Trusted Contributor I

MAC Bypass

I'm trying to set up a simple MAC bypass service and can't figure out how to enforce a policy if the incoming MAC is listed on a static host list I created.

 

Here is what I've done:

 

  1. I used the wizard to create the service.
  2. Created a static host list called IP Phones and added a few test phone MACs to it.
  3. Under the Authentication tab for the MAC bypass service, I made sure [MAC AUTH] is the authentication method and added the IP Phones static host list as the authentication source.
  4. I created an enforcement profile that will set the VLAN to a VOICE VLAN.

 

Now I'm stuck, because I don't know what conditions I'm supposed to use in order to enforce the VOIP policy.  Basically, if the incoming MAC is on the static host list, then enforce the VOIP policy.  Can someone clue me in?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Aruba Employee

Re: MAC Bypass

Are you needing assistance with setting up the service rules to kick off the service or how to configure the enforcement policy to act on the fact that those devices are in the static list?  

Trusted Contributor I

Re: MAC Bypass

I need assistance with the Enforcement Policy.  I'm assuming that I use the Enforcement Policy to match the MAC of the client to the static host list and enforce the profile that's been set up???

Trusted Contributor I

Re: MAC Bypass

I'm a little bit further than I was before.  I set up an enforcement policy with the following conditions:

 

Tips > Role > EQUALS > [USER Authenticated]

Authentication > OuterMethod > EQUALS > MAC-AUTH

 

I'm no longer receiving a REJECT message in Access Tracker for the test phone, BUT the phone isn't working.  The switchport (on a Cisco 4500) shows "notconnect" for the port and the following syslog message:

 

%AUTHMGR-5-FAIL: Authorization failed for client (0004.f2**.****) on Interface Gi3/17

 

I'm not sure if the syslog message is indicative of anything.  However, the phone keeps authenticating itself, as I'm seeing an ACCEPT message logged for the phone in Access Tracker every 2 minutes.

 

Does anyone know if this is a ClearPass issue or switch issue?

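The symptom described in this post (ClearPass logs an ACCEPT for the phone every couple of minutes while the switch logs %AUTHMGR-5-FAIL and leaves the port notconnect) is easy to spot when the two logs are correlated by MAC. The following is an added example, not code from the thread or from ClearPass; the Access Tracker export format (timestamp,mac,method,result), the host name, MACs and timestamps are all constructed for the example.

```python
import re
from collections import defaultdict

AUTHMGR_FAIL = re.compile(  # Cisco IOS line in the form quoted in the thread
    r"%AUTHMGR-5-FAIL: Authorization failed for client "
    r"\(([0-9a-fA-F.]+)\) on Interface (\S+)")

def canon(mac):
    """12 lowercase hex digits, whatever separator the source used."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_switch_fails(syslog_lines):
    """Yield (mac, interface) for each NAS authorization failure."""
    for line in syslog_lines:
        m = AUTHMGR_FAIL.search(line)
        if m:
            yield canon(m.group(1)), m.group(2)

def parse_tracker_accepts(tracker_lines):
    """Constructed Access Tracker export: 'timestamp,mac,method,result'."""
    for line in tracker_lines:
        _ts, mac, method, result = line.strip().split(",")
        if result == "ACCEPT":
            yield canon(mac), method

def correlate(syslog_lines, tracker_lines):
    """{mac: finding} for MACs ClearPass accepted but the NAS then refused."""
    accepts, methods = defaultdict(int), {}
    for mac, method in parse_tracker_accepts(tracker_lines):
        accepts[mac] += 1
        methods[mac] = method
    fails = defaultdict(set)
    for mac, intf in parse_switch_fails(syslog_lines):
        fails[mac].add(intf)
    return {mac: {"accepts": accepts[mac], "method": methods[mac],
                  "interfaces": sorted(intfs),
                  "hint": "RADIUS ACCEPT but NAS authorization failed; check port host-mode/voice VLAN"}
            for mac, intfs in fails.items() if accepts[mac]}

# Constructed sample logs (MACs, host name and times are made up)
SYSLOG = [
    "Jan 10 10:02:05 sw4500 %AUTHMGR-5-FAIL: Authorization failed for client (0004.f2aa.bb01) on Interface Gi3/17",
    "Jan 10 10:04:06 sw4500 %LINK-3-UPDOWN: Interface GigabitEthernet3/18, changed state to up",
]
TRACKER = [
    "2014-01-10 10:02:04,00-04-F2-AA-BB-01,MAC-AUTH,ACCEPT",
    "2014-01-10 10:04:04,00-04-F2-AA-BB-01,MAC-AUTH,ACCEPT",
    "2014-01-10 10:04:05,00-11-22-33-44-55,MAC-AUTH,ACCEPT",
]
```

A MAC that only appears in the tracker (the second device above) is not reported; only the accept-then-refused combination is, which is the case where the policy is right and the port configuration needs attention.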
Guru Elite

Re: MAC Bypass

Try this:

 

RADIUS:IETF:Calling-Station-ID BELONGS_TO_GROUP Employee Machine Static Host List

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Trusted Contributor I

Re: MAC Bypass

cjoseph,

 

Thanks!  I assume I was supposed to create a role mapping with that info and then reference the role in the enforcement policy to enforce the profile.  While that correctly authenticated the phone, I was still running into the same issue above where the switch showed that the phone wasn't authorized and therefore was not working on the network.  I finally found the explanation for this:

 

You must configure the voice VLAN for the IP phone when the host mode is set to multidomain.
Note: If you use a dynamic VLAN in order to assign a voice VLAN on an MDA-enabled switch port, the voice device fails authorization.

 

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

 

Once the voice VLAN was configured on the port, the phone showed connected and authorized.  However, since it's a Polycom phone, I had to set the access VLAN so the phone could get its VLAN from DHCP.

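The two-step evaluation discussed in cjoseph's reply and the follow-up above (a role mapping rule that tests Calling-Station-Id with BELONGS_TO_GROUP against the static host list, then an enforcement policy that acts on the resulting role plus the MAC-AUTH outer method) can be modelled to see why MAC formatting matters. This is an added example in Python, not ClearPass code or the poster's configuration; the list contents, the role name "IP Phone", the VLAN id 8 and the request dictionaries are assumptions made for the example.

```python
import re

# Constructed static host list, named as in the thread; the MACs are made up
STATIC_HOST_LISTS = {"IP Phones": {"00-04-F2-AA-BB-01", "0004.f2aa.bb02"}}

def normalize_mac(raw):
    """Canonical XX-XX-XX-XX-XX-XX form, so membership does not depend on
    how the NAS formats Calling-Station-Id (a Cisco sends 0004.f2aa.bb01)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (raw,))
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def belongs_to_group(calling_station_id, list_name):
    """BELONGS_TO_GROUP test against a static host list (ClearPass-style)."""
    members = {normalize_mac(m) for m in STATIC_HOST_LISTS[list_name]}
    return normalize_mac(calling_station_id) in members

def role_mapping(request):
    """Role mapping rule: Calling-Station-Id BELONGS_TO_GROUP 'IP Phones'.
    The role name 'IP Phone' is an assumption; '[Other]' is the fallback."""
    if belongs_to_group(request["Calling-Station-Id"], "IP Phones"):
        return "IP Phone"
    return "[Other]"

VOICE_VLAN_PROFILE = {  # RFC 3580 VLAN attributes; VLAN id 8 is assumed
    "Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-Id": "8"}

def enforcement_policy(request):
    """Enforcement: role plus outer method pick the profile, otherwise the
    default (None, i.e. deny). The role is computed first, as in ClearPass."""
    role = role_mapping(request)
    if role == "IP Phone" and request["OuterMethod"] == "MAC-AUTH":
        return dict(VOICE_VLAN_PROFILE)
    return None

# Constructed MAB requests in the form a Cisco switch would present them
PHONE_REQUEST = {"Calling-Station-Id": "0004.f2aa.bb01", "OuterMethod": "MAC-AUTH"}
LAPTOP_REQUEST = {"Calling-Station-Id": "00:11:22:33:44:55", "OuterMethod": "MAC-AUTH"}
```

Note that the VLAN attributes returned here only make the phone work once the port itself is configured as the Cisco note in the post above requires; the policy side cannot fix a port in multidomain mode without a voice VLAN.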
Guru Elite

Re: MAC Bypass

thecompnerd,

 

Thank you for that information!

 

Occasional Contributor II

Re: MAC Bypass

So in order to get the phone to work, you had to manually add the voice VLAN to the port config? There's no way to dynamically have a phone and computer on the same port without this on a Cisco switch?

MVP

Re: MAC Bypass

I have been working on the same questions - specifically I am personally allergic to the "voice VLAN" config bit, I'd rather call a trunk a trunk or let 802.1x do its thing without relying on a cheat (as I see it).

 

I'm getting good results using "host-mode multi-auth" on the ports and letting CPPM assign VLANs to each device on the port.

 

My phone gets VLAN 8

My Laptop gets VLAN 10

My VM hosted in the laptop gets VLAN 2

interface GigabitEthernet1/0/47
 description Sabin Testing
 switchport access vlan 111
 switchport mode access
 switchport nonegotiate
 authentication host-mode multi-auth
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 15
 dot1x max-reauth-req 1
 spanning-tree portfast
 spanning-tree bpduguard enable
--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
MVP

Re: MAC Bypass

I actually had to find and remove the DHCP options to tell our Mitel phones NOT to tag their packets, nor those of downstream connections.
