MVP
Posts: 1,405
Registered: ‎11-30-2011

clearpass configuring cisco switch data and voice vlan both with dot1x

I'm building a setup with ClearPass (6.2) on a Cisco 3560 switch (recent firmware 12.2(48), 12.2(52)) on which both a data and a voice VLAN are configured. According to the Cisco documentation it should be possible to do dot1x authentication for both of them. The voice device (Alcatel-Lucent IP Touch phone) supports dot1x (with MD5 and TLS).

cisco global config

  aaa authentication dot1x default group radius
  dot1x system-auth-control

cisco interface config

  switchport mode access
  switchport access vlan 10
  switchport voice vlan 20
  dot1x port-control auto

This works fine without dot1x; once I enable dot1x, RADIUS authentication succeeds (the phone even mentions this) but the device remains in the data VLAN.

According to Cisco you have to do the following to support this multi-domain dot1x:

cisco switch interface

  dot1x host-mode multi-domain

clearpass

  send the string "device-traffic-class=voice" as a Cisco Attribute-Value (AV) pair (like this: http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/3078/1/Capture.JPG)

I have done both, but it seems the switch doesn't react: when I do # show authentication sessions I keep seeing Domain DATA.

Does anyone have experience with this setup? Did you do anything else besides what I wrote above? Is there something to debug on the Cisco to see if it receives the extra attribute?

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: clearpass configuring cisco switch data and voice vlan both with dot1x

What does access tracker in CPPM show?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: clearpass configuring cisco switch data and voice vlan both with dot1x

Make sure you run the following commands on the Cisco switch:

  mls qos
  lldp run

The first is just a best practice to give voice traffic higher QoS, IIRC. The second is required for the device-traffic-class=voice operation to work successfully. The switch needs to see the LLDP info for the phone before it will allow it on the voice VLAN. Speaking of which, you need to send back the VLAN with the device-traffic-class=voice. The VLAN can be named "voice" on the switch, and you can just pass back the name instead of the number.

Also, which authentication host-mode are you using on the port?

Thanks,

Zach Jennings
MVP
Posts: 1,405
Registered: ‎11-30-2011

Re: clearpass configuring cisco switch data and voice vlan both with dot1x

The tracker showed a positive result, and it showed the correct RADIUS attribute being sent.

The phone is finding the correct VLAN without dot1x, so I believe the LLDP part is fine. QoS I personally always have my doubts about whether it is needed on a regular LAN; not really an issue here anymore. The host-mode command I used was:

  authentication host-mode multi-domain

Anyway, after some more reading of the Cisco documentation (what a mess, at least 4 documents saying different things) I found I had missed a command to make sure the switch accepts using the voice VLAN.

That was:

  aaa authorization network group radius

Now it works like it should, pretty cool I must say.
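Pulling the commands scattered across the thread into one place, here is the complete switch side as an added example (assembled for this page, not the original poster's configuration). The RADIUS server address, shared secret and interface name are placeholders, the authorization line is written with the `default` list name (the form the IOS command takes), and the ClearPass attributes are shown as comments since they live in the enforcement profile, not on the switch.

```cisco
! Global configuration (Cisco IOS 12.2 on a 3560, as in the thread)
aaa new-model
aaa authentication dot1x default group radius
! The line the original poster found missing: without it the switch
! authenticates the phone but never applies the RADIUS authorization
! attributes, so the session stays in the DATA domain.
aaa authorization network default group radius
dot1x system-auth-control
! Required: the switch must see the phone's LLDP before it will move
! the session into the VOICE domain.
lldp run
! Optional, recommended so voice traffic gets higher QoS.
mls qos
! RADIUS server (ClearPass): address and key are placeholders.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE_ME
!
! Naming the voice VLAN "voice" lets ClearPass return the name
! instead of the number.
vlan 20
 name voice
!
! Interface name is a placeholder.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! ClearPass enforcement profile, returned in the RADIUS Access-Accept
! for the phone (RFC 3580 tunnel attributes plus the Cisco AV pair):
!   Cisco-AVPair            = "device-traffic-class=voice"
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-Id = "voice"   (or "20")
!
! Check: "show authentication sessions interface FastEthernet0/1"
! should now list the phone's session in the VOICE domain.
```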
