Security

Reply
Occasional Contributor II

Clearpass Profile Cisco IP Phone With Generic

i've manage to profile my Cisco IP phone with aruba switch without any issue but failed to do so with cisco switch. the only way i can make the phone profile is through SNMP

 

ip helper has been configured correctly at the L3 interface.

 

image.png

 

if i connect the same phone, it will be succesfully profiled. all computers able to profiled succesfully with the cisco switches.

 

Cisco config:

 

ip dhcp relay information trust-all
ip dhcp snooping vlan x-y

 

interface range GigabitEthernet x
switchport access vlan x
switchport mode access
switchport voice vlan x
authentication event server dead action authorize vlan x
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 10
dot1x max-req 3
dot1x max-reauth-req 3
spanning-tree portfast

Guru Elite

Re: Clearpass Profile Cisco IP Phone With Generic

What is the fingerprint for the endpoint?


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clearpass Profile Cisco IP Phone With Generic

As requested:
Occasional Contributor II

Re: Clearpass Profile Cisco IP Phone With Generic

I'm running into a very similar issue.

 

I have a Catalyst 4500 switch connected (L2) to a Cisco 9K. We're using a guest VLAN terminated on the 9K for all unknown devices. The VLAN on the 9K is in its own VRF, with IP relays setup correctly on the 9K to forward DHCP to our internal AD servers.

 

When we connect a workstation to the 4500, we get the correct guest VLAN assignment and the DHCP Discover gets forwarded to our domain controller. When we connect an IP phone, it seems that the DHCP discover is not forwared off the 4500.. Despite it also getting the same guest vlan/Data port assignment.


Has anyone seen this behavior before? I suspect it's something to do with the way the 4500 is handling the VOIP phone.


Else is there another way I can profile phones?

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: