04-28-2015 02:38 PM
Currently I am conducting a POC on ClearPass and a Cisco switch; we are facing some problems with authentication.
We are basically doing dot1x using AD for PCs and MAC auth for all the IP phones (Avaya).
We have two services, one for dot1x and one for MAC auth.
We have set up the Cisco switch configuration for multi-auth, MAB and CoA, and everything looks fine.
Also, the port is set to a voice VLAN and an access VLAN (data).
When a PC connects it is by default in the data VLAN, and when it's authenticated CPPM returns another VLAN, which is the internet and intranet VLAN, and it's authenticated.
When an IP phone connects, it authenticates using MAC auth, CPPM returns cisco-device-class=voice (or something like that), and the IP phone is successfully connected to the voice VLAN. The problem is the phone cannot get its DHCP...
Although if I configure the port without any authentication (dot1x or MAC auth) and set up the port for voice VLAN and access VLAN, the phone connects and gets its IP normally via DHCP.
I have configured "lldp run".
The customer is reluctant to configure anything QoS-related, although I doubt it would cause this problem.
The enforcement profile for the phone contains the VLAN assignment plus Cisco device traffic, and I tried another one that returns only Cisco device traffic, and it gave the IP phone its VLAN even faster.
I have rules in enforcement policies based on device category and they're all working fine; the phones and PCs are all profiled, and even printers worked fine and were profiled.
I have configured IP helper addresses of course (the phone gets an IP address on an unauthenticated port).
I can't think of anything that may cause this problem except some specific commands on the switch's port, or a special VSA that needs to be sent from ClearPass that I can't find anywhere...
So please, urgent help is needed and appreciated.
P.S. I didn't open a case because they take too long; I've been awaiting a reply for 2 days about a failure to profile a Sun thin client, so I matched based on MAC vendor, and I still haven't received any replies.
Cisco switch model is 3750 pd ef 48 ports; version is 15.0.2SE.
ClearPass is 6.5 on an evaluation VM.
04-29-2015 12:28 AM
! or any port that you want to be authenticated
interface GigabitEthernet1/0/2
switchport access vlan 250
switchport mode access
switchport voice vlan 109
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication mode multi-auth
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 10
dot1x max-reauth-req 3
spanning-tree bpduguard enable
04-29-2015 11:59 AM
You say it connects correctly to the voice VLAN; how do you know it does when DHCP afterwards doesn't work? Did you do a packet capture on the port? Do you see DHCP discovers being sent?
Do you only send that extra =voice option? Because I don't believe you can actually send the voice VLAN; if you send a VLAN assignment in the accept packet it will set the data VLAN.
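As an added illustration of the port-capture check suggested above (this is not code from the thread, from ClearPass or from Cisco): a small Python decoder that takes raw Ethernet frames from a capture of the phone's port, reads the 802.1Q tag when one is present, and tallies which VLAN each DHCP message type was sent on, so you can see whether the phone's DISCOVERs are tagged with the voice VLAN and whether any OFFER comes back. The VLAN ids, the phone MAC and the frames themselves are constructed sample data, not from a real capture.

```python
import struct

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_frame(frame):
    """(vlan_id, dhcp_type) for an IPv4/UDP DHCP frame, else None; vlan_id None if untagged."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == 0x8100:                          # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800 or frame[off + 9] != 17:  # IPv4 carrying UDP only
        return None
    udp = off + (frame[off] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if not {sport, dport} & {67, 68}:                # BOOTP/DHCP ports
        return None
    dhcp = udp + 8
    if frame[dhcp + 236:dhcp + 240] != b"\x63\x82\x53\x63":   # DHCP magic cookie
        return None
    i = dhcp + 240                                   # walk options for message type (53)
    while i + 1 < len(frame) and frame[i] != 255:
        if frame[i] == 0:                            # pad option
            i += 1
            continue
        if frame[i] == 53:
            return vlan, DHCP_TYPES.get(frame[i + 2], "TYPE%d" % frame[i + 2])
        i += 2 + frame[i + 1]
    return vlan, "UNKNOWN"

def summarize(frames):
    """Count (vlan_id, dhcp_type) pairs over raw frames, e.g. {(102, 'DISCOVER'): 3}."""
    counts = {}
    for result in map(parse_frame, frames):
        if result:
            counts[result] = counts.get(result, 0) + 1
    return counts

def build_dhcp_frame(vlan, msg_type):
    """Constructed client->broadcast DHCP frame with optional 802.1Q tag (sample data)."""
    dhcp = bytes([1, 1, 6, 0]) + b"\x00" * 232 + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00" * 4, b"\xff" * 4) + udp
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"        # constructed phone MAC
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return eth + tag + struct.pack("!H", 0x0800) + ip
```

Feed summarize() the frames read from a pcap of the switch port (for example from a SPAN session); a phone whose DISCOVERs appear only on the voice VID with no OFFER coming back points at the DHCP relay path for that VLAN rather than at the authentication itself.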
04-29-2015 12:05 PM
I know it connects to the voice VLAN, because the phone says it's in VLAN 102, which is the voice VLAN. It starts with VLAN 0, then after CPPM sends its VLAN it goes to VLAN 102. I have tried sending an enforcement policy with device-traffic-class = voice + VLAN assignment, and just device-traffic-class=voice without VLAN assignment, and they both placed it in its VLAN.
Then the IP phone's LCD says it's doing DHCP requests, and it keeps increasing a counter until 60 seconds, then fails to get its IP and reboots...
When I connect the phone to a normal port with just this config:
switchport access vlan 2
switchport voice vlan 102
switchport mode access
the IP phone gets its IP in just 3 seconds, as well as the VLAN.
I haven't done a packet capture yet.
Also, when I "show vlan" on the Cisco switch I see the phone's port in both the voice VLAN and data VLAN (a PC is also connected).
04-29-2015 12:47 PM
What do you get when you do: show authentication sessions
You are running a new version so it might be different, but with the 12.x versions I'm quite sure that you can't set the voice VLAN, and if your earlier posted config is correct and you set the voice VLAN there, then that is what is going to be used, I believe.
04-29-2015 12:50 PM
I don't have the output with me right now, but it shows success or authenticated.
Also, on the Access Tracker I get success and no alerts, and everything is just as it should be, except the IP phone got no IP address.
04-29-2015 12:58 PM
The domain part is what interests me.
ClearPass will show a success when authentication passes and it is able to send the accept to the switch. It doesn't check whether the things you send to the switch make sense to the switch or not.
This is something you will have to debug on the switch side. Look up the dot1x debug commands and see if the switch mentions it doesn't like something you send.