Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass & Cisco VOIP phone profiling w/ MAC auth examples

  • 1.  ClearPass & Cisco VOIP phone profiling w/ MAC auth examples

    Posted Jan 21, 2021 09:44 PM
    Hi all,

    I have a requirement to enable wired 802.1x with MAC Auth on Cisco switches against ClearPass. Specifically require the following:

      1. Domain-joined laptops (in 'Domain Computers' group) will be granted access
      2. VOIP Phones will be dynamically profiled and placed in the VOIP VLAN
      3. All other devices will be placed in an Internet Only VLAN

    No. 1 - I am fine with - ClearPass configuration is straightforward.

    But I'm not sure how to achieve points 2 and 3.

    Can anyone point me to a configuration example that specifically addresses my requirement?

    I've gone through the Wired 802.1x Deployment Guides - but they are a little convoluted for what I am trying to achieve.  I'm still in design phase right now - so I don't have any specific technical issues just yet.

    Thanks!


    ------------------------------
    Regards,

    BrettVerney
    ------------------------------


  • 2.  RE: ClearPass & Cisco VOIP phone profiling w/ MAC auth examples

    Posted Jan 22, 2021 09:49 AM
    Hi Brett,

    I had some success with Cisco phones doing dot1x.

    On your call manager, you can either tell the phone to use its built-in certificate or generate a new one.

    Otherwise, you need to configure MAC Authentication Bypass (MAB) on your switch.  It means when you connect a device, it will wait to see if the device speaks dot1x and, if not, revert to MAC authentication.

    You will then need to configure a MAC Auth ClearPass service and enable profiling.

    ------------------------------
    Julien Bueffler
    ------------------------------
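
The switch side of the dot1x-then-MAB fallback described in the reply above, as an added example that is not part of the original thread and not taken from an Aruba or Cisco guide. It uses classic Cisco IOS `authentication` syntax; the interface, VLAN IDs, server name, address and key are placeholders, and it assumes the RADIUS policy returns the VLAN and, for profiled phones, the voice-domain attribute.

```cisco
! Constructed example: every name, VLAN ID, address and key is a placeholder.
aaa new-model
!
radius server CLEARPASS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius CPPM
 server name CLEARPASS
!
aaa authentication dot1x default group CPPM
aaa authorization network default group CPPM
aaa accounting dot1x default start-stop group CPPM
! Accept Change of Authorization so a port can be re-authenticated
! once a device's profile is known (assumption: CoA is used).
aaa server radius dynamic-author
 client 192.0.2.10 server-key <shared-secret>
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! One device in the data domain plus one in the voice domain (phone + PC).
 authentication host-mode multi-domain
 ! Try 802.1X first; fall back to MAB when the device never answers EAPOL.
 authentication order dot1x mab
 ! A device that later starts 802.1X overrides its earlier MAB session.
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 ! Shorten the wait before MAB fallback (default tx-period is 30 s).
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Expected from the RADIUS server (assumption, configured in the policy server):
!   phones : Cisco-AVPair "device-traffic-class=voice"  -> voice VLAN 20
!   others : Tunnel-Private-Group-ID = <internet-only VLAN>
```

MAB authenticates on a MAC address alone, which is trivially spoofed, so the VLANs reachable through the MAC auth service should be scoped on the assumption that any device can claim a phone's address.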