Frequent Contributor I
Posts: 76
Registered: 03-09-2015

CPPM profiling not working with IP phone


CPPM profiling not working with LLDP-MED or basic LLDP enabled on HPE switch port.

HPE switch

Mitel handset

Anyone had issues with profiling IP phones from CPPM ?

Guru Elite
Posts: 20,422
Registered: 03-29-2007

Re: CPPM profiling not working with IP phone

We need more information. You are talking about two functions: profiling, which is identification by CPPM using DHCP signatures, and identification by the switch via LLDP. Which one is not working, and how do you have things configured to identify both?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor II
Posts: 226
Registered: 03-03-2011

Re: CPPM profiling not working with IP phone

Does the HP switch show the correct make/model info in the LLDP information?

Is CPPM set to gather information using SNMP from the switch?

What information does CPPM show for the device MAC?

David
ACDX #98 | ACMP | ACCP
Frequent Contributor I

Re: CPPM profiling not working with IP phone

cjoseph wrote:

We need more information. You are talking about two functions: profiling, which is identification by CPPM using DHCP signatures, and identification by the switch via LLDP. Which one is not working, and how do you have things configured to identify both?


Fair point. My bad.

Let's start again.


DHCP method used for profiling.

A special 'quarantine VLAN' is set up and a DHCP helper address for CPPM is applied to this SVI/RVI/subnet.

A service of 'Allow All MAC Auth' is used with an enforcement profile that pushes this quarantine VLAN, the profiling option, plus CoA.

The mindset is: allow the MAC, update the endpoint DB and profile, push CoA, and then the next service is matched by condition (with a rule that says 'Username EXISTS'; the Allow All MAC Auth service uses 'Username DOES NOT EXIST', obviously).

This works fine for printers, workstations, etc.

Not the case for phones.

Now, I think because LLDP/LLDP-MED is enforced on the switch ports carrying phones, this quarantine VLAN is never pushed, so it's actually (maybe, probably) not the profiling function that's at fault; it's the fact that the quarantine VLAN is not pushed. Though a simple 'show vlan' on the port on the HPE switch indicates that the port is pushed the quarantine VLAN.

But to add insult to injury, the port has got the ole' tagged and untagged VLAN (for the whole daisy-chained phone + PC scenario).

So the static port configuration on the switch side, before this profiling/quarantine VLAN enforcement is pushed by CPPM, is VLAN 210 for voice (tagged) and 113 for data (untagged).

When the CPPM service 'Allow All MAC Auth and profile' fires, I check the VLAN assignment on the port and, appropriately, 210 remains as tagged but 4000 appears as the untagged (the quarantine VLAN). Everything is working great so far.


Problem is, profiling takes ages and I don't think CoA is ever sent. And that's with LLDP-MED not enabled. With LLDP-MED enabled it doesn't work, period, because it's trumping the push of this quarantine/4000 VLAN.


Does all that make sense now ?
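The two-pass flow described in this post, modelled as an added example (this is not ClearPass, HPE or Mitel code; the fingerprint table, MAC addresses, function names and the assumed LLDP-MED behaviour are constructed for illustration, and only the VLAN ids 113/210/4000 come from the post). It goes slightly beyond this post by also modelling the case where the CPPM helper address is added to the voice VLAN, which is the resolution reached later in the thread:

```python
"""Constructed model of the two-pass flow: MAC auth pushes the quarantine VLAN,
DHCP seen through the ip helper profiles the endpoint, CoA re-authenticates it
into its final VLAN. Added illustration, not ClearPass, HPE or Mitel code.
VLAN ids come from the thread; the fingerprint table, MAC addresses, function
names and the LLDP-MED behaviour are assumptions."""

DATA_VLAN, VOICE_VLAN, QUARANTINE_VLAN = 113, 210, 4000

# Constructed DHCP option-55 parameter lists -> profiler category.
# (Assumption: the real profiler matches these against its fingerprint DB.)
FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows Workstation",
    "1,3,6,15,42,43,66,128,150": "VoIP Phone",
}
# Enforcement of the second service: VLAN to push once the category is known.
# None = send no VLAN attribute, i.e. "profile minus VLAN pivoting" for phones.
CATEGORY_VLAN = {"Windows Workstation": DATA_VLAN, "VoIP Phone": None}

# Constructed endpoints (locally administered MACs, no real vendor OUI).
DEVICES = {
    "workstation": ("02:00:00:00:00:01", "1,3,6,15,31,33,43,44,46,47,119,121,249,252"),
    "phone": ("02:00:00:00:00:02", "1,3,6,15,42,43,66,128,150"),
}


class Switch:
    """Port VLAN state plus which SVIs relay DHCP to CPPM (ip helper-address)."""

    def __init__(self, helper_vlans, lldp_med_ports):
        self.helper_vlans = set(helper_vlans)
        self.lldp_med_ports = set(lldp_med_ports)
        self.untagged = {}  # port -> current untagged VLAN
        self.tagged = {}    # port -> static tagged voice VLAN

    def apply(self, port, radius_vlan):
        # A RADIUS VLAN attribute replaces the untagged VLAN; with no attribute
        # the port falls back to its static config. The tagged voice VLAN is
        # static and never touched by RADIUS (matches 'show vlan' in the thread).
        self.untagged[port] = DATA_VLAN if radius_vlan is None else radius_vlan
        self.tagged[port] = VOICE_VLAN

    def dhcp_vlan(self, port, is_phone):
        # Assumption: a phone honouring the LLDP-MED network-policy TLV tags
        # its traffic into the voice VLAN, so its DHCP DISCOVER never enters
        # the RADIUS-pushed untagged VLAN. Anything else uses the untagged VLAN.
        if is_phone and port in self.lldp_med_ports:
            return self.tagged[port]
        return self.untagged[port]

    def relays_to_cppm(self, vlan):
        return vlan in self.helper_vlans


class Cppm:
    def __init__(self, switch):
        self.switch = switch
        self.endpoints = {}  # endpoint DB: mac -> category (None = not profiled)
        self.coa_log = []

    def radius_auth(self, mac, port):
        """Service selection: no usable endpoint record ('Username DOES NOT
        EXIST') hits Allow All MAC Auth; a profiled endpoint hits the next one."""
        category = self.endpoints.get(mac)
        if category is None:
            self.endpoints[mac] = None           # update endpoint DB
            self.switch.apply(port, QUARANTINE_VLAN)
            return "Allow All MAC Auth + profile"
        self.switch.apply(port, CATEGORY_VLAN[category])
        return "Known Endpoints"

    def profile(self, mac, param_list):
        """DHCP relayed via ip helper: classify, then CoA to force re-auth."""
        category = FINGERPRINTS.get(param_list)
        if category is None:
            return None
        self.endpoints[mac] = category
        self.coa_log.append(mac)                 # RADIUS CoA (re-authenticate)
        return category


def simulate(device, helper_on_voice, lldp_med=True, port="1"):
    """Run one endpoint through auth -> DHCP -> (profile -> CoA -> re-auth)."""
    helpers = {QUARANTINE_VLAN} | ({VOICE_VLAN} if helper_on_voice else set())
    sw = Switch(helpers, {port} if lldp_med else set())
    cppm = Cppm(sw)
    mac, param_list = DEVICES[device]
    trace = [cppm.radius_auth(mac, port)]
    dhcp_vlan = sw.dhcp_vlan(port, device == "phone")
    profiled = False
    if sw.relays_to_cppm(dhcp_vlan):             # only helper VLANs reach CPPM
        profiled = cppm.profile(mac, param_list) is not None
        if profiled:
            trace.append(cppm.radius_auth(mac, port))  # CoA-triggered re-auth
    return {"trace": trace, "dhcp_vlan": dhcp_vlan, "profiled": profiled,
            "final_untagged": sw.untagged[port], "coa_sent": len(cppm.coa_log)}


if __name__ == "__main__":
    for dev, helper in (("workstation", False), ("phone", False), ("phone", True)):
        print(dev, "helper on voice VLAN:", helper, simulate(dev, helper))
```

The three scenarios in the `main` block show the point of the thread: the workstation DHCPs in the pushed quarantine VLAN, is relayed to CPPM, gets profiled and CoA'd into 113; the phone obeying LLDP-MED DHCPs in tagged VLAN 210, which has no helper, so CPPM never sees it and nothing fires; adding the helper to the voice VLAN makes the same phone profile and re-auth without any VLAN pivot.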

Frequent Contributor I

Re: CPPM profiling not working with IP phone

I think, rather than trying to do a VLAN enforcement onto this quarantine VLAN (because LLDP-MED is trumping the RADIUS send), I'll need to profile the voice VLAN?

Keen to hear what the community thinks.


And, from a RADIUS perspective, can a RADIUS VLAN enforcement trump CDP/LLDP or not?

Regular Contributor II

Re: CPPM profiling not working with IP phone

Do you need to use LLDP-MED??

Can you not provide the required information from RADIUS attributes ClearPass sends back to the switch?

David

Frequent Contributor I

Re: CPPM profiling not working with IP phone

Because with LLDP-MED the switch and phone can exchange info on power levels, automate QoS configuration, etc. There are more benefits to using it (strictly speaking with respect to IP telephony) than not using it.

But it seemingly gets in the way of RADIUS pushing a VLAN.

On a separate note, I've added the CPPM address as a helper on this voice VLAN anyway, as directed by Aruba support, as they also alluded to the fact that most likely LLDP-MED is 'trumping' whatever the RADIUS VLAN enforcement is attempting to do.

Guru Elite

Re: CPPM profiling not working with IP phone

So why don't you choose one method or the other?

Colin Joseph
Aruba Customer Engineering

Frequent Contributor I

Re: CPPM profiling not working with IP phone


Yes. I've just tied VLAN enforcement in along with profiling for a range of devices, i.e. workstations/printers, all in one service.

I just have to split out the service doing profiling AND VLAN enforcement onto the dedicated 'quarantine' VLAN for workstations and printers, and instead just do a profile (minus VLAN pivoting) for the phones (remember, I have to profile; that's the constant/given, but I can't profile phones on the dedicated VLAN for profiling, so I will have to profile this additional VLAN).

Frequent Contributor I

Re: CPPM profiling not working with IP phone

Just needed to reboot the phones to trigger DHCP (shutting the ports wasn't enough, as it seems), and then profiling was fine.

However, profiling is occurring with LLDP-MED handling VLAN enforcement on the switch side (thus the CPPM helper address is assigned to that SVI/RVI VLAN also, not just my 'quarantine' VLAN); it can't be pushed from RADIUS/CPPM (where I had a designated 'quarantine VLAN' to profile).

All in all, happy with that.
