Security

Hi all,

I have a requirement to enable wired 802.1x with MAC Auth on Cisco switches against ClearPass. Specifically require the following:

1. 1. Domain joined laptops (in 'Domain Computers' group) in will be granted access
   2. VOIP Phones will be dynamically profiled and placed in the VOIP VLAN
   3. All other devices will be placed in an Internet Only VLAN

No. 1 - I am fine with - ClearPass configuration is straight forward.

But I'm not sure how to achieve points 2 and 3.

Can anyone point me to a configuration example that specifically addresses my requirement?

I've gone through the Wired 802.1x Deployment Guides - but they are a little convoluted for what I am trying to achieve.  I'm still in design phase right now - so I don't have any specific technical issues just yet.

Thanks!


------------------------------
Regards,

BrettVerney
------------------------------

Hi Brett,

I had some success with Cisco Phone doing dot1.x.

On your call manager, you can either tell the phone to use their built-in certificate or generate a new one.

Otherwise, you need to configure Mac Authentication Bypass (MAB) on your switch.  It means when you connect a device, it will wait to see if the device speak dot1x and if not revert to MAC authentication.

You will then need to configure a MAC Auth ClearPass service and enable profiling.

------------------------------
Julien Bueffler
------------------------------

Original Message:
Sent: Jan 21, 2021 09:43 PM
From: Brett Verney
Subject: ClearPass & Cisco VOIP phone profiling w/ MAC auth examples

Hi all,

I have a requirement to enable wired 802.1x with MAC Auth on Cisco switches against ClearPass. Specifically require the following:

1. 1. Domain joined laptops (in 'Domain Computers' group) in will be granted access
   2. VOIP Phones will be dynamically profiled and placed in the VOIP VLAN
   3. All other devices will be placed in an Internet Only VLAN

No. 1 - I am fine with - ClearPass configuration is straight forward.

But I'm not sure how to achieve points 2 and 3.

Can anyone point me to a configuration example that specifically addresses my requirement?

I've gone through the Wired 802.1x Deployment Guides - but they are a little convoluted for what I am trying to achieve.  I'm still in design phase right now - so I don't have any specific technical issues just yet.

Thanks!


------------------------------
Regards,

BrettVerney
------------------------------