Contributor I
Posts: 26
Registered: ‎03-11-2015

clearpass cisco voip

hi,

we have an issue while we are trying to configure CPPM with Cisco VoIP on a Cisco switch port,

we've created a MAC auth service, and did all the configuration on the port for MAB and dot1x,

once we plug in the VoIP it's authenticated and authorized, but after 2 minutes it keeps trying to reauthenticate and reauthorize again and again,

how to stop it

thank you

MVP
Posts: 4,081
Registered: ‎07-20-2011

Re: clearpass cisco voip

Can you please share the port config and the enforcement profile?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 26
Registered: ‎03-11-2015

Re: clearpass cisco voip

hi,

 

aaa new-model
radius-server host 10.239.16.34 key aruba123
dot1x system-auth-control
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 10.239.16.37 server-key aruba123
port 3799
auth-type all
ip dhcp snooping
ip device tracking
radius-server vsa send authenticat
exit
********************************************************************************
(config)interface vlan 1
ip address 10.239.17.38 255.255.252.0
ip helper-address 10.239.61.18
ip helper-address 10.239.16.37
exit

*************************************************************
interface gig 1/0/1
switchport access vlan 1
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 10
dot1x timeout supp-timeout 30
dot1x max-req 3
dot1x max-reauth-req 10
spanning-tree portfast
lldp transmit
lldp receive
exit
exit


the enforcement profile is just VLAN assignment

and

radius:cisco / cisco:avpair / device-traffic-class-voice

Aruba
Posts: 1,536
Registered: ‎06-12-2012

Re: clearpass cisco voip

Config looks good. The most common issue is that the phone cannot talk to the PBX, so it will reboot to try again. Make sure it can route correctly on the VLAN.

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor I
Posts: 26
Registered: ‎03-11-2015

Re: clearpass cisco voip

the IP phone is working fine and getting an IP also,

the problem is it isn't getting the right VLAN IP from my enforcement profile

it's getting an IP from the default VLAN on the port,


Aruba
Posts: 1,536
Registered: ‎06-12-2012

Re: clearpass cisco voip

Then you need to enable debug on the switch and see if it is getting the correct VLAN. If it's getting the default, then the VoIP VLAN is not in the switch config or your enforcement profile is incorrect. Post a screenshot of Access Tracker and each of the tabs.
Thank You,
Troy

MVP
Posts: 4,081
Registered: ‎07-20-2011

Re: clearpass cisco voip

Are you sending the voice-vlan?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 4,081
Registered: ‎07-20-2011

Re: clearpass cisco voip

Under the interface do the following:
switchport voice vlan <VOICE VLAN>
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
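
Added example, not part of the thread or any poster's code: a small Python check for the two causes raised in the replies above (no voice VLAN on the port or switch, or an enforcement profile that does not return the voice-class attribute). The function names, VLAN 20 in the usage and the sample attribute lists are assumptions constructed for illustration; `defined_vlans` would come from the switch's VLAN table.

```python
import re

# Cisco-AVPair value that authorizes a session into the port's voice domain.
VOICE_AVPAIR = "device-traffic-class=voice"

# Constructed sample: the thread's port config, shortened, without a voice VLAN.
SAMPLE_CONFIG = """\
interface gig 1/0/1
switchport access vlan 1
switchport mode access
authentication order dot1x mab
authentication port-control auto
mab
exit
"""

def interface_commands(config, name):
    """Return the commands listed under `interface <name>` in IOS-style text."""
    cmds, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            inside = line.split(None, 1)[1].lower() == name.lower()
        elif inside and line in ("exit", "!"):
            break
        elif inside and line:
            cmds.append(line)
    return cmds

def audit_voice_port(config, name, defined_vlans, accept_attrs):
    """Report why a phone on this port would stay in the access VLAN."""
    findings, voice = [], None
    for cmd in interface_commands(config, name):
        m = re.fullmatch(r"switchport voice vlan (\d+)", cmd)
        if m:
            voice = int(m.group(1))
    if voice is None:
        findings.append("port has no 'switchport voice vlan'")
    elif voice not in defined_vlans:
        findings.append(f"voice VLAN {voice} does not exist on the switch")
    # accept_attrs: (name, value) pairs from the RADIUS Access-Accept.
    avpairs = [v.strip().lower() for k, v in accept_attrs
               if k.lower() == "cisco-avpair"]
    if VOICE_AVPAIR not in avpairs:
        near = [v for v in avpairs if "device-traffic-class" in v]
        findings.append("Access-Accept has no " + VOICE_AVPAIR
                        + (f" (found {near[0]!r})" if near else ""))
    return findings
```

An empty list means both conditions are met; a near-miss value such as a hyphen in place of `=` is echoed back in the finding.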
Contributor I
Posts: 26
Registered: ‎03-11-2015

Re: clearpass cisco voip

we've already added it,

the VoIP is getting an IP address, but from the default access VLAN, it's not redirecting to the enforcement VLAN


Occasional Contributor II
Posts: 17
Registered: ‎12-24-2012

Re: clearpass cisco voip

Hi,

I understand that you are only using a Cisco phone to MAC auth with ClearPass. You mention 802.1X. Please elaborate.

Can you share with me the enforcement profile which you did in ClearPass? I want to verify whether you are sending the correct attributes COA to the Cisco switch.

 

Regards

Khalid Shaikh 

ACCP   ACMA    ACMP   CCIE R&S

 

 

Regards
Khalid Shaikh
Nesma Telecom and Technology
ACMA ACMP ACCP CCIE R&S