05-28-2014 09:59 AM
I have a customer that I am deploying Aruba switches in tunneled-node to the controllers and ClearPass for user/machine auth. They also have Cisco phones. I have CP doing MAC auth for the phones by the first 6 of the MAC and dot1x for the user. However, the customer doesn't care to see the phone MAC requests in Access Tracker. The phone VLAN is locked down. So I thought I would do an AAA profile on the controller for the wired side with a server group that had the internal database (for MAC auth of the phones) and then fail through to the CP servers. I have this set up but haven't been back on site to test. If this works, then this will solve the problem with the phones MAC authing to Access Tracker. But that means we will have to add all MAC addresses to the internal database of the controller. Is there a way to do wildcard-based MAC auth in the internal database so we don't have to add MAC addresses to the internal DB?
05-28-2014 11:31 AM
You can use a user-derivation rule to wildcard the phone MAC addresses instead of using the internal user database; however, since the AAA profile has to also accommodate legitimate user/machine auth, you will still see the MAC auth from the phone, as it will hit the same policy. Perhaps I'm confused on the setup.
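As an added illustration (not from either poster), the user-derivation rule approach described in the reply would look roughly like the following ArubaOS controller CLI; the rule matches the phone OUI prefix and assigns a role before authentication. The names wired-aaa, phone-udr and voice, and the OUI 00:1e:7a, are constructed placeholders, and the exact command syntax is written from memory of ArubaOS 6.x and should be checked against the controller's own CLI reference.

```text
! constructed example: derive a role from the phone OUI (assumed prefix 00:1e:7a)
aaa derivation-rules user "phone-udr"
  set role condition macaddr starts-with "00:1e:7a" set-value "voice"
!
! attach the rule to the wired AAA profile that the tunneled-node ports use
aaa profile "wired-aaa"
  user-derivation-rules "phone-udr"
```

As the reply notes, this assigns the phone role without populating the internal database, but it does not by itself stop the profile's MAC auth from being sent to the configured server group, so the request can still appear in Access Tracker.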