10-21-2013 10:34 AM
I'm building a setup with ClearPass (6.2) on a Cisco 3560 switch (recent firmware 12.2(48), 12.2(52)) on which both data and voice VLANs are configured. According to the Cisco documentation it should be possible to do dot1x authentication for both of them. The voice device (Alcatel Lucent IP Touch phone) supports dot1x (with MD5 and TLS).
cisco global config
aaa authentication dot1x default group radius
cisco interface config
switchport mode access
switchport access vlan 10
switchport voice vlan 20
dot1x port-control auto
This works fine without dot1x. Once I enable dot1x, RADIUS authentication succeeds (the phone even mentions this), but the device remains in the data VLAN.
According to Cisco you have to do the following to support this multi-domain dot1x:
cisco switch interface
dot1x host-mode multi-domain
Send the string "device-traffic-class=voice" as a Cisco Attribute-Value (AV) pair (like this: http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/3078/1/Capture.JPG).
I have done both, but it seems the switch doesn't react; when I run # show authentication sessions I keep seeing Domain DATA.
Does anyone have experience with this setup? Did you do anything else besides what I wrote above? Is there something to debug on the Cisco to see whether it receives the extra attribute?
10-21-2013 12:55 PM
What does access tracker in CPPM show?
Consulting Systems Engineer - ACCX, ACDX, ACMX
10-21-2013 02:19 PM
Make sure you run the following commands on the Cisco switch:
The first is just a best practice to give voice traffic higher QoS, IIRC. The second is required for the device-traffic-class=voice operation to work successfully. The switch needs to see the LLDP info for the phone before it will allow it on the voice vlan. Speaking of which, you need to send back the vlan with the device-traffic-class=voice. VLAN can be named "voice" on the switch, and you can just pass back the name instead of the number.
Also, which authentication host-mode are you using on the port?
10-23-2013 11:57 AM
The tracker showed a positive result, and it showed the correct RADIUS attribute being sent.
The phone is finding the correct VLAN without dot1x, so I believe the LLDP part is fine. As for QoS, I personally always have my doubts about whether it is needed on a regular LAN; not really an issue here anymore. The host-mode command I used was:
authentication host-mode multi-domain
Anyway, after reading some more Cisco documentation (what a mess, at least 4 documents saying different things) I found I missed a command to make sure the switch accepts using the voice VLAN.
aaa authorization network group radius
Now it works like it should, pretty cool I must say.
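
An added example, not part of the thread or of any vendor tooling: a Python check that scans a saved running-config for the settings the posts above identify (RADIUS dot1x authentication, RADIUS network authorization, and multi-domain host mode on 802.1X ports with a voice VLAN). The sample config, the `audit` function, and the regular expressions (including the optional method-list name) are constructed assumptions.

```python
import re

# Constructed sample config (not the poster's switch); Gi0/2 lacks multi-domain.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 dot1x port-control auto
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 dot1x port-control auto
"""

# Global lines quoted in the thread; the optional list name is an assumption.
GLOBAL_CHECKS = {
    "dot1x authentication via RADIUS": r"^aaa authentication dot1x \S+ group radius",
    "network authorization via RADIUS": r"^aaa authorization network (\S+ )?group radius",
}
# Both spellings of the host-mode command that appear in the thread.
HOST_MODE = re.compile(r"^ (authentication|dot1x) host-mode multi-domain", re.M)


def audit(config: str) -> list[str]:
    """Return the settings from the thread that are missing in this config."""
    findings = []
    for label, pattern in GLOBAL_CHECKS.items():
        if not re.search(pattern, config, re.M):
            findings.append(f"global: missing {label}")
    # An interface stanza runs until the next line that is not indented.
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        name, body = m.group(1), m.group(2)
        if "switchport voice vlan" not in body or "port-control auto" not in body:
            continue  # not an 802.1X-enforced phone port
        if not HOST_MODE.search(body):
            findings.append(f"{name}: voice VLAN with 802.1X but no multi-domain host mode")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```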