Moderator
Posts: 894
Registered: ‎07-29-2010

ClearPass for wired phones and printers

Hey guys

A customer of ours is interested in the ClearPass solution for its wireless and wired infrastructure. They intend to deploy dot1x authentication in the wired network but have some concerns that perhaps you may be able to help us with.

Our customer has Cisco 2960S and AT8000S switches. They also have some NEC VoIP phones that support dot1x authentication but our customer is not too fond of using it on their phones.

In regards to printers, my guess is that we would have to do some sort of MAC auth bypass (we'll have to see how that's done using Allied Telesis switches) and that the CPPM would need to have the full database of printers' MAC addresses. Am I right? Do you guys know of a better way of authenticating printers? I'm thinking we might be able to authenticate based on the device profile or something like that....

In regards to VoIP phones, our customer has PCs connected to them. How would the dot1x authentication work in this case? Will we be able to authenticate the PC using dot1x but allow communication for the VoIP phone at the same time?

Thanks a lot

Regards

Samuel

 

Samuel Pérez
ACMP, ACCP, ACDX#100

---

If I answered your question, please click on "Accept as Solution".
If you find this post useful, give me kudos for it ;)
Guru Elite
Posts: 20,579
Registered: ‎03-29-2007

Re: ClearPass for wired phones and printers

Most phones and printers you can enforce using MAC authentication. The usual procedure is that there is a period of time where you do MAC authentication and collect all the MAC addresses of devices on your wired network, but do not enforce it (allow unknown MAC addresses while doing authentication). While these devices are collected, they end up in the endpoint database and, using profiler (forwarding DHCP requests to the CPPM server), it will identify the manufacturer and OS of devices so that you can go through and decide what is a desired device or not. Later, when you are satisfied that you have enough devices profiled, you can turn on enforcement.

Some phones do 802.1x, and some do not. Some phones allow the device on the port behind them to also do 802.1x, and that device can be enforced separately. This is all dependent on the phone...

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Moderator
Posts: 894
Registered: ‎07-29-2010

Re: ClearPass for wired phones and printers

Hi Cjoseph

 

Thanks for your quick reply and for the great idea you gave me. Building on top of that, would it be possible to do that MAC authentication (without enforcing) and shut down the port in case the device type is not allowed?

 

Regards

Samuel Pérez
ACMP, ACCP, ACDX#100

New Contributor
Posts: 1
Registered: ‎04-13-2009

Re: ClearPass for wired phones and printers

Hey Samuel,

 

As far as I know, to shut down the port on the switch side you would have to define what happens when a violation occurs. CPPM would check to see if that device type is accepted and/or if it exists in the MAC database and, if not, then it would simply send back a reject message to your switch. Once your switch gets that you should be able to define a violation action it takes, but it depends on the switch.

Guru Elite
Posts: 20,579
Registered: ‎03-29-2007

Re: ClearPass for wired phones and printers

We cannot shut down the port, but you can have the home VLAN be a quarantine VLAN and have CPPM switch it based on whether the device passes and where you want it to be.


Colin Joseph
Aruba Customer Engineering

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: ClearPass for wired phones and printers


I too am trying to figure out how to authenticate my wired phones that don't support dot1x. I want to be sure I understand what you're suggesting... Are you saying that after enough time has passed to profile all of the devices on the network, you would key off of device attributes that have been collected in order to authenticate a phone to the network? i.e. if the device connecting has been profiled and its vendor is "polycom" and it's a phone, then enforce a policy? If so, this sounds way more desirable than using a static host list, since the endpoint database is dynamic and a host list is static.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Moderator
Posts: 894
Registered: ‎07-29-2010

Re: ClearPass for wired phones and printers

Hum, I didn't understand the same thing as you did. From what I gathered, you'd learn all the MAC addresses in your network for some time and then you'd create some sort of static list based on the MAC addresses learnt. Am I right?

 

Regards

Samuel Pérez
ACMP, ACCP, ACDX#100

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: ClearPass for wired phones and printers

Samuel,

 

I believe you're correct in what you're saying, I was just hoping that there is another way of authenticating devices.  Since ClearPass learns all endpoints that connect and is capable of profiling them, why not use the attributes collected and build a service that matches those attributes to enforce policy?  If it profiles a device that is a Cisco IP Phone, then put it in VLAN X -- something to that effect.

Moderator
Posts: 894
Registered: ‎07-29-2010

Re: ClearPass for wired phones and printers

I don't think you can do dynamic VLAN assignment when using MAC authentication.
Samuel Pérez
ACMP, ACCP, ACDX#100

Guru Elite
Posts: 20,579
Registered: ‎03-29-2007

Re: ClearPass for wired phones and printers

You can:  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html#wp9000104

 

You can just return a RADIUS attribute in the result of a positive MAC authentication.

 



Colin Joseph
Aruba Customer Engineering
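Added example, not code from ClearPass, Aruba or anyone in this thread: a small model of the workflow the replies describe. Endpoints learned during the "collect but don't enforce" phase carry profiler attributes, a policy maps those attributes to the RADIUS VLAN attributes a switch honours on a successful MAC auth, and once enforcement is on, devices that match no rule are parked in a quarantine VLAN instead of having their port shut down. The rule table, VLAN numbers and MAC addresses are constructed sample values.

```python
from dataclasses import dataclass, field

# IETF RADIUS values used for dynamic VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass
class Endpoint:
    mac: str
    vendor: str = "unknown"     # learned by the profiler (OUI / DHCP fingerprint)
    category: str = "unknown"   # e.g. "VoIP Phone", "Printer"


@dataclass
class Policy:
    enforce: bool = False               # False = collection phase, unknowns allowed
    quarantine_vlan: str = "999"        # home VLAN for devices that match no rule
    # (category, vendor substring) -> VLAN; "*" matches any vendor. Constructed rules.
    rules: dict = field(default_factory=lambda: {
        ("VoIP Phone", "*"): "20",
        ("Printer", "*"): "30",
    })


def normalize_mac(mac: str) -> str:
    """Canonical lowercase hex form, as used for the MAC-auth username."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def vlan_attrs(vlan: str) -> dict:
    """RADIUS reply attributes that tell the switch which VLAN to put the port in."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-ID": vlan}


def authorize(endpoint_db: dict, policy: Policy, mac: str) -> tuple:
    """Decide a MAC-auth request: returns (result, reply attributes)."""
    key = normalize_mac(mac)
    ep = endpoint_db.get(key)
    if ep is not None:
        for (cat, vendor), vlan in policy.rules.items():
            if ep.category == cat and (vendor == "*" or vendor.lower() in ep.vendor.lower()):
                return ("Access-Accept", vlan_attrs(vlan))
    if not policy.enforce:
        # Collection phase: admit the unknown device and record it so the
        # profiler can fill in vendor/category later.
        endpoint_db.setdefault(key, Endpoint(mac=key))
        return ("Access-Accept", {})
    # Enforcement on: unmatched device goes to the quarantine VLAN.
    return ("Access-Accept", vlan_attrs(policy.quarantine_vlan))
```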
