Security

Occasional Contributor II
Posts: 18
Registered: ‎04-27-2016

AAA with IP phone and pc

Greetings, I am looking for the Cisco switch setting for an IP phone and PC being used in tandem for authentication. I tried the authentication host-mode multi-domain command and it's not working. Am I missing a step/command? Here are my settings on the port:

 switchport access vlan 1560
 switchport mode access
 switchport voice vlan 3636
 authentication host-mode multi-domain
 authentication order mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 7
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 dot1x max-req 3
 dot1x max-reauth-req 5
 spanning-tree portfast

MVP
Posts: 4,168
Registered: ‎07-20-2011

Re: AAA with IP phone and pc

What exactly is not working?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 18
Registered: ‎04-27-2016

Re: AAA with IP phone and pc

The IP phone gives me a "DHCP failed" message. The phone worked fine before I placed all of the AAA and dot1x commands on the port. I need the phone to work with MAB since we're not running 802.1x on the phones, but we are running 802.1x on the PCs. I just read that I need to add the "mls qos" and "lldp run" commands. I'll try those commands. Is there anything else that I may be missing?

MVP
Posts: 4,168
Registered: ‎07-20-2011

Re: AAA with IP phone and pc

Do you have a MAC auth service in ClearPass? If so, do you see the MAC authentication request making it to the ClearPass server (Access Tracker)?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 18
Registered: ‎04-27-2016

Re: AAA with IP phone and pc

Yes, I have a MAC auth service in ClearPass. Access Tracker shows that it is ignoring the voice VLAN assigned to the port and is placing the phone in the data VLAN.

MVP
Posts: 4,168
Registered: ‎07-20-2011

Re: AAA with IP phone and pc

In your enforcement profile for the VoIP phone, try sending the following: Cisco-AVPair / Value = device-traffic-class=voice
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 18
Registered: ‎04-27-2016

Re: AAA with IP phone and pc

That was already present in the config. I have the ClearPass IP address in the VLAN statement for the data network. Should I also have it for the voice VLAN? See the data config below.

interface Vlan1560
 ip address 10.64.100.5 255.255.255.0
 ! ClearPass
 ip helper-address 158.111.2.50
 ip helper-address 158.111.21.87
end

MVP
Posts: 4,168
Registered: ‎07-20-2011

Re: AAA with IP phone and pc

Adding ClearPass as a DHCP relay is optional if you want to send profiling information to ClearPass.

But it is not required for the phone to get the appropriate voice VLAN.

Can you share the OUTPUT tab in Access Tracker?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
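
The Cisco-AVPair discussed in this thread, as it appears on the wire (an added example, not part of the original posts and not ClearPass or Cisco code): this parser walks a raw RADIUS Access-Accept, extracts every Cisco-AVPair (vendor ID 9, vendor type 1), and reports whether `device-traffic-class=voice` is present. The helper names and the sample packets are constructed for illustration, and the response authenticator is zeroed and not verified.

```python
import struct

ACCESS_ACCEPT = 2      # RADIUS code (RFC 2865)
VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries VSAs
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number
CISCO_AVPAIR = 1       # Cisco vendor type 1 = Cisco-AVPair

def cisco_avpairs(packet: bytes) -> list:
    """Return every Cisco-AVPair string found in a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pairs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        atype, value = packet[pos], packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2:  # walk the vendor sub-attributes
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed Cisco sub-attribute")
            if vtype == CISCO_AVPAIR:
                pairs.append(sub[2:vlen].decode("ascii", "replace"))
            sub = sub[vlen:]
    return pairs

def marks_voice_domain(packet: bytes) -> bool:
    """True only for an Access-Accept carrying device-traffic-class=voice."""
    return packet[0] == ACCESS_ACCEPT and "device-traffic-class=voice" in cisco_avpairs(packet)

def build_packet(avpairs, code=ACCESS_ACCEPT) -> bytes:
    """Build a constructed sample packet (zeroed authenticator)."""
    attrs = b"\x1b\x06" + struct.pack("!I", 3600)  # Session-Timeout = 3600
    for text in avpairs:
        data = text.encode("ascii")
        vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data
        attrs += bytes([VENDOR_SPECIFIC, len(vsa) + 2]) + vsa
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

SAMPLE_PHONE = build_packet(["device-traffic-class=voice"])  # constructed
SAMPLE_PC = build_packet([])                                 # constructed
```

Running `marks_voice_domain` over the Access-Accept bytes taken from a packet capture on the switch side shows whether the attribute configured in the enforcement profile actually reached the switch.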