IP Phone Repository for ClearPass

  • 1.  IP Phone Repository for ClearPass

    Posted Mar 14, 2018 03:51 PM

    During the initial rollout of 802.1X in our corporate environment we are testing IP phones and how they authenticate against ClearPass. We've found that it may be best to perform MAB against a local repository that we populate with IP phone MAC addresses to start with, then at some point in the future move to enabling 802.1X on the phones (if possible) and load them with certificates.

    We'd like to have the phones use the voice VLAN assigned on each port, as we'll have numerous branch offices with different voice VLANs at each attempting to authenticate. In that scenario we can't send back a unique voice VLAN and would like to just send the [Allow Access Profile].

    My question then is: is it a best practice to use the original [Endpoints Repository], or should we create a unique one for IP phones specifically (then one for printers, access points, etc.)?



  • 2.  RE: IP Phone Repository for ClearPass

    EMPLOYEE
    Posted Mar 14, 2018 04:16 PM
    Any manual endpoints should use Device Registration.

    What kind of switches?


  • 3.  RE: IP Phone Repository for ClearPass

    Posted Mar 14, 2018 04:17 PM

    Cisco 3650/3850 access layer switches.



  • 4.  RE: IP Phone Repository for ClearPass
    Best Answer

    EMPLOYEE
    Posted Mar 14, 2018 04:48 PM
    Take a look at the ClearPass Solution Guide for Wired Policy Enforcement. When you return the voice class via RADIUS VSA, the switch will use the locally defined voice VLAN for that session.


  • 5.  RE: IP Phone Repository for ClearPass

    Posted Mar 14, 2018 04:51 PM

    Thanks Tim! I will take a look and reply with any further updates or the resolution.



  • 6.  RE: IP Phone Repository for ClearPass

    Posted Mar 15, 2018 09:44 AM

    In our testing with MAB and Cisco 3850s, if the port has a voice VLAN set up, the Cisco phone will get that VLAN no matter if you send the device-traffic-class=voice or not. At least with auth mode of multi-auth.



  • 7.  RE: IP Phone Repository for ClearPass

    Posted Mar 16, 2018 04:35 PM

    I followed the solution guide noted by Tim and found a lot of good information on setting up this service. Using device-traffic-class=voice also allowed our IP phones to be placed on the correct local voice VLAN rather than the data VLAN.