Occasional Contributor II
Posts: 25
Registered: ‎01-07-2015

How to create a 802.1X service for IP Phones and printers

Hi,

I want to create an 802.1X service to check the device from the static endpoint list and allow a VLAN as per the device type, like:

IP Phone - VLAN10

Printer - VLAN20

Please help.

Regards,

PRASANTH.

MVP
Posts: 4,170
Registered: ‎07-20-2011

Re: How to create a 802.1X service for IP Phones and printers

Add devices to static hosts list group
Then in the enforcement policy create the following rule:
Connection > MAC address > Belongs to group ( static hosts list group) -----send VLAN 20 profile
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 25
Registered: ‎01-07-2015

Re: How to create a 802.1X service for IP Phones and printers

Hi,

As per your suggestion, if I create an enforcement policy like

Connection > MAC address > Belongs to group ( static hosts list group) -----send VLAN 20 profile

All the device MAC addresses added in the static hosts list will get VLAN 20; here I want to assign a VLAN according to the device type, like IP phone or printer, without doing the profiling.

MVP
Posts: 4,170
Registered: ‎07-20-2011

Re: How to create a 802.1X service for IP Phones and printers

In order for CPPM to determine the type of device, you will need to do profiling.

Are these devices on wired or attached to an Aruba AP?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 25
Registered: ‎01-07-2015

Re: How to create a 802.1X service for IP Phones and printers

Is it not possible to assign different enforcement policy without doing profiling?

New Contributor
Posts: 4
Registered: ‎06-15-2015

Re: How to create a 802.1X service for IP Phones and printers

If you were doing 802.1x then yes, it would be possible without profiling; you could match on some element of the EAPoL exchange (MS-CHAP username, cert CN, etc.). You are saying you want to use just a static endpoint, so there is no two-way communication with the phone or printer; therefore device profiling is the only way to glean information about the client device.

MVP
Posts: 4,170
Registered: ‎07-20-2011

Re: How to create a 802.1X service for IP Phones and printers

You can assign different enforcement policies if you use the static host lists by making a Printer group and an IP Phone group, but you can't make a decision based on the type of device since CPPM doesn't have that information in the endpoint database.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 4,170
Registered: ‎07-20-2011

Re: How to create a 802.1X service for IP Phones and printers

 

You can do something like this:

2015-07-29 08_36_46-ClearPass Policy Manager - Aruba Networks.png

2015-07-29 08_35_33-ClearPass Policy Manager - Aruba Networks.png

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 25
Registered: ‎01-07-2015

Re: How to create a 802.1X service for IP Phones and printers

Hi,

I have tried configuring the service authentication as follows:

Authentication type: MAC

Authentication Source: Static Host List

But I am getting the below error:

MAC_AUTH: No password in request. Not attempting MAC authentication

Cannot select appropriate authentication method

Guru Elite
Posts: 8,180
Registered: ‎09-08-2010

Re: How to create a 802.1X service for IP Phones and printers

What is the network device you're using? You need to configure it to send the MAC address as the username and password.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
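
Added example, not part of the thread and not ClearPass code: a simplified Python model of the MAC authentication path discussed above, where the network device sends the MAC address as both username and password and membership in a static host list group selects the VLAN. The group names, MAC addresses and the `evaluate_mac_auth` function are assumptions made for illustration; VLAN 10 and VLAN 20 follow the original question.

```python
import re

# Constructed static host lists (hypothetical MACs); VLAN IDs follow the thread.
STATIC_HOST_LISTS = {
    "IP-Phones": {"vlan": 10, "macs": {"001122aabb01", "001122aabb02"}},
    "Printers": {"vlan": 20, "macs": {"001122ccdd01"}},
}


def normalize_mac(value):
    """Strip ':', '-', '.' separators and lowercase; None if not 12 hex digits."""
    if not isinstance(value, str):
        return None
    digits = re.sub(r"[:\-.]", "", value.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def evaluate_mac_auth(request):
    """Return (decision, vlan, reason) for a dict of RADIUS-style attributes."""
    user = normalize_mac(request.get("User-Name"))
    if user is None:
        return ("REJECT", None, "User-Name is not a MAC address")
    password = request.get("User-Password")
    if not password:
        # The failure in the thread: the network device sent no password.
        return ("REJECT", None, "no password in request")
    if normalize_mac(password) != user:
        return ("REJECT", None, "password does not match MAC in User-Name")
    # One group per device class, as suggested in the thread, instead of profiling.
    for group, entry in STATIC_HOST_LISTS.items():
        if user in entry["macs"]:
            return ("ACCEPT", entry["vlan"], f"member of {group}")
    return ("REJECT", None, "MAC not in any static host list")


if __name__ == "__main__":
    # Constructed sample requests covering each outcome.
    samples = [
        {"User-Name": "00:11:22:AA:BB:01", "User-Password": "00:11:22:AA:BB:01"},
        {"User-Name": "0011.22cc.dd01", "User-Password": "001122ccdd01"},
        {"User-Name": "00-11-22-AA-BB-02"},
        {"User-Name": "de:ad:be:ef:00:01", "User-Password": "deadbeef0001"},
    ]
    for req in samples:
        print(req.get("User-Name"), "->", evaluate_mac_auth(req))
```

MAC authentication proves only that the request carried a listed address, so the phone and printer VLANs should be scoped to what those devices need.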