Occasional Contributor II

ClearPass 802.1x authentication

Super frustrated right now trying to get our IP phones to work on a wired port that is doing 802.1x auth. Isn't there a way to set up in the service that if ClearPass determines a device to be a printer or an IP phone that it allows access? That is basically what we want. We do not want to have to MAC auth as that is so messy with keeping the database up to date.

Guru Elite

Re: ClearPass 802.1x authentication

That would be part of a MAC auth configuration. There is nothing to maintain. Did you look at the Solutions Guide for Wired Policy Enforcement? It shows examples of that.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: ClearPass 802.1x authentication

I've tried digging through it but I must be missing it. 

Occasional Contributor II

Re: ClearPass 802.1x authentication

In order for me to have both 802.1x and MAC auth on the port I have to use the web-based instead of authenticator which I do not care for at all. 

Guru Elite

Re: ClearPass 802.1x authentication

Not sure I understand what you're saying. If you follow the doc, it will give you a complete colorless port configuration.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass 802.1x authentication

Do the phones do 802.1X username/password or certificate authentication? In order to perform the logic of device type, the authentication has to succeed first. That authentication needs to be validated somehow, and after that you can use role mapping or enforcement policy to say "Device Category = VoIP Phone" to then assign a VLAN or dACL (Cisco).

If you do MAC-based authentication, you can do Allow All MAC Auth, and do the same logic. If you have computers connected behind the phones, and you're using Cisco, make sure you configure Multihost (forget actual name, it's Multi something).


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: ClearPass 802.1x authentication

Also, that logic is dependent upon the fingerprinting. I would suggest setting up some type of IP helper pointing toward ClearPass or other way of fingerprinting to ensure when new phones are added, they are identified as VoIP as well.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Guru Elite

Re: ClearPass 802.1x authentication

Yep. All that is covered in the doc 😉

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: ClearPass 802.1x authentication

So am I reading this right that I have to set up roles on the switches with different policies for this to work properly?

Guru Elite

Re: ClearPass 802.1x authentication

Not necessarily, but roles are the recommended way to deploy colorless ports and that's what the docs cover.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480