Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass with Cisco C40 Video Codec?

  • 1.  ClearPass with Cisco C40 Video Codec?

    Posted Mar 18, 2016 03:52 PM

    Anyone have any success with ClearPass and Cisco C40 Video Conferencing codecs?  Curious if a VSA needs to be sent back to the switch, other than the normal device-traffic-class=voice. (Tried that and it didn't work). 

     



  • 2.  RE: ClearPass with Cisco C40 Video Codec?

    EMPLOYEE
    Posted Mar 19, 2016 07:01 PM

    When you say "success", what do you mean?  What model switch are you talking about?



  • 3.  RE: ClearPass with Cisco C40 Video Codec?

    Posted Mar 22, 2016 08:34 AM

    "Success" means the device exists on a port configured for 802.1x/MAB authentication, was fingerprinted correctly and authenticates within that framework.  I have Cisco C40 video conferencing codecs that are being fingerprinted, however the enforcement policy is not letting them on.  Curious if there is a VSA that needs to be sent back to the switch, like VoIP phones. Switches are Cisco 3750x and 4507R+E. 



  • 4.  RE: ClearPass with Cisco C40 Video Codec?

    EMPLOYEE
    Posted Mar 22, 2016 08:50 AM

    Sorry if you have done this already, but did you see the ASE solution here?  https://ase.arubanetworks.com/solutions/id/93

     

     



  • 5.  RE: ClearPass with Cisco C40 Video Codec?

    Posted Mar 22, 2016 08:58 AM

    Thanks for the link, however I have 802.1x/MAB working across my environment already with all my Cisco switches.  Laptops, APs, Crestron room schedulers, VoIP phones, printers, etc. all work with the port config and wired service that was created.  I'm only having issues with video conferencing codecs being allowed on.  



  • 6.  RE: ClearPass with Cisco C40 Video Codec?

    EMPLOYEE
    Posted Mar 22, 2016 09:01 AM

    Is the device being placed into the correct VLAN, but no voice traffic is flowing?  device-traffic-class=voice is really to just put a voice device into the correct voice VLAN, right?



  • 7.  RE: ClearPass with Cisco C40 Video Codec?

    Posted Mar 22, 2016 09:08 AM

    I'm not doing any dynamic VLAN'ing.  My enforcement policies are simple "allow access" or "deny access".  The switchport configuration calls the shots on what VLAN the device gets.  My service says "If you are a video conferencing endpoint and manufactured by Cisco you are allowed on".  The port that the video conference device is plugged into is already configured for the correct VLAN.  However, even though the video conferencing endpoint is fingerprinted and exists in the endpoints database, the "allow access" enforcement profile for that service doesn't work.  I'm thinking there's something else the switch needs to see from ClearPass.  Not sure.



  • 8.  RE: ClearPass with Cisco C40 Video Codec?

    Posted Mar 26, 2016 11:32 AM

    @RyanNetEng wrote:

    However, even though the video conferencing endpoint is fingerprinted and exists in the endpoints database, the "allow access" enforcement profile for that service doesn't work.  I'm thinking there's something else the switch needs to see from ClearPass.  Not sure.


    What do you mean by "the allow access doesn't work"? Is the device totally disallowed or ...? If you just send an allow and nothing else, and this works for all other devices, I don't see why it wouldn't for this one. You might want to look into dot1x debugs on the Cisco.