Occasional Contributor II
Posts: 29
Registered: ‎08-04-2012

Profiling: PC dot1x authentication via IP phone

Hi,

I've configured dot1x wired authentication with MAB through CPPM, so that all non-dot1x devices do MAC auth and fall into their VLANs, and when we connect a PC it does dot1x auth with a health check.

Everything works fine, but here is the challenge! For IP phones we have multiple voice VLANs. I am forced to configure the ports for the voice VLAN ("switchport voice vlan xx"); then it works. I don't want to put this command in all switches. I did it this way: CPPM does the profiling and enforces the VLANs for IP phones, but the PC won't work when we connect it via the IP phone.

Is there any way CPPM can enforce the voice attribute to IP phones rather than enforcing a VLAN?

Occasional Contributor II
Posts: 29
Registered: ‎08-04-2012

Re: Profiling: PC dot1x authentication via IP phone

I would like to push the voice VLAN (the equivalent command in the switch is "switchport voice vlan xx") when the IP phone does MAC auth via ClearPass.

Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: Profiling: PC dot1x authentication via IP phone

Please see the Word document in the thread here: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-and-ShoreTel-VoIP-Phones/m-p/239695/highlight/true#M20612 for setting up the RADIUS attributes to return for a wired Cisco switch to determine the voice VLAN. It also shows you the Cisco switch configuration side. It says it is about Avaya phones, but it is the same for Cisco phones.



Colin Joseph
Aruba Customer Engineering
Occasional Contributor II
Posts: 29
Registered: ‎08-04-2012

Re: Profiling: PC dot1x authentication via IP phone

Hi Joseph,

I went through this document and it works fine in this scenario. But I would like to achieve the same thing without configuring "switchport voice vlan xx" on the switch side, since we have so many voice VLANs and 400+ switches. It would be difficult for us to identify each port and configure the voice VLAN in all switches.

In the end my switch interface configuration will be like below:

interface GigabitEthernet1/0/1
 switchport access vlan yy   ! default VLAN
 switchport mode access
 ! switchport voice vlan xx   ! I removed this from the switch and am trying to push it through ClearPass
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast

I am trying to use the attributes below in the enforcement profile, but no luck.

cisco-avpair="device-traffic-class=voice",Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:IEEE_802,Tunnel-Private-Group-ID=1:VOICE-LAN
Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: Profiling: PC dot1x authentication via IP phone

Occasional Contributor II
Posts: 29
Registered: ‎08-04-2012

Re: Profiling: PC dot1x authentication via IP phone

I tried this too :( but no luck. Let me explain where I got stuck.

In my network I am using IP phones, and the PC is connected behind the IP phone.

Let's say I have connected an IP phone on switch interface 1/0/1; ClearPass will identify it and assign the voice VLAN y.

Now when you connect a PC behind this phone, ClearPass changes the port to data VLAN x, and the IP phone will not be registered.

How do I make both work without giving "switchport voice vlan yy" in the switches? :)

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: Profiling: PC dot1x authentication via IP phone

I don't believe this is possible; I haven't been able to get it to work, but I also haven't spent a lot of time on it. It still feels odd, but I need a project at a customer with a Cisco support contract to be sure :)

Occasional Contributor II
Posts: 29
Registered: ‎08-04-2012

Re: Profiling: PC dot1x authentication via IP phone

I spent a lot of time and it's not possible to do it :) The switch doesn't understand the attribute "device-traffic-class=voice" when you don't have the "switchport voice vlan" command configured in the switch.
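Given that conclusion (the RADIUS-returned device-traffic-class=voice only takes effect on a port that already carries "switchport voice vlan"), the practical follow-up for a 400-switch estate is to find which multi-domain ports lack that command before relying on ClearPass profiling for phones. The script below is an added example, not code from this thread, from Aruba or from Cisco: it parses a constructed IOS running-config (interface names, VLAN numbers and stanzas are made up for illustration; the first stanza mirrors the one posted above) and reports every port in multi-domain host mode that has no voice VLAN configured.

```python
import re
from typing import Dict, List

# Constructed sample of "show running-config" output (not taken from any real switch).
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport voice vlan 200
 switchport mode access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 switchport mode access
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
!
interface Vlan1
 no ip address
!
"""

VOICE_VLAN_RE = re.compile(r"^switchport voice vlan (\d+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style running-config into {interface name: [stripped config lines]}.

    A stanza starts at an 'interface ...' line and ends at '!' or at the next
    line that is not indented.
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!" or not line.startswith(" "):
            current = None
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def audit_voice_vlan(config: str) -> Dict[str, Dict[str, object]]:
    """For every port in multi-domain host mode, record its voice VLAN (or None).

    Multi-domain ports without 'switchport voice vlan' are the ones where a
    RADIUS-returned device-traffic-class=voice will not be honoured.
    """
    report: Dict[str, Dict[str, object]] = {}
    for name, lines in parse_interfaces(config).items():
        if "authentication host-mode multi-domain" not in lines:
            continue
        voice = None
        for entry in lines:
            match = VOICE_VLAN_RE.match(entry)
            if match:
                voice = int(match.group(1))
        report[name] = {"voice_vlan": voice, "needs_fix": voice is None}
    return report


def ports_missing_voice_vlan(config: str) -> List[str]:
    """Sorted names of multi-domain ports that still need 'switchport voice vlan'."""
    return sorted(n for n, r in audit_voice_vlan(config).items() if r["needs_fix"])


if __name__ == "__main__":
    for port in ports_missing_voice_vlan(SAMPLE_RUNNING_CONFIG):
        print(f"{port}: multi-domain host mode without 'switchport voice vlan'")
```

Feed it the saved running-config of each switch (for example collected over SSH or from a config backup) and the returned list is exactly the set of ports that have to be touched; single-host ports are skipped because the voice domain does not apply to them.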

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: Profiling: PC dot1x authentication via IP phone

OK, that is interesting to know. But still you would wonder if there isn't another way than to overwrite the configured voice VLAN ID. I do believe that happens for the access VLAN.

It would also be nice to just have Cisco confirm this, and even better, add the functionality :)
