Occasional Contributor II

802.1x Auth with IP Phones and Printers

Looking for some guidance for a Clearpass setup at a financial institution. I have the Clearpass server working and 802.1x Auth working properly for the Windows computers. Unfortunately the computers are connected through the IP phones and this is posing a problem. Although the computers are online and working properly the phones are not. The client does NOT have an aruba controller and we are using Aruba 2530 switches. My thought process would be to setup profiling and dumping the phones as well as printers into their respective VLANs using an enforcement policy and rules. My wired ports are setup using 802.1x auth for the computers and my thought was to use MAC auth for the phones and printers BUT I was informed today by Aruba support that having 802.1x auth and MAC auth on the same port isn't possible. WHICH seems wrong. HOW else are people doing this. I cannot be the only one obviously.

Guru Elite

Re: 802.1x Auth with IP Phones and Printers

That's completely false.


Start here: http://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161
Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: 802.1x Auth with IP Phones and Printers

Thank you! I didn't think so either. I will go through this and post back any questions I encounter.

Occasional Contributor II

Re: 802.1x Auth with IP Phones and Printers

Interesting.  I did not know that I can place roles on the SWITCH itself. 

Occasional Contributor II

Re: 802.1x Auth with IP Phones and Printers

Trying to turn on MAC auth on a per port basis as well but I am getting an error. Config is below.

radius-server host 10.72.211.26 key "*******"
radius-server host 10.72.211.26 dyn-authorization
timesync sntp
sntp unicast
sntp server priority 1 10.72.211.16
snmp-server community "public" unrestricted
aaa authentication port-access eap-radius
aaa port-access authenticator 42
aaa port-access authenticator 42 auth-vid 1
aaa port-access authenticator 42 unauth-vid 150
aaa port-access authenticator active
SW1(config)# aaa port-access mac-based 42
Configuration change denied for port 42.Only Web or Local MAC or
MAC-authenticator can
have unauthenticated VLAN enabled if 802.1X authenticator is enabled on the
same port.Please remove the unauthenticated VLAN from 802.1X authentication
on this port using the following command:
"no aaa port-access authenticator <PORT-LIST> unauth-vid"
Note that you can set unauthenticated VLAN for Web or Local MAC or MAC
authentication instead.
SW1(config)#
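
Added example (not from the poster's configuration): the port 42 sequence the 2530 error message above is asking for, with the unauthenticated VLAN moved from the 802.1X authenticator onto the MAC authenticator so both can coexist on the port. Port 42 and VLANs 1/150 are taken from the posted config; the assumption is that ClearPass will override these static VLANs with its own RADIUS-returned VLAN once the MAC Auth service matches the phones and printers.

```text
; Remove the unauthenticated VLAN from 802.1X on port 42 (required by the switch
; before MAC auth can be enabled on the same port)
no aaa port-access authenticator 42 unauth-vid
; Enable MAC-based authentication on the same port
aaa port-access mac-based 42
; Put the unauthenticated VLAN on the MAC authenticator instead (VLAN 150 from the post)
aaa port-access mac-based 42 unauth-vid 150
; Assumed: same default authorized VLAN as the 802.1X authenticator already uses
aaa port-access mac-based 42 auth-vid 1
```

With this in place, a phone that fails 802.1X falls through to MAC auth, and its request should then appear in Access Tracker against the MAC Auth service.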

Occasional Contributor II

Re: 802.1x Auth with IP Phones and Printers

It should be pretty basic what I want to do. If I can get away with NOT having to create roles on the switches and everything, that would be the preferred solution. I have a Static Host list setup with the MAC addresses entered in. I have a MAC Auth Service setup but in my access tracker nothing is showing up with these devices. I am pretty sure I need to turn on Mac Auth on the switch and that is where I am at with the error above. OR I could be down the wrong path :)

Occasional Contributor II

Re: 802.1x Auth with IP Phones and Printers

BUMP
