I've just started deploying Clearpass across my campus and have run into an issue with some VoIP phones and printers. It would appear that the dynamic VLAN assigned by Clearpass is timing out while the printer/phone sleeps and puts them back into the quarantine VLAN.
My setup is using VLAN 666 as a quarantine VLAN assigned to every port on my Aruba 2930 switches. If Clearpass sees a client connect and it's in our AD, it gets the local corporate data VLAN. If its MAC is identified as a phone, it gets the tagged voice VLAN. If it's anything else, it goes to the local guest VLAN, giving them internet access separate from corporate. This worked fine during testing and when I deployed it across our main HQ offices. When I started rolling it out on site where there are contractors with their own printers and cheaper VoIP phones, I've had it break.
It looks like the VLAN just flips back to 666 relatively quickly because the switch isn't seeing traffic all the time. A contractor then tries to call a phone or send a print but the receiving device is no longer on a viable VLAN to receive it. I had a look through the commands on the switch and tried setting the following...
aaa port-access authenticator cached-reauth-delay 7200

I had hoped this would pin the dynamic VLAN in place for a couple of hours but apparently not. As a quick fix for the phones I've set them to re-register with the phone server every minute or two. On the printers I tried finding NTP or something similar to set but with no luck. I've had to disable Clearpass for now on their ports.
Does anyone have a way around this issue? How do I get the VLAN assignment to stick around when the device might not actually be talking all the time?