Auth with IP Phones and Printers

  • 1.  802.1x Auth with IP Phones and Printers

    Posted Oct 30, 2017 09:08 PM

    Looking for some guidance for a ClearPass setup at a financial institution. I have the ClearPass server working and 802.1x Auth working properly for the Windows computers. Unfortunately the computers are connected through the IP phones and this is posing a problem. Although the computers are online and working properly, the phones are not. The client does NOT have an Aruba controller and we are using Aruba 2530 switches. My thought process would be to set up profiling and dump the phones as well as printers into their respective VLANs using an enforcement policy and rules. My wired ports are set up using 802.1x auth for the computers and my thought was to use MAC auth for the phones and printers, BUT I was informed today by Aruba support that having 802.1x auth and MAC auth on the same port isn't possible. WHICH seems wrong. HOW else are people doing this? I cannot be the only one, obviously.



  • 2.  RE: 802.1x Auth with IP Phones and Printers

    EMPLOYEE
    Posted Oct 30, 2017 09:09 PM


  • 3.  RE: 802.1x Auth with IP Phones and Printers

    Posted Oct 30, 2017 09:15 PM

    Thank you! I didn't think so either. I will go through this and post back any questions I encounter.



  • 4.  RE: 802.1x Auth with IP Phones and Printers

    Posted Oct 30, 2017 09:23 PM

    Interesting.  I did not know that I can place roles on the SWITCH itself. 



  • 5.  RE: 802.1x Auth with IP Phones and Printers

    Posted Nov 03, 2017 11:34 AM

    Trying to turn on MAC auth on a per port basis as well but I am getting an error.  Config is below. 

     

     

    radius-server host 10.72.211.26 key "*******"
    radius-server host 10.72.211.26 dyn-authorization
    timesync sntp
    sntp unicast
    sntp server priority 1 10.72.211.16
    snmp-server community "public" unrestricted
    aaa authentication port-access eap-radius
    aaa port-access authenticator 42
    aaa port-access authenticator 42 auth-vid 1
    aaa port-access authenticator 42 unauth-vid 150
    aaa port-access authenticator active

     

    SW1(config)# aaa port-access mac-based 42
    Configuration change denied for port 42.Only Web or Local MAC or
    MAC-authenticator can
    have unauthenticated VLAN enabled if 802.1X authenticator is enabled on the
    same port.Please remove the unauthenticated VLAN from 802.1X authentication
    on this port using the following command:
    "no aaa port-access authenticator <PORT-LIST> unauth-vid"
    Note that you can set unauthenticated VLAN for Web or Local MAC or MAC
    authentication instead.
    SW1(config)#
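
    The switch message above names the blocker: an unauthenticated VLAN on the 802.1X authenticator for the same port. The following is an added example, not part of the original post and not Aruba's own tooling, that scans a saved running-config for that condition and prints the commands that move the unauth VLAN to MAC authentication. It assumes numeric port IDs as on the 2530 and the `aaa port-access mac-based <port> unauth-vid <vid>` form; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the port-access lines from the post, as a config excerpt.
SAMPLE_CONFIG = """\
aaa authentication port-access eap-radius
aaa port-access authenticator 42
aaa port-access authenticator 42 auth-vid 1
aaa port-access authenticator 42 unauth-vid 150
aaa port-access authenticator active
"""

# An 802.1X authenticator line that carries an unauthenticated VLAN.
DOT1X_UNAUTH = re.compile(r"^aaa port-access authenticator (\S+) unauth-vid (\d+)$")


def expand_ports(port_list):
    """Expand a numeric port list such as '1-4,42' into a list of ints."""
    ports = []
    for part in port_list.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports


def find_blockers(config_text):
    """Map port -> 802.1X unauth-vid that makes the switch deny mac-based auth."""
    blockers = {}
    for line in config_text.splitlines():
        m = DOT1X_UNAUTH.match(line.strip())
        if m:
            for port in expand_ports(m.group(1)):
                blockers[port] = int(m.group(2))
    return blockers


def remediation(config_text):
    """Commands that move the unauth VLAN from 802.1X to MAC auth, per the error text."""
    cmds = []
    for port, vid in sorted(find_blockers(config_text).items()):
        cmds.append(f"no aaa port-access authenticator {port} unauth-vid")
        cmds.append(f"aaa port-access mac-based {port}")
        cmds.append(f"aaa port-access mac-based {port} unauth-vid {vid}")
    return cmds


if __name__ == "__main__":
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

    Review the printed commands against the VLAN plan before applying them, since devices that fail MAC authentication will land in the VLAN given as `unauth-vid`.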



  • 6.  RE: 802.1x Auth with IP Phones and Printers

    Posted Nov 03, 2017 11:49 AM

    It should be pretty basic what I want to do. If I can get away with NOT having to create roles on the switches and everything, that would be the preferred solution. I have a Static Host List set up with the MAC addresses entered in. I have a MAC Auth Service set up but in my Access Tracker nothing is showing up with these devices. I am pretty sure I need to turn on MAC Auth on the switch and that is where I am at with the error above. OR I could be down the wrong path :)



  • 7.  RE: 802.1x Auth with IP Phones and Printers

    Posted Nov 09, 2017 11:03 AM

    BUMP