04-02-2015 08:32 PM
I have a large Cisco deployment of Cisco APs and IP Phones. I am utilizing both Data and Voice VLANs on the switchports.
My basic switchport configuration is:
switchport access vlan 32
switchport mode access
switchport voice vlan 34
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
I am trying to create a MAB service that will classify a Cisco AP and an IP Phone when they connect to the network for the first time. Can someone point me in the right direction?
It appears when an IP Phone boots up, you must pass back the following RADIUS attribute.
so the phone will participate on the Voice VLAN correctly. If not, it hangs trying to register the phone, because it appears to be stuck in the data VLAN when it needs to be on the voice VLAN.
If I pass this attribute back for all Cisco Devices, but the device is now an AP, then the AP thinks it should be on the voice vlan instead of the data vlan.
Is there an easier way to do this and have them profiled so my service policies can simply be:
Authorization:[Endpoints Repository]:Category EQUALS VoIP Phone -----> Cisco Phone
Authorization:[Endpoints Repository]:Category EQUALS Access Point ------> Cisco AP
09-21-2015 12:00 PM
Cisco Device Sensor allowed us to profile the device on the fly at first boot on the network. ClearPass sees the device as a VoIP Phone or Access Point, and our service works as needed.
We spent some time getting the right versions of Cisco code to work with this setup. Let me know if you need details.
09-22-2015 03:58 AM
Could it be that you have to change the host-mode configuration on the switch port? I have had a similar setup, and I used multi-domain instead of multi-auth.
Multi-domain mode should be configured if data host is connected through an IP Phone to the port. Multi-domain mode should be configured if the voice device needs to be authenticated.
Multi-auth mode should be configured to allow up to eight devices behind a hub to obtain secured port access through individual authentication. Only one voice device can be authenticated in this mode if a voice VLAN is configured.
Multi-host mode also offers port access for multiple hosts behind a hub, but multi-host mode gives unrestricted port access to the devices after the first user gets authenticated.
With multi-domain, you will have a data domain and a voice domain on the switch port. You can check the authentication via "show authentication interface gi<number>" or "show authentication sessions interface gi<number>".
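As an added example that is not part of any post in this thread and is not ClearPass or Cisco code, the following Python models the two enforcement decisions discussed above (the original "every Cisco device gets the voice attribute" rule from the first post, and the category-based rule the poster wanted) together with the switch-side outcome of each, so the access-point-on-the-voice-VLAN mistake is visible. Several details are assumptions because the thread does not show them: the RADIUS attribute the phone needs is taken to be the Cisco-AVPair "device-traffic-class=voice"; the category strings are the Endpoints Repository values quoted in the post; unprofiled endpoints are rejected; and the MAC addresses and vendor field are constructed sample data.

```python
"""Added example, not code from the thread, ClearPass or Cisco.

Models the two ClearPass enforcement policies discussed above and what a
Cisco switch port with a data VLAN and a voice VLAN does with each reply.

Assumptions (not shown in the thread):
  * the attribute a phone needs to land in the voice domain is the
    Cisco-AVPair "device-traffic-class=voice";
  * category strings match the Endpoints Repository values quoted in the
    first post ("VoIP Phone", "Access Point");
  * an endpoint with no category yet is rejected (a quarantine VLAN plus
    re-authentication is another common choice);
  * MAC addresses and the vendor field are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    access_vlan: int   # "switchport access vlan 32" in the post
    voice_vlan: int    # "switchport voice vlan 34" in the post


@dataclass(frozen=True)
class Endpoint:
    mac: str
    vendor: str               # result of an OUI lookup, e.g. "Cisco" (assumed field)
    category: Optional[str]   # Endpoints Repository category, None if not yet profiled


# Assumed voice attribute (the thread does not show which attribute was returned).
VOICE_ATTR = {"Cisco-AVPair": "device-traffic-class=voice"}


def vlan_attrs(vlan_id: int) -> dict:
    """Standard RADIUS VLAN assignment triplet (RFC 3580)."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def naive_policy(ep: Endpoint) -> tuple[str, dict]:
    """The rule that misbehaved: every Cisco device gets the voice attribute."""
    if ep.vendor == "Cisco":
        return "Access-Accept", dict(VOICE_ATTR)
    return "Access-Reject", {}


def category_policy(ep: Endpoint, port: Port) -> tuple[str, dict]:
    """Category-based rule: phones get the voice attribute, APs the data VLAN."""
    if ep.category == "VoIP Phone":
        return "Access-Accept", dict(VOICE_ATTR)
    if ep.category == "Access Point":
        return "Access-Accept", vlan_attrs(port.access_vlan)
    # Not yet profiled: reject so the endpoint retries once Device Sensor /
    # the profiler has classified it (assumption, see module docstring).
    return "Access-Reject", {}


def switch_outcome(port: Port, result: str, attrs: dict) -> tuple[str, Optional[int]]:
    """Domain and VLAN the switch ends up with for this session.

    The voice AVPair puts the session in the VOICE domain on the voice VLAN;
    a Tunnel-Private-Group-Id overrides the configured access VLAN; anything
    else stays in the DATA domain on the port's access VLAN.
    """
    if result != "Access-Accept":
        return "NONE", None
    if attrs.get("Cisco-AVPair") == "device-traffic-class=voice":
        return "VOICE", port.voice_vlan
    if "Tunnel-Private-Group-Id" in attrs:
        return "DATA", int(attrs["Tunnel-Private-Group-Id"])
    return "DATA", port.access_vlan


def compare_policies(port: Port, ep: Endpoint) -> dict:
    """Outcome of both policies for one endpoint, keyed by policy name."""
    return {
        "naive": switch_outcome(port, *naive_policy(ep)),
        "category": switch_outcome(port, *category_policy(ep, port)),
    }


if __name__ == "__main__":
    port = Port(access_vlan=32, voice_vlan=34)
    # Constructed sample endpoints (documentation MAC range, not real devices).
    phone = Endpoint("00:00:5e:00:53:01", "Cisco", "VoIP Phone")
    ap = Endpoint("00:00:5e:00:53:02", "Cisco", "Access Point")
    unknown = Endpoint("00:00:5e:00:53:03", "Cisco", None)
    for ep in (phone, ap, unknown):
        print(ep.mac, ep.category, compare_policies(port, ep))
```

With the port from the post (access VLAN 32, voice VLAN 34), the naive rule puts both the phone and the AP in the VOICE domain on VLAN 34, which is exactly the AP problem described in the first post; the category rule keeps the phone on 34 and places the AP on 32. The domain returned by `switch_outcome` is what you would expect to see in the "Domain:" line of `show authentication sessions interface gi<number>` on a multi-domain port.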