We're trying to set up our network so that our Cisco VoIP phones can MAC authenticate against Clearpass. We've run into a problem in that plugging in the phone to our test switch doesn't even seem to trigger MAC authentication. If we plug a laptop into the same port, however, MAC authentication happens.
The configuration of the port looks like this (VLAN 999 is our registration VLAN):
port link-type hybrid
port hybrid vlan 1 999 untagged
port hybrid pvid vlan 999
undo voice-vlan mode auto
mac-vlan enable
undo jumboframe enable
stp edged-port
poe enable
mac-authentication
mac-authentication max-user 2
mac-authentication domain clearpass
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication host-mode multi-vlan
mac-authentication re-authenticate
If I plug in a laptop, then I can see it appear in Access Tracker in Clearpass and the port is assigned the correct VLAN. Running display mac-authentication connection shows the laptop's details, including MAC address, authorised VLAN, etc.
If I plug in the Cisco phone then display mac-authentication connection shows "Total connections: 0". However, with the phone plugged in, I can see the MAC address of the phone if I run display lldp neighbor-information list.
This is making me think the problem is something to do with the phone talking to the switch and that at the moment, Clearpass has nothing to do with the problem.
Can anyone help us with this problem? Some more details:
The switch is an HPE 5130 running 7.1.070 R3506P02. The phones are a Cisco 7911 and a newer Cisco 8811.
Any help much appreciated!
------------------------------
Bryan Carpenter
------------------------------