Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass for wired phones and printers

  • 1.  ClearPass for wired phones and printers

    EMPLOYEE
    Posted Nov 05, 2012 06:57 AM

    Hey guys

     

    A customer of ours is interested in the ClearPass solution for its wireless and wired infrastructure. They intend to deploy dot1x authentication in the wired network but have some concerns that perhaps you may be able to help us with.


    Our customer has Cisco 2960S and AT8000S switches. They also have some NEC VoIP phones that support dot1x authentication but our customer is not too fond of using it on their phones. 

     

    In regards to printers, my guess is that we would have to do some sort of MAC auth bypass (we'll have to see how that's done using Allied Telesis switches) and that the CPPM would need to have the full database of the printers' MAC addresses. Am I right? Do you guys know of a better way of authenticating printers? I'm thinking we might be able to authenticate based on the device profile or something like that...

     

    In regards to VoIP phones, our customer has PCs connected to them. How would the dot1x authentication work in this case? Will we be able to authenticate the PC using dot1x but allow communication for the VoIP phone at the same time?

     

    Thanks a lot

     

    Regards

     

    Samuel

     



  • 2.  RE: ClearPass for wired phones and printers

    EMPLOYEE
    Posted Nov 05, 2012 08:48 AM

    Most phones and printers you can enforce using mac authentication.  The usual procedure is that there is a period of time where you do mac authentication and collect all the mac addresses of devices on your wired network, but do not enforce it (allow unknown mac addresses while doing authentication).  While these devices are collected, they end up in the endpoint database and using profiler (forwarding DHCP requests to the CPPM server), it will identify manufacturer and OS of devices so that you can go through and decide what is a desired device or not.  Later, when you are satisfied that you have enough devices profiled, you can turn on enforcement.

     

    Some phones do 802.1x, and some do not.  Some phones allow the device on the port behind them to also do 802.1x and that device can be enforced separately.  This is all dependent on the phone...

     



  • 3.  RE: ClearPass for wired phones and printers

    EMPLOYEE
    Posted Nov 05, 2012 11:53 AM

    Hi Cjoseph

     

    Thanks for your quick reply and for the great idea you gave me. Building on top of that, would it be possible to do that MAC authentication (without enforcing) and shut down the port in case the device type is not allowed?

     

    Regards



  • 4.  RE: ClearPass for wired phones and printers

    Posted Nov 05, 2012 06:06 PM

    Hey Samuel,

     

    As far as I know, to shut down the port on the switch side you would have to define what happens when a violation occurs.  CPPM would check to see if that device type is accepted and/or if it exists in the MAC database and if not then it would simply send back a reject message to your switch.  Once your switch gets that you should be able to define a violation action it takes, but it depends on the switch.



  • 5.  RE: ClearPass for wired phones and printers

    Posted Feb 04, 2013 10:38 AM

    What about printers and IP phones with static IPs? How could the profiler collect the info about them with no forwarding of DHCP requests to the CPPM server?

    I know that the profiler collects info in many ways, like MAC OUI, SNMP, Subnet Scanner.

    Please, could anyone help me understand this?



  • 6.  RE: ClearPass for wired phones and printers

    EMPLOYEE
    Posted Nov 05, 2012 07:09 PM
    We cannot shut down the port, but you can have the home VLAN be a quarantine VLAN and have CPPM switch it based on whether the device passes and where you want it to be.


  • 7.  RE: ClearPass for wired phones and printers

    Posted Nov 09, 2012 04:11 PM

    I too am trying to figure out how to authenticate my wired phones that don't support dot1x.  I want to be sure I understand what you're suggesting...  Are you saying that after enough time has passed to profile all of the devices on the network that you would key off of device attributes that have been collected in order to authenticate a phone to the network?  i.e. if the device connecting has been profiled and its vendor is "Polycom" and it's a phone, then enforce a policy?  If so, this sounds way more desirable than using a static host list since the endpoint database is dynamic and a host list is static.



  • 8.  RE: ClearPass for wired phones and printers

    EMPLOYEE
    Posted Nov 12, 2012 02:06 PM

    Hmm, I didn't understand the same thing as you did. From what I gathered, you'd learn all the MAC addresses in your network for some time and then you'd create some sort of static list based on the MAC addresses learnt. Am I right?

     

    Regards



  • 9.  RE: ClearPass for wired phones and printers

    Posted Nov 12, 2012 02:56 PM

    Samuel,

     

    I believe you're correct in what you're saying, I was just hoping that there is another way of authenticating devices.  Since ClearPass learns all endpoints that connect and is capable of profiling them, why not use the attributes collected and build a service that matches those attributes to enforce policy?  If it profiles a device that is a Cisco IP Phone, then put it in VLAN X -- something to that effect.



  • 10.  RE: ClearPass for wired phones and printers

    EMPLOYEE
    Posted Nov 12, 2012 04:16 PM
    I don't think you can do dynamic VLAN assignment when using MAC authentication.


  • 11.  RE: ClearPass for wired phones and printers

    EMPLOYEE
    Posted Nov 12, 2012 04:19 PM

    You can:  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html#wp9000104

     

    You can just return a RADIUS attribute in the result of a positive MAC authentication.

     



  • 12.  RE: ClearPass for wired phones and printers

    Posted Nov 16, 2012 04:27 PM

    cjoseph,

     

    I've found that dynamic VLAN assignment will not work with MAB if the port is in multi-domain mode.  Cisco's explanation:


    You must configure the voice VLAN for the IP phone when the host mode is set to multidomain.
    Note: If you use a dynamic VLAN in order to assign a voice VLAN on an MDA-enabled switch port, the voice device fails authorization.

     

    The switch will log the following error message:

     

    %AUTHMGR-5-FAIL: Authorization failed for client (0004.f2**.****) on Interface Gi3/17

     

    I had to specify the voice VLAN & data VLAN.  The Polycom phone has to retrieve its VLAN via DHCP on the data VLAN, then it can hop over to the voice VLAN.  After setting this up, the port showed up/up and had an IP address on the proper VLAN.

     

    References:

    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_37_se/configuration/guide/sw8021x.html#wp1274573
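The `%AUTHMGR-5-FAIL` message quoted in the post is the signal a switch gives when the voice device fails authorization on an MDA port. The following is an added example, not code from the thread or from ClearPass or Cisco: a small triage script that pulls these failures out of syslog lines, groups them per interface, and flags ports where a known phone vendor keeps failing (the pattern of the dynamic-voice-VLAN mismatch described above) rather than a one-off unknown device. The OUI table, the sample log lines and the syslog prefix format are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

# Matches the %AUTHMGR-5-FAIL message shape quoted in the post. The MAC group
# tolerates the '*' masking used there as well as a full Cisco dotted MAC.
AUTHMGR_FAIL = re.compile(
    r"%AUTHMGR-5-FAIL: Authorization failed for client \((?P<mac>[0-9a-fA-F*.]+)\)"
    r" on Interface (?P<iface>\S+)"
)

# OUI prefixes of phone vendors the operator cares about. Assumption for this
# example; in a real deployment the profiler supplies the vendor instead.
VOICE_OUIS = {"0004f2": "Polycom"}


class AuthFailure(NamedTuple):
    interface: str
    mac: str         # Cisco dotted form, lower-cased, possibly masked with '*'
    vendor: str      # looked up from VOICE_OUIS, or "unknown"


def parse_failures(lines: Iterable[str]) -> List[AuthFailure]:
    """Extract every AUTHMGR-5-FAIL event; other syslog lines are ignored."""
    found = []
    for line in lines:
        m = AUTHMGR_FAIL.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        oui = mac.replace(".", "")[:6]          # first three octets, even when the rest is masked
        found.append(AuthFailure(m.group("iface"), mac, VOICE_OUIS.get(oui, "unknown")))
    return found


def failures_by_interface(failures: Iterable[AuthFailure]) -> Dict[str, List[AuthFailure]]:
    grouped = defaultdict(list)
    for f in failures:
        grouped[f.interface].append(f)
    return dict(grouped)


def suspect_voice_ports(lines: Iterable[str], threshold: int = 2) -> List[str]:
    """Interfaces on which a known phone vendor failed authorization at least
    `threshold` times: repeated phone failures on one port point at the port's
    voice-VLAN/MDA configuration, not at a stray device."""
    grouped = failures_by_interface(parse_failures(lines))
    return sorted(
        iface for iface, fails in grouped.items()
        if sum(1 for f in fails if f.vendor != "unknown") >= threshold
    )


# Constructed sample log: a syslog-style prefix in front of the message shape from the post.
SAMPLE_LOG = """\
Nov 16 16:01:02 sw-core1 101: %AUTHMGR-5-FAIL: Authorization failed for client (0004.f211.2233) on Interface Gi3/17
Nov 16 16:01:40 sw-core1 102: %AUTHMGR-5-FAIL: Authorization failed for client (0004.f211.2233) on Interface Gi3/17
Nov 16 16:02:10 sw-core1 103: %AUTHMGR-5-FAIL: Authorization failed for client (dead.beef.0001) on Interface Gi3/18
Nov 16 16:02:11 sw-core1 104: %LINK-3-UPDOWN: Interface GigabitEthernet3/18, changed state to up
""".splitlines()


if __name__ == "__main__":
    for iface, fails in failures_by_interface(parse_failures(SAMPLE_LOG)).items():
        print(iface, [(f.mac, f.vendor) for f in fails])
    print("suspect voice ports:", suspect_voice_ports(SAMPLE_LOG))
```

Run against the constructed sample, `Gi3/17` is reported (two Polycom failures) while `Gi3/18` is not (one failure from an unknown OUI). Feeding the script a real syslog export works as long as the message body keeps the format quoted in the post.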



  • 13.  RE: ClearPass for wired phones and printers

    Posted Jul 30, 2013 12:20 PM

    @thecompnerd wrote:

    cjoseph,

     

    I've found that dynamic VLAN assignment will not work with MAB if the port is in multi-domain mode.  Cisco's explanation:


    You must configure the voice VLAN for the IP phone when the host mode is set to multidomain.
    Note: If you use a dynamic VLAN in order to assign a voice VLAN on an MDA-enabled switch port, the voice device fails authorization.

     

    The switch will log the following error message:

     

    %AUTHMGR-5-FAIL: Authorization failed for client (0004.f2**.****) on Interface Gi3/17

     

    I had to specify the voice VLAN & data VLAN.  The Polycom phone has to retrieve its VLAN via DHCP on the data VLAN, then it can hop over to the voice VLAN.  After setting this up, the port showed up/up and had an IP address on the proper VLAN.

     

    References:

    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_37_se/configuration/guide/sw8021x.html#wp1274573


    I was having the same issue with dynamically setting the voice VLAN when doing MAC Auth.  I know this thread is old but I have found a resolution to this issue in CPPM when using MDA.

     

    I found one document entry on Cisco's site when referencing Radius attribute configuration for IP Phone Authentication:

    https://supportforums.cisco.com/docs/DOC-22478

     

    Sending the "device-traffic-class=voice" in the enforcement profile will allow you to complete the authentication process.  This still doesn't allow you to set voice vlan dynamically, it just sets the phone traffic to the voice vlan configured on the port.

     

    I have attached a screenshot of the enforcement profile for CPPM.
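Pulling the thread together, the workflow agreed on above is: run MAC authentication in a non-enforcing phase to fill the endpoint database, let the profiler classify what it sees, then switch to enforcement and return RADIUS attributes from the enforcement profile (a data VLAN via the tunnel attributes for printers; `device-traffic-class=voice` rather than a dynamic voice VLAN for phones on MDA ports). The following is an added example, not ClearPass code or the poster's attached profile: a model of that decision in plain Python so the two phases and the two kinds of enforcement result can be read side by side. The policy table, vendor names, VLAN number and sample endpoints are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# IETF tunnel attributes used for dynamic VLAN assignment (RFC 3580 / RFC 2868).
TUNNEL_TYPE_VLAN = "13"        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = "6"    # Tunnel-Medium-Type = IEEE-802
# Cisco vendor-specific AV pair from post 13: authorizes the phone into the
# voice VLAN already configured on the MDA port instead of assigning one.
CISCO_AVPAIR_VOICE = "device-traffic-class=voice"


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or Cisco 'aabb.ccdd.eeff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Endpoint:
    mac: str                          # normalized, 12 hex digits
    vendor: Optional[str] = None      # profiler result (MAC OUI, DHCP fingerprint, SNMP)
    category: Optional[str] = None    # profiler classification, e.g. "VoIP Phone"


@dataclass
class Decision:
    accept: bool
    reason: str
    attributes: Dict[str, str] = field(default_factory=dict)


# Constructed policy table (assumption): allowed categories, allowed vendors,
# and what the enforcement profile returns. Printers get a data VLAN through
# the tunnel attributes; phones get the voice AV pair, because a dynamic voice
# VLAN fails authorization on an MDA port (post 12).
POLICY = {
    "Printer":    {"vendors": {"HP", "Xerox"}, "vlan": "40"},
    "VoIP Phone": {"vendors": {"Polycom", "NEC", "Cisco"}, "voice": True},
}


def vlan_attributes(vlan_id: str) -> Dict[str, str]:
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-Id": vlan_id,
    }


def decide(endpoint_db: Dict[str, Endpoint], mac: str, enforce: bool) -> Decision:
    """MAC-auth decision for one request.

    Monitor phase (enforce=False): every MAC is accepted and recorded so the
    endpoint database fills up for profiling. Enforce phase: only endpoints
    the profiler has classified into an allowed category and vendor are
    accepted and get their enforcement-profile attributes; everything else is
    rejected and is left on whatever the port's native (quarantine) VLAN is.
    """
    key = normalize_mac(mac)
    endpoint = endpoint_db.setdefault(key, Endpoint(mac=key))  # learn unknown MACs either way
    if not enforce:
        return Decision(True, "monitor mode: learned, no restriction")
    rule = POLICY.get(endpoint.category or "")
    if rule is None:
        return Decision(False, f"category {endpoint.category!r} not allowed")
    if endpoint.vendor not in rule["vendors"]:
        return Decision(False, f"vendor {endpoint.vendor!r} not allowed for {endpoint.category}")
    if rule.get("voice"):
        return Decision(True, "phone: authorize into the port's configured voice VLAN",
                        {"Cisco-AVPair": CISCO_AVPAIR_VOICE})
    return Decision(True, f"{endpoint.category}: data VLAN {rule['vlan']}",
                    vlan_attributes(rule["vlan"]))


def sample_db() -> Dict[str, Endpoint]:
    """Constructed endpoint database, as the profiler might have filled it."""
    entries = [
        Endpoint("0004f2112233", vendor="Polycom", category="VoIP Phone"),
        Endpoint("3c52823a4b5c", vendor="HP", category="Printer"),
        Endpoint("001122334455", vendor="Unknown", category=None),  # seen, never profiled
    ]
    return {e.mac: e for e in entries}


if __name__ == "__main__":
    db = sample_db()
    for mac in ("0004.f211.2233", "3c:52:82:3a:4b:5c", "00-11-22-33-44-55", "deadbeef0001"):
        for enforce in (False, True):
            d = decide(db, mac, enforce)
            print(f"{mac:20} enforce={enforce!s:5} accept={d.accept!s:5} {d.reason} {d.attributes}")
```

The point of keeping the monitor phase in the same function is that the only difference between the two phases is the `enforce` flag: the learning of MAC addresses into the endpoint database happens in both, which is what makes the later switch to enforcement safe.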