Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

AAA with IP phone and pc

  • 1.  AAA with IP phone and pc

    Posted May 02, 2016 04:16 PM

    Greetings, I am looking for the Cisco switch setting for an IP phone and PC being used in tandem for authentication. I tried the authentication host-mode multi-domain command and it's not working. Am I missing a step/command? Here are my settings on the port:

     switchport access vlan 1560
     switchport mode access
     switchport voice vlan 3636
     authentication host-mode multi-domain
     authentication order mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout server-timeout 7
     dot1x timeout tx-period 5
     dot1x timeout supp-timeout 5
     dot1x max-req 3
     dot1x max-reauth-req 5
     spanning-tree portfast



  • 2.  RE: AAA with IP phone and pc

    Posted May 02, 2016 04:21 PM
    What exactly is not working?


  • 3.  RE: AAA with IP phone and pc

    Posted May 02, 2016 04:29 PM

    The IP phone gives me a "DHCP failed" message. The phone worked fine before I placed all of the AAA and dot1x commands on the port. I need the phone to work with MAB since we're not running 802.1x on the phones but we are running 802.1x on the PCs. I just read that I need to add the "mls qos" and "lldp run" commands. I'll try those commands. Is there anything else that I may be missing?



  • 4.  RE: AAA with IP phone and pc

    Posted May 02, 2016 04:36 PM
    Do you have a MAC auth service in ClearPass? If so, do you see the MAC authentication request making it to the ClearPass server (Access Tracker)?


  • 5.  RE: AAA with IP phone and pc

    Posted May 02, 2016 04:48 PM

    Yes, I have mac auth service in ClearPass. Access tracker shows that it is ignoring the voice vlan assigned to the port and is placing the phone in the data vlan.



  • 6.  RE: AAA with IP phone and pc

    Posted May 02, 2016 04:58 PM
    In your enforcement profile for the VoIP phone, try sending the following: Cisco-AVPair / Value = device-traffic-class=voice


  • 7.  RE: AAA with IP phone and pc

    Posted May 02, 2016 05:07 PM

    That was already present in the config. I have the ClearPass IP address in the VLAN statement for the data network. Should I also have it for the voice VLAN? See the data config below.

      interface Vlan1560
     ip address 10.64.100.5 255.255.255.0
     ip helper-address 158.111.2.50 (CLEARPASS)
     ip helper-address 158.111.21.87
    end

     



  • 8.  RE: AAA with IP phone and pc

    Posted May 02, 2016 05:21 PM

    Adding ClearPass as a DHCP relay is optional if you want to send profiling information to ClearPass.

     

    But it is not required for the phone to get the appropriate voice VLAN.

     

    Can you share the OUTPUT tab in Access Tracker?