Frequent Contributor I
Posts: 87
Registered: ‎08-05-2013

ClearPass with Cisco C40 Video Codec?

Anyone have any success with ClearPass and Cisco C40 Video Conferencing codecs?  Curious if a VSA needs to be sent back to the switch, other than the normal device-traffic-class=voice. (Tried that and it didn't work).

Guru Elite
Posts: 19,988
Registered: ‎03-29-2007

Re: ClearPass with Cisco C40 Video Codec?

When you say "success", what do you mean?  What model switch are you talking about?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs

Frequent Contributor I
Posts: 87
Registered: ‎08-05-2013

Re: ClearPass with Cisco C40 Video Codec?

"Success" means the device exists on a port configured for 802.1x/MAB authentication, was fingerprinted correctly and authenticates within that framework.  I have Cisco C40 video conferencing codecs that are being fingerprinted, however the enforcement policy is not letting them on.  Curious if there is a VSA that needs to be sent back to the switch, like VoIP phones. Switches are Cisco 3750x and 4507R+E. 

Guru Elite
Posts: 19,988
Registered: ‎03-29-2007

Re: ClearPass with Cisco C40 Video Codec?

Sorry if you have done this already, but did you see the ASE solution here?  https://ase.arubanetworks.com/solutions/id/93

Colin Joseph
Aruba Customer Engineering

Frequent Contributor I
Posts: 87
Registered: ‎08-05-2013

Re: ClearPass with Cisco C40 Video Codec?

Thanks for the link, however I have 802.1x/MAB working across my environment already with all my Cisco switches.  Laptops, APs, Crestron room schedulers, VoIP phones, printers, etc. all work with the port config and wired service that was created.  I'm only having issues with video conferencing codecs being allowed on.  

Guru Elite
Posts: 19,988
Registered: ‎03-29-2007

Re: ClearPass with Cisco C40 Video Codec?

Is the device being placed into the correct VLAN, but no voice traffic is flowing?  device-traffic-class=voice is really to just put a voice device into the correct voice VLAN, right?

Colin Joseph
Aruba Customer Engineering

Frequent Contributor I
Posts: 87
Registered: ‎08-05-2013

Re: ClearPass with Cisco C40 Video Codec?

I'm not doing any dynamic VLAN'ing.  My enforcement policies are simple "allow access" or "deny access".  The switchport configuration calls the shots on what VLAN the device gets.  My service says "If you are a video conferencing endpoint and manufactured by Cisco you are allowed on".  The port that the video conference device is plugged into is already configured for the correct VLAN.  However, even though the video conferencing endpoint is fingerprinted and exists in the endpoints database, the "allow access" enforcement profile for that service doesn't work.  I'm thinking there's something else the switch needs to see from ClearPass.  Not sure.

MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: ClearPass with Cisco C40 Video Codec?


RyanNetEng wrote:

However, even though the video conferencing endpoint is fingerprinted and exists in the endpoints database, the "allow access" enforcement profile for that service doesn't work.  I'm thinking there's something else the switch needs to see from ClearPass.  Not sure.


What do you mean with the allow access doesn't work, is the device totally disallowed or ...? If you just send an allow and no other things and this works for all other devices, I don't see why it wouldn't for this one. You might want to look into dot1x debugs on the Cisco.
