last person joined: 4 days ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

MAC Bypass

Jump to Best Answer
This thread has been viewed 8 times
  • 1.  MAC Bypass

    Posted Nov 14, 2012 02:49 PM

    I'm trying to setup a simple MAC bypass service and can't figure out how to enforce a policy if the incoming MAC is listed on a static host list I created.


    Here is what I've done:


    1. I used the wizard to create the service.
    2. Created a static host list called IP Phones and added a few test phone MACs to it.
    3. Under the Authentication tab for the MAC bypass service, I made sure [MAC AUTH] is the authentication method and added the IP Phones static host list as the authentication source.
    4. I created an enforcement profile that will set the VLAN to a VOICE VLAN.


    Now I'm stuck, because I don't know what conditions I'm supposed to use in order to enforce the VOIP policy.  Basically, if the incoming MAC is on the static host list, then enforce the VOIP policy.  Can someone clue me in?

  • 2.  RE: MAC Bypass

    Posted Nov 14, 2012 08:28 PM

    Are you needing assistance with setting up the service rules to kick off the service or how to configure the enforcement policy to act on the fact that those devices are in the static list?  

  • 3.  RE: MAC Bypass

    Posted Nov 15, 2012 09:38 AM

    I need assistance with the Enforcement Policy.  I'm assuming that I use the Enforcement Policy to match the MAC of the client to the static host list and enforce the profile that's been setup???

  • 4.  RE: MAC Bypass

    Posted Nov 15, 2012 04:25 PM

    I'm a little bit further than I was before.  I setup an enforcement policy with the following conditions:


    Tips > Role > EQUALS > [USER Authenticated]

    Authentication > OuterMethod > EQUALS > MAC-AUTH


    I'm no longer receiving a REJECT message in Access Tracker for the test phone, BUT the phone isn't working.  The switchport (on a Cisco 4500) shows "notconnect" for the port and the following syslog message:


    %AUTHMGR-5-FAIL: Authorization failed for client (0004.f2**.****) on Interface Gi3/17


    I'm not sure if the syslog message is indicative of anything.  However, the phone keeps authenticating itself, as I'm seeing an ACCEPT message logged for the phone in Access Tracker every 2 minutes.


    Does anyone know if this is a ClearPass issue or switch issue?

  • 5.  RE: MAC Bypass
    Best Answer

    Posted Nov 15, 2012 06:54 PM

    Try this:


    RADIUS:IETF:Calling-Station-ID BELONGS_TO_GROUP Employee Machine Static Host List

  • 6.  RE: MAC Bypass

    Posted Nov 16, 2012 04:33 PM



    Thanks!  I assume I was supposed to create a role mapping with that info and then reference the role in the enforcement policy to enforce the profile.  While that correctly authenticated the phone, I was still running into the same issue above where the switch showed that the phone wasn't authorized and therefore was not working on the network.  I finally found the explanation for this:


    You must configure the voice VLAN for the IP phone when the host mode is set to multidomain.
    Note: If you use a dynamic VLAN in order to assign a voice VLAN on an MDA-enabled switch port, the voice device fails authorization.



    Once the voice VLAN was configured on the port, the phone showed connected and authorized.  However, since it's a Polycom phone, I had to set the access VLAN so the phone could get it's VLAN from DHCP.

  • 7.  RE: MAC Bypass

    Posted Nov 16, 2012 04:38 PM



    Thank you for that information!


  • 8.  RE: MAC Bypass

    Posted Jun 05, 2018 09:25 AM

    So in order to get the phone to work, you had to manually add the voice vlan to the port config? There's no way to dynamically have a phone and computer on the same port without this on a cisco switch?

  • 9.  RE: MAC Bypass

    Posted Jun 08, 2018 01:37 PM

    I have been working on the same questions - specifically I am personally alergic to the "voice VLAN" config bit, I'd rather call a trunk a trunk or let 802.1x do its thing without relying on a cheat (as I see it).


    I'm getting good results using "host-mode multi-auth" on the ports and letting CPPM assign VLANs to each device on the port.


    My phone gets VLAN 8

    My Laptop gets VLAN 10

    My VM hosted in the laptop gets VLAN 2

    interface GigabitEthernet1/0/47
     description Sabin Testing
     switchport access vlan 111
     switchport mode access
     switchport nonegotiate
     authentication host-mode multi-auth
     authentication order mab
     authentication priority mab
     authentication port-control auto
     authentication timer reauthenticate server
     dot1x pae authenticator
     dot1x timeout tx-period 10
     dot1x timeout supp-timeout 15
     dot1x max-reauth-req 1
     spanning-tree portfast
     spanning-tree bpduguard enable

  • 10.  RE: MAC Bypass

    Posted Jun 08, 2018 01:39 PM

    I actually had to find and remove the DHCP options to tell out Mitel phones NOT to tag their packets, nor those of downstream connections.