
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass 802.1x authentication

  • 1.  ClearPass 802.1x authentication

    Posted Nov 09, 2017 12:28 PM

    Super frustrated right now trying to get our IP phones to work on a wired port that is doing 802.1x auth. Isn't there a way to set up in the service that if ClearPass determines a device to be a printer or an IP phone that it allows access? That is basically what we want. We do not want to have to MAC auth as that is so messy with keeping the database up to date.



  • 2.  RE: ClearPass 802.1x authentication

    EMPLOYEE
    Posted Nov 09, 2017 12:31 PM
    That would be part of a MAC auth configuration. There is nothing to maintain. Did you look at the Solutions Guide for Wired Policy Enforcement? It shows examples of that.


  • 3.  RE: ClearPass 802.1x authentication

    Posted Nov 09, 2017 12:33 PM

    I've tried digging through it but I must be missing it. 



  • 4.  RE: ClearPass 802.1x authentication

    Posted Nov 09, 2017 12:40 PM

    In order for me to have both 802.1x and MAC auth on the port I have to use the web-based instead of authenticator which I do not care for at all. 



  • 5.  RE: ClearPass 802.1x authentication

    EMPLOYEE
    Posted Nov 09, 2017 12:47 PM
    Not sure I understand what you're saying. If you follow the doc, it will give you a complete colorless port configuration.


  • 6.  RE: ClearPass 802.1x authentication

    MVP
    Posted Nov 09, 2017 12:53 PM

    Do the phones do 802.1X username/password or certificate authentication? In order to perform the logic of device type, the authentication has to succeed first. That authentication needs to be validated somehow, and after that you can use role mapping or enforcement policy to say "Device Category = VoIP Phone" to then assign a VLAN or dACL (Cisco).

    If you do MAC-based authentication, you can do Allow All MAC Auth, and do the same logic. If you have computers connected behind the phones, and you're using Cisco, make sure you configure Multihost (forget actual name, it's Multi something).



  • 7.  RE: ClearPass 802.1x authentication

    MVP
    Posted Nov 09, 2017 12:55 PM

    Also, that logic is dependent upon the fingerprinting. I would suggest setting up some type of IP helper pointing toward ClearPass or another way of fingerprinting to ensure that when new phones are added, they are identified as VoIP as well.



  • 8.  RE: ClearPass 802.1x authentication

    EMPLOYEE
    Posted Nov 09, 2017 12:58 PM
    Yep. All that is covered in the doc 😉


  • 9.  RE: ClearPass 802.1x authentication

    Posted Nov 09, 2017 01:29 PM

    So am I reading this right that I have to set up roles on the switches with different policies for this to work properly?



  • 10.  RE: ClearPass 802.1x authentication

    EMPLOYEE
    Posted Nov 09, 2017 01:31 PM
    Not necessarily, but roles are the recommended way to deploy colorless ports and that's what the docs cover.


  • 11.  RE: ClearPass 802.1x authentication

    MVP
    Posted Nov 09, 2017 01:34 PM

    Assuming you're working with Aruba switches? 2900 series or 3800 series?



  • 12.  RE: ClearPass 802.1x authentication

    Posted Nov 09, 2017 01:35 PM

    No, these are Aruba 2530s.



  • 13.  RE: ClearPass 802.1x authentication

    Posted Nov 09, 2017 01:42 PM

    This is my issue and error that I am getting when trying to enable MAC and authenticator access on the same port.  

     

    access.JPG



  • 14.  RE: ClearPass 802.1x authentication

    EMPLOYEE
    Posted Nov 09, 2017 01:44 PM
    Re-run those config commands in the reverse error.


  • 15.  RE: ClearPass 802.1x authentication

    Posted Nov 09, 2017 01:47 PM

    Same result. 



  • 16.  RE: ClearPass 802.1x authentication

    EMPLOYEE
    Posted Nov 09, 2017 01:50 PM
    Hm. Best to work with your partner or TAC. It's a validated config so something must be up with your switch.


  • 17.  RE: ClearPass 802.1x authentication

    Posted Nov 09, 2017 01:55 PM

    Seems odd since I tried this on the customer's 2530 and now in my test lab 2530 with the same error and result.



  • 18.  RE: ClearPass 802.1x authentication

    MVP
    Posted Nov 09, 2017 01:59 PM

    Just curious - what version is running on the switch?



  • 19.  RE: ClearPass 802.1x authentication

    Posted Nov 09, 2017 02:00 PM

    SW2(config)# sho ver

    Image stamp: /ws/swbuildm/rel_ukiah_qaoff/code/build/lakes(swbuildm_rel_ukiah_qaoff_rel_ukiah)
    Oct 12 2017 22:43:52
    YA.16.04.0009
    723
    Boot Image: Primary

    Boot ROM Version: YA.15.20



  • 20.  RE: ClearPass 802.1x authentication

    Posted Nov 09, 2017 02:16 PM

    If this error wasn't occurring I would be able to have this done already :)

     

     



  • 21.  RE: ClearPass 802.1x authentication

    Posted May 22, 2018 07:17 PM

    Hi,

     

    Any updates about this issue? One of our customers mentioned the same issue and we opened a case, but the case has not been owned yet.

     

    Thank you.



  • 22.  RE: ClearPass 802.1x authentication

    Posted Mar 14, 2019 09:59 AM

    Any update? I am running into the same issue. I am using Aruba 2930 switches, and it will not allow me to do a combination of MAC auth and 802.1x. This is a big problem for us and our design. Hopefully you were able to get some good information!