Occasional Contributor II

Dual Port IP Phone

Gurus,


I'm trying to do authentication with ClearPass using an Aruba 3810 switch. I've successfully tested 802.1X with the Cisco VoIP phone and a laptop with 802.1X enabled; both successfully authenticated and got the correct VLAN.

But if the laptop is not configured with 802.1X enabled, it fails to redirect to the captive portal to authenticate. The laptop didn't get an IP address, but inside ClearPass I'm able to see that the client is pushed the correct profile for the captive portal login.

Can this be done? The Cisco phone will use MAC auth, and the client connected to the phone will do MAC auth also.

Voice VLAN: 854

data VLAN: 351

switch: Aruba 3810 (16.04.0009)

config:

aaa server-group radius "CPPM" host 10.50.6.76
aaa accounting update periodic 1
aaa accounting network start-stop radius server-group "CPPM"
aaa authentication port-access eap-radius authorized
aaa authentication web-based chap-radius server-group "CPPM"
aaa authentication mac-based chap-radius server-group "CPPM"
aaa authentication captive-portal enable

interface x
untagged vlan 351
tagged vlan 854
aaa port-access authenticator
aaa port-access authenticator x auth-vid 351
aaa port-access authenticator active
aaa port-access authenticator x client-limit 3
aaa port-access mac-based
aaa port-access mac-based 13 auth-vid 351

Guru Elite

Re: Dual Port IP Phone

Did you follow the ClearPass Solution Guide for Wired Policy Enforcement?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Dual Port IP Phone

Hi Tim,

Should be, as everything is working as it should, except for the part where I need to connect the client to the Cisco VoIP phone port.

Guru Elite

Re: Dual Port IP Phone

If the Cisco phone is expecting a tagged VLAN, add a tagged VLAN to your phone role.

Occasional Contributor II

Re: Dual Port IP Phone

Yes... the Cisco phone is getting an IP address on the tagged VLAN. 802.1X is working with the phone, but MAC auth doesn't work for URL redirection.

Re: Dual Port IP Phone

Yes, I just tried this in my lab and it works, 7940 phone with a laptop behind it where I do get redirected on the laptop. One thing that might be causing what you see is that by default only a single MAC address is allowed for mac authentication.


Do you have the addr-limit set in your config?

aaa port-access mac-based 1-4 addr-limit 3


--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
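The addr-limit check suggested in the reply above can be automated. The following script is an added example, not code from the thread or from Aruba: it parses ArubaOS-Switch style "aaa port-access" lines (expanding numeric port ranges such as 1-4) and flags any port running mac-based authentication that still has the default single-address limit, which is exactly the condition that stops the PC behind a phone from being MAC-authenticated. The sample configuration is constructed for the example.

```python
import re
# Constructed sample modelled on the thread: port 13 has a client-limit for
# 802.1X but no addr-limit for mac-based, so MAC auth defaults to one address.
SAMPLE_CONFIG = """\
aaa authentication mac-based chap-radius server-group "CPPM"
aaa port-access authenticator 13
aaa port-access authenticator 13 auth-vid 351
aaa port-access authenticator 13 client-limit 3
aaa port-access mac-based 13
aaa port-access mac-based 13 auth-vid 351
aaa port-access mac-based 14 addr-limit 3
"""
PORT_RE = re.compile(r'^aaa port-access (authenticator|mac-based) (\S+)(?: (.*))?$')

def expand_ports(spec):
    """Expand '1-4' or '1,3' style numeric port specs into individual port names."""
    ports = []
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        if lo.isdigit() and hi.isdigit():
            ports.extend(str(i) for i in range(int(lo), int(hi) + 1))
        else:
            ports.append(part)
    return ports

def parse_port_access(config):
    """Return {port: {method: {option: value}}} for aaa port-access lines."""
    ports = {}
    for line in config.splitlines():
        m = PORT_RE.match(line.strip())
        if not m or not any(c.isdigit() for c in m.group(2)):
            continue  # skip global lines such as 'aaa port-access authenticator active'
        method, spec, rest = m.group(1), m.group(2), (m.group(3) or '').split()
        for port in expand_ports(spec):
            entry = ports.setdefault(port, {}).setdefault(method, {})
            if rest:
                entry[rest[0]] = rest[1] if len(rest) > 1 else True
    return ports

def find_single_mac_limits(ports, expected=2):
    """Flag mac-based ports whose addr-limit (default 1) is below the number of
    MACs expected behind a phone (phone + PC)."""
    findings = []
    for port, methods in sorted(ports.items()):
        mac = methods.get('mac-based')
        if mac is not None and int(mac.get('addr-limit', 1)) < expected:
            findings.append((port, int(mac.get('addr-limit', 1))))
    return findings

if __name__ == '__main__':
    for port, limit in find_single_mac_limits(parse_port_access(SAMPLE_CONFIG)):
        print(f"port {port}: mac-based addr-limit {limit}, a second MAC behind the phone will not authenticate")
```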
Occasional Contributor II

Re: Dual Port IP Phone

Herman,


Yes, that does the trick. The limitation, if the laptop is connected to the phone, is that CoA won't work when I want to change the client VLAN from 351 to 359. I have to manually unplug and plug back in to change the VLAN.

Is this normal? Is it because CoA is only supported on the Aruba switch and not the Cisco phone?

Re: Dual Port IP Phone

What type of CoA are you sending out, and for what use-case? I only tested without CoA where I returned the client VLAN in a standard VLAN enforcement. So the client is not really switching VLANs.

I just tested, and sending an [HPE Terminate Session] to one of the devices (Phone or Laptop) triggers a re-authentication for that specific device only.

So you are not sending the CoA for the laptop to the Phone, but to the switch because that is where the authentication is happening.


If you still are stuck, it may help to contact your Aruba ClearPass partner or Aruba TAC to do some interactive session to address your use-case.

Occasional Contributor II

Re: Dual Port IP Phone

Manual CoA is working and manages to terminate, but it only works using the same VLAN. If I plan to change the VLAN it won't work.

Re: Dual Port IP Phone

Still, I'm not sure what you are trying to achieve and how. I would try to avoid switching VLANs whenever possible, and rather use roles or dACLs to limit traffic for unknown devices. The structure that I typically use is to put devices in a profiling VLAN or role, then, when you learn new information on the device, trigger a CoA that re-authenticates the client and in the new authentication returns the proper access.


This video describes how I tend to do such a workflow:

https://www.youtube.com/watch?v=DA8Bm7m2drM

In the video, I do the VLAN change, and in that case the port-bounce is used to let the attached device do a new DHCP request for an IP in the new, changed VLAN. It looks like a port-bounce is not transferred through the phone, so again a reason to prevent VLAN changes.


It is really hard to remotely troubleshoot your situation, if you have access to Aruba TAC, I would contact them.
