Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

clearpass configuring cisco switch data and voice vlan both with dot1x

  • 1.  clearpass configuring cisco switch data and voice vlan both with dot1x

    Posted Oct 21, 2013 01:35 PM

    I'm building a setup with ClearPass (6.2) and a Cisco 3560 switch (recent firmware, 12.2(48) and 12.2(52)) on which both a data and a voice VLAN are configured. According to the Cisco documentation it should be possible to do dot1x authentication for both of them. The voice device (Alcatel-Lucent IP Touch phone) supports dot1x (with MD5 and TLS).

     

    cisco global config

      aaa authentication dot1x default group radius

      dot1x system-auth-control

     

    cisco interface config

      switchport mode access

      switchport access vlan 10

      switchport voice vlan 20

      dot1x port-control auto

     

    This works fine without dot1x. Once I enable dot1x, RADIUS authentication succeeds (the phone even mentions this), but the device remains in the data VLAN.

     

    According to Cisco you have to do the following to support this multi-domain dot1x:

     

    cisco switch interface

      dot1x host-mode multi-domain

     

    clearpass

      Send the string "device-traffic-class=voice" as a Cisco Attribute-Value (AV) pair (like this: http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/3078/1/Capture.JPG).

     

    I have done both, but it seems the switch doesn't react: when I do # show authentication sessions I keep seeing Domain DATA.

     

    Does anyone have experience with this setup? Did you do anything else beyond what I wrote above? Is there something to debug on the Cisco to see if it receives the extra attribute?



  • 2.  RE: clearpass configuring cisco switch data and voice vlan both with dot1x

    EMPLOYEE
    Posted Oct 21, 2013 03:56 PM

    What does access tracker in CPPM show?



  • 3.  RE: clearpass configuring cisco switch data and voice vlan both with dot1x

    EMPLOYEE
    Posted Oct 21, 2013 05:19 PM

    Make sure you run the following commands on the Cisco switch:

     

    mls qos

    lldp run

     

    The first is just a best practice to give voice traffic higher QoS, IIRC. The second is required for the device-traffic-class=voice operation to work successfully. The switch needs to see the LLDP info for the phone before it will allow it on the voice VLAN. Speaking of which, you need to send back the VLAN along with the device-traffic-class=voice. The VLAN can be named "voice" on the switch, and you can just pass back the name instead of the number.

     

    Also, which authentication host-mode are you using on the port?
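
    As an added example (not code from the thread, from ClearPass or from Cisco), the following Python builds the RADIUS Access-Accept attributes the reply above asks ClearPass to return, the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple naming the VLAN plus the Cisco-AVPair vendor-specific attribute (vendor ID 9, vendor type 1) carrying device-traffic-class=voice, in wire format, and parses them back. It is handy for checking what a packet capture of the Access-Accept, or a ClearPass enforcement profile, should contain. The tunnel attributes are encoded with tag 0 (untagged), and the VLAN values are constructed sample input.

```python
import struct

# Attribute numbers from RFC 2865 / RFC 2868 and the Cisco vendor dictionary
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # vendor type of Cisco-AVPair
VOICE_AVPAIR = "device-traffic-class=voice"


def attr(atype, value):
    """One RADIUS attribute: type (1 byte), length (1 byte, incl. header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping vendor ID 9 and a Cisco-AVPair sub-attribute."""
    sub = attr(CISCO_AVPAIR, text.encode())          # vendor-type, vendor-length, data
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack(">I", CISCO_VENDOR_ID) + sub)


def data_vlan_attributes(vlan):
    """The three tunnel attributes that assign a VLAN by ID or by name (tag 0)."""
    return (attr(ATTR_TUNNEL_TYPE, struct.pack(">I", TUNNEL_TYPE_VLAN))
            + attr(ATTR_TUNNEL_MEDIUM_TYPE, struct.pack(">I", TUNNEL_MEDIUM_IEEE_802))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()))


def voice_vlan_attributes(vlan):
    """Same as a data VLAN, plus the AV pair that moves the session to the VOICE domain."""
    return data_vlan_attributes(vlan) + cisco_avpair(VOICE_AVPAIR)


def parse_attributes(blob):
    """Walk a run of attributes; VSAs are returned as ('VSA', vendor, vtype, data)."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        data = blob[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack(">I", data[:4])[0]
            vtype, vlen = data[4], data[5]
            out.append(("VSA", vendor, vtype, data[6:4 + vlen]))
        else:
            out.append((atype, data))
        i += alen
    return out


def has_voice_domain(blob):
    """True if the reply carries Cisco-AVPair device-traffic-class=voice."""
    return any(a[0] == "VSA" and a[1] == CISCO_VENDOR_ID and a[2] == CISCO_AVPAIR
               and a[3] == VOICE_AVPAIR.encode()
               for a in parse_attributes(blob))


if __name__ == "__main__":
    reply = voice_vlan_attributes("voice")   # VLAN passed by name, as in the reply above
    print(reply.hex())
    for a in parse_attributes(reply):
        print(a)
    print("voice domain:", has_voice_domain(reply))
```

    A reply built with data_vlan_attributes alone is what the original poster saw working: the switch authorizes the port but keeps the phone in the DATA domain because the AV pair is absent.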



  • 4.  RE: clearpass configuring cisco switch data and voice vlan both with dot1x
    Best Answer

    Posted Oct 23, 2013 02:57 PM

    The tracker showed a positive result, and it showed the correct RADIUS attribute being sent.

     

    The phone is finding the correct VLAN without dot1x, so I believe the LLDP part is fine. QoS I personally always have my doubts about whether it is needed on a regular LAN; not really an issue here anymore. The host-mode command I used was:

    authentication host-mode multi-domain

     

    Anyway, after some more reading of the Cisco documentation (what a mess, at least 4 documents saying different things) I found I had missed a command to make sure the switch accepts using the voice VLAN.

     

    That was:

    aaa authorization network default group radius

     

    Now it works like it should, pretty cool I must say.
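
    Putting the thread's pieces together, the following is a complete minimal IOS 12.2 configuration for this setup (an added example, not posted by anyone in the thread and not taken from Cisco or Aruba documentation). The RADIUS server address 192.0.2.10, the shared-secret placeholder and the interface name are assumptions; the VLAN numbers and the phone-specific lines are the ones from the original post. The line that the original post was missing is the aaa authorization one: without it the switch authenticates the session but ignores the VLAN and Cisco-AVPair attributes ClearPass returns, which is exactly the "Domain DATA" symptom described above.

```cisco
! ---- Global ----
aaa new-model
! Authenticate 802.1X supplicants against RADIUS
aaa authentication dot1x default group radius
! REQUIRED for the switch to apply RADIUS-returned attributes
! (VLAN assignment, device-traffic-class=voice) to the session
aaa authorization network default group radius
dot1x system-auth-control
! The switch must see the phone via LLDP before it admits it to the voice VLAN
lldp run
! Optional: QoS trust for voice traffic
mls qos
! ClearPass as RADIUS server (address and key are assumptions)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
! ---- Access port with a PC behind an IP phone ----
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! One DATA and one VOICE session on the port
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
```

    With this in place, ClearPass returns Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=20 (or the VLAN name "voice") and Cisco-AVPair "device-traffic-class=voice" for the phone, and "show authentication sessions interface GigabitEthernet0/1" should then list the phone's MAC with Domain VOICE and the PC's with Domain DATA.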