MVP
Posts: 1,111
Registered: 10-11-2011

MAC Bypass

I'm trying to set up a simple MAC bypass service and can't figure out how to enforce a policy if the incoming MAC is listed on a static host list I created.

Here is what I've done:

  1. I used the wizard to create the service.
  2. Created a static host list called IP Phones and added a few test phone MACs to it.
  3. Under the Authentication tab for the MAC bypass service, I made sure [MAC AUTH] is the authentication method and added the IP Phones static host list as the authentication source.
  4. I created an enforcement profile that will set the VLAN to a VOICE VLAN.

Now I'm stuck, because I don't know what conditions I'm supposed to use in order to enforce the VOIP policy. Basically, if the incoming MAC is on the static host list, then enforce the VOIP policy. Can someone clue me in?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Aruba Employee
Posts: 20
Registered: 11-17-2011

Re: MAC Bypass

Do you need assistance with setting up the service rules to kick off the service, or with how to configure the enforcement policy to act on the fact that those devices are in the static list?

MVP
Posts: 1,111
Registered: 10-11-2011

Re: MAC Bypass

I need assistance with the Enforcement Policy. I'm assuming that I use the Enforcement Policy to match the MAC of the client to the static host list and enforce the profile that's been set up?

MVP
Posts: 1,111
Registered: 10-11-2011

Re: MAC Bypass

I'm a little bit further than I was before. I set up an enforcement policy with the following conditions:

Tips > Role > EQUALS > [USER Authenticated]

Authentication > OuterMethod > EQUALS > MAC-AUTH

I'm no longer receiving a REJECT message in Access Tracker for the test phone, BUT the phone isn't working. The switchport (on a Cisco 4500) shows "notconnect" for the port, and the following syslog message is logged:

%AUTHMGR-5-FAIL: Authorization failed for client (0004.f2**.****) on Interface Gi3/17

I'm not sure if the syslog message is indicative of anything. However, the phone keeps authenticating itself, as I'm seeing an ACCEPT message logged for the phone in Access Tracker every 2 minutes.

Does anyone know if this is a ClearPass issue or switch issue?

Guru Elite
Posts: 21,270
Registered: 03-29-2007

Re: MAC Bypass

Try this:

RADIUS:IETF:Calling-Station-ID BELONGS_TO_GROUP Employee Machine Static Host List

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,111
Registered: 10-11-2011

Re: MAC Bypass

cjoseph,

Thanks! I assume I was supposed to create a role mapping with that info and then reference the role in the enforcement policy to enforce the profile. While that correctly authenticated the phone, I was still running into the same issue above, where the switch showed that the phone wasn't authorized and therefore was not working on the network. I finally found the explanation for this:

You must configure the voice VLAN for the IP phone when the host mode is set to multidomain.
Note: If you use a dynamic VLAN in order to assign a voice VLAN on an MDA-enabled switch port, the voice device fails authorization.

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

Once the voice VLAN was configured on the port, the phone showed connected and authorized. However, since it's a Polycom phone, I had to set the access VLAN so the phone could get its VLAN from DHCP.

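The switchport configuration the thread converges on, as an added example written for this page. It is not taken from the original posts or from Aruba or Cisco documentation; the interface name, VLAN numbers, RADIUS server address and shared secret are placeholders. The "before" stanza reproduces the failing setup described above (multi-domain host mode with the voice VLAN supplied only dynamically by the Access-Accept); the "after" stanza keeps the voice VLAN statically on the port, which is what the quoted Cisco note requires. Two caveats the thread itself does not mention: for a device to land in the voice domain of a multi-domain port, the RADIUS server also has to return the Cisco AVPair `device-traffic-class=voice`; and MAC authentication bypass only proves that a client presented a MAC address, which any host can forge, so the VOICE VLAN should be segmented and filtered as an untrusted network.

```cisco
! Global AAA / RADIUS pointing at ClearPass (address and key are placeholders)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key ClearPassSharedSecret
!
! --- before: the configuration that produces %AUTHMGR-5-FAIL ---
! Multi-domain host mode, but the voice VLAN exists only in the
! Access-Accept sent by ClearPass. The phone authenticates (ACCEPT in
! Access Tracker) and is then refused authorization by the switch.
interface GigabitEthernet3/17
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-domain
 authentication port-control auto
 mab
!
! --- after: voice VLAN configured statically on the port ---
! VLAN 20 is the voice VLAN, VLAN 10 the data/access VLAN. The access VLAN
! is kept so a phone that learns its voice VLAN over DHCP (as the Polycom
! in the thread does) can reach the data VLAN first. MAB runs before 802.1X
! so the phone is not held up by an EAP timeout.
interface GigabitEthernet3/17
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

On the ClearPass side, the enforcement profile applied to the IP phone role should return `Radius:Cisco:Cisco-AVPair = device-traffic-class=voice` alongside the usual VLAN attributes (`Tunnel-Type = VLAN`, `Tunnel-Medium-Type = IEEE-802`, `Tunnel-Private-Group-Id = 20`); without the AVPair the switch treats the phone as a data device and, with a second host already in the data domain, will reject it. The condition suggested earlier in the thread, `RADIUS:IETF:Calling-Station-ID BELONGS_TO_GROUP <static host list>`, is what selects that role.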
Guru Elite
Posts: 21,270
Registered: 03-29-2007

Re: MAC Bypass

thecompnerd,

Thank you for that information!

Colin Joseph
Aruba Customer Engineering