01-15-2015 04:50 PM
Is anyone out there actively using ClearPass with Cisco switches? I am interested to know if you have had any issues managing the Cisco gear versus using Aruba switch gear. Is there any reason to be concerned about using Cisco switch gear versus Aruba?
01-15-2015 04:54 PM - edited 01-15-2015 04:55 PM
The Aruba mobility access switch was purpose-built with role-based access and mobility at its core.
Cisco switches can perform most of the same functions but configuration is much more complex because there is no context of a role and many features are dependent on code levels.
For example, we can simply return STAFF to an Aruba switch and the switch is configured to assign a certain VLAN, access controls, QoS settings, etc for users in that role.
On a Cisco switch, there aren't as many "dynamic" options for port configurations. Things like VLAN and ACLs can be changed, but on some platforms, all other port configurations are static.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
01-16-2015 03:30 AM
There is one interesting thing we do. All documentation I have seen has the RADIUS server return a vlan number to the switch as the vlan-id. The server can send the vlan name instead of the number. This permits you to have switches that have a Student vlan, for instance, but have different vlan numbers. We needed this for scalability in our network environment.
01-16-2015 04:39 AM
Thanks Bruce. I was aware of returning the VLAN name versus number and will likely use this feature. Good to hear you are doing Cisco phones and switches, as that is the environment we have as well.
01-16-2015 04:44 AM
Be careful if using the Cisco manufacturer-installed certificates. Some older models, such as the 7970, support 802.1X, but the factory-installed certificates have expired. We moved our 7970 to MAC authentication.
For the phones, we let the switch use CDP for the voice VLAN. We use 802.1X to tag the client as "voice" and set up the switch port for multi-domain, which permits 1 voice and 1 data client per port.
Another caveat: mac address security is not compatible with 802.1X. In some places with both configured, there have been switch CPU loading issues. You do not need to use mac address security anyway if 802.1X is properly deployed.
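The replies above describe three pieces of a Cisco port configuration: 802.1X with MAB as the fallback for phones whose factory certificates have expired, multi-domain host mode with the voice VLAN learned via CDP, and port-security left off because it conflicts with 802.1X. The following IOS configuration is an added illustration of those points, not configuration from the thread or from Aruba/ClearPass documentation. The interface name, VLAN numbers, server address and shared-secret placeholder are assumptions; the `radius server` block syntax assumes IOS 15.x (older releases use `radius-server host`). The comment lines show the RADIUS attributes the server would return to land a user in the VLAN by name and to place a phone in the voice domain.

```cisco
! --- Global AAA: authenticate and authorize against ClearPass (assumed address) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
radius server CLEARPASS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
!
! --- Access port: one phone (voice domain) plus one PC (data domain) ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! CDP advertises the voice VLAN to the phone; the switch tags voice traffic here
 switchport voice vlan 20
 ! Two authenticated clients per port: exactly one voice and one data
 authentication host-mode multi-domain
 authentication port-control auto
 ! Try 802.1X first; fall back to MAB for phones that cannot present a valid certificate
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 dot1x pae authenticator
 mab
 ! Port-security is not compatible with 802.1X and is unnecessary once 802.1X is deployed
 no switchport port-security
 spanning-tree portfast
!
! --- RADIUS Access-Accept attributes (returned by the server, shown for reference) ---
! Data client, VLAN assigned by name so every switch can map "Student" to its own VLAN ID:
!   Tunnel-Type              = VLAN (13)
!   Tunnel-Medium-Type       = IEEE-802 (6)
!   Tunnel-Private-Group-ID  = Student
! Phone (authenticated by 802.1X or MAB), placed into the voice domain:
!   Cisco-AVPair             = device-traffic-class=voice
```

When the server returns a VLAN name rather than a number, the name must exist in the switch's VLAN database on every switch in scope; a port whose authorization references an unknown VLAN name fails authorization, so a `show authentication sessions interface GigabitEthernet1/0/1 details` after the first test is the quickest check that both the data and voice domains came up as intended.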