I'm trying to set up a simple MAC bypass service and can't figure out how to enforce a policy if the incoming MAC is listed on a static host list I created.
Here is what I've done:
Now I'm stuck, because I don't know what conditions I'm supposed to use in order to enforce the VOIP policy. Basically, if the incoming MAC is on the static host list, then enforce the VOIP policy. Can someone clue me in?
Are you needing assistance with setting up the service rules to kick off the service or how to configure the enforcement policy to act on the fact that those devices are in the static list?
I need assistance with the Enforcement Policy. I'm assuming that I use the Enforcement Policy to match the MAC of the client to the static host list and enforce the profile that's been set up?
I'm a little bit further than I was before. I set up an enforcement policy with the following conditions:
Tips > Role > EQUALS > [USER Authenticated]
Authentication > OuterMethod > EQUALS > MAC-AUTH
I'm no longer receiving a REJECT message in Access Tracker for the test phone, BUT the phone isn't working. The switchport (on a Cisco 4500) shows "notconnect" for the port and the following syslog message:
%AUTHMGR-5-FAIL: Authorization failed for client (0004.f2**.****) on Interface Gi3/17
I'm not sure if the syslog message is indicative of anything. However, the phone keeps authenticating itself, as I'm seeing an ACCEPT message logged for the phone in Access Tracker every 2 minutes.
Does anyone know if this is a ClearPass issue or switch issue?
RADIUS:IETF:Calling-Station-ID BELONGS_TO_GROUP Employee Machine Static Host List
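As an added example (not ClearPass code and not from anyone in this thread), the check behind the BELONGS_TO_GROUP condition above and the %AUTHMGR-5-FAIL syslog line earlier in the thread can be reproduced offline: the static host list, the list name and the syslog lines below are constructed, and the MACs are made up, since the real one in the thread is masked.

```python
import re

# Constructed stand-in for the "Employee Machine Static Host List" from the thread.
# Entries deliberately use different notations, which is the usual cause of
# "it's on the list but still doesn't match" problems.
EMPLOYEE_MACHINE_STATIC_HOST_LIST = [
    "00-04-F2-AA-BB-CC",   # RADIUS Calling-Station-Id style
    "0004.f2dd.eeff",      # Cisco dotted style
    "00:04:f2:11:22:33",   # colon style
]

# Constructed syslog lines in the same shape as the Cisco 4500 message in the thread.
SAMPLE_SYSLOG = [
    "%AUTHMGR-5-FAIL: Authorization failed for client (0004.f2aa.bbcc) on Interface Gi3/17",
    "%LINK-3-UPDOWN: Interface GigabitEthernet3/17, changed state to down",
    "%AUTHMGR-5-FAIL: Authorization failed for client (0011.2233.4455) on Interface Gi3/19",
]

MAC_HEX_RE = re.compile(r"^[0-9a-f]{12}$")
AUTHMGR_FAIL_RE = re.compile(
    r"%AUTHMGR-5-FAIL: Authorization failed for client \(([0-9a-fA-F.:-]+)\) on Interface (\S+)"
)


def normalize_mac(mac: str) -> str:
    """Drop separators and lower-case so every notation compares equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_HEX_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def belongs_to_group(calling_station_id: str, static_host_list) -> bool:
    """Equivalent of Calling-Station-ID BELONGS_TO_GROUP <static host list>."""
    wanted = normalize_mac(calling_station_id)
    return any(normalize_mac(entry) == wanted for entry in static_host_list)


def parse_authmgr_fail(line: str):
    """Return {'mac', 'interface'} for an AUTHMGR-5-FAIL line, else None."""
    m = AUTHMGR_FAIL_RE.search(line)
    if not m:
        return None
    return {"mac": normalize_mac(m.group(1)), "interface": m.group(2)}


def unexpected_failures(syslog_lines, static_host_list):
    """(interface, mac) for authorization failures of devices that ARE on the list,
    i.e. the situation in the thread where ClearPass accepts but the switch does not."""
    hits = []
    for line in syslog_lines:
        ev = parse_authmgr_fail(line)
        if ev and belongs_to_group(ev["mac"], static_host_list):
            hits.append((ev["interface"], ev["mac"]))
    return hits
```

Running unexpected_failures over the sample lines flags only Gi3/17, whose MAC is on the list; the Gi3/19 failure is a device the list never covered.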
Thanks! I assume I was supposed to create a role mapping with that info and then reference the role in the enforcement policy to enforce the profile. While that correctly authenticated the phone, I was still running into the same issue above where the switch showed that the phone wasn't authorized and therefore was not working on the network. I finally found the explanation for this:
You must configure the voice VLAN for the IP phone when the host mode is set to multidomain. Note: If you use a dynamic VLAN in order to assign a voice VLAN on an MDA-enabled switch port, the voice device fails authorization.
Once the voice VLAN was configured on the port, the phone showed connected and authorized. However, since it's a Polycom phone, I had to set the access VLAN so the phone could get its VLAN from DHCP.
Thank you for that information!
So in order to get the phone to work, you had to manually add the voice VLAN to the port config? There's no way to dynamically have a phone and computer on the same port without this on a Cisco switch?
I have been working on the same questions - specifically I am personally allergic to the "voice VLAN" config bit, I'd rather call a trunk a trunk or let 802.1x do its thing without relying on a cheat (as I see it).
I'm getting good results using "host-mode multi-auth" on the ports and letting CPPM assign VLANs to each device on the port.
My phone gets VLAN 8
My Laptop gets VLAN 10
My VM hosted in the laptop gets VLAN 2
description Sabin Testing
! static access VLAN is only the fallback; CPPM returns the real VLAN per device
switchport access vlan 111
switchport mode access
! multi-auth: every MAC on the port is authenticated and assigned a VLAN on its own
authentication host-mode multi-auth
! MAB only, no dot1x in the order/priority list
authentication order mab
authentication priority mab
authentication port-control auto
! reauth interval comes from the RADIUS server (Session-Timeout)
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x timeout supp-timeout 15
dot1x max-reauth-req 1
spanning-tree bpduguard enable
I actually had to find and remove the DHCP options to tell our Mitel phones NOT to tag their packets, nor those of downstream connections.