Occasional Contributor II

AAA with IP phone and pc

Greetings, I am looking for the Cisco switch setting for an IP phone and PC being used in tandem for authentication. I tried the authentication host-mode multi-domain command and it's not working. Am I missing a step/command? Here are my settings on the port...

 switchport access vlan 1560
 switchport mode access
 switchport voice vlan 3636
 authentication host-mode multi-domain
 authentication order mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 7
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 dot1x max-req 3
 dot1x max-reauth-req 5
 spanning-tree portfast

Re: AAA with IP phone and pc

What exactly is not working?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: AAA with IP phone and pc

The IP phone gives me a "DHCP failed" message. The phone worked fine before I placed all of the AAA and dot1x commands on the port. I need the phone to work with MAB since we're not running 802.1x on the phones, but we are running 802.1x on the PCs. I just read that I need to add the "mls qos" and "lldp run" commands. I'll try those commands. Is there anything else that I may be missing?

Re: AAA with IP phone and pc

Do you have a MAC auth service in ClearPass? If so, do you see the MAC authentication request making it to the ClearPass server (Access Tracker)?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: AAA with IP phone and pc

Yes, I have a MAC auth service in ClearPass. Access Tracker shows that it is ignoring the voice VLAN assigned to the port and is placing the phone in the data VLAN.

Re: AAA with IP phone and pc

In your enforcement profile for the VoIP phone, try sending the following: Cisco-AVPair / Value = device-traffic-class=voice
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: AAA with IP phone and pc

That was already present in the config. I have the ClearPass IP address in the VLAN statement for the data network. Should I also have it for the voice LAN? See the data config below.

interface Vlan1560
 ip address 10.64.100.5 255.255.255.0
 ip helper-address 158.111.2.50 (CLEARPASS)
 ip helper-address 158.111.21.87
end

 

Re: AAA with IP phone and pc

Adding ClearPass as a DHCP relay is optional if you want to send profiling information to ClearPass.

But it is not required for the phone to get the appropriate voice VLAN.

Can you share the OUTPUT tab in Access Tracker?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA