I am having issues getting my Cisco IP Phones to successfully obtain a DHCP IP address and get profiled by ClearPass when I get ClearPass to enforce a new VLAN.
I only have this problem with the IP Phone. If I try with a laptop, it works.
If I manually set the VLAN on the switchport, the IP Phone works.
Any ideas?
Here is my switch config:
aaa authentication port-access eap-radius server-group "NAC-RADIUS"
aaa authentication mac-based chap-radius server-group "NAC-RADIUS"
aaa authentication disable-username
aaa authentication allow-vlan tagged
aaa port-access gvrp-vlans
interface G17
   qos trust dscp
   service-policy "MARK-LAN-FLOOR" in
   tagged vlan 409
   untagged vlan 209
   aaa port-access authenticator
   aaa port-access authenticator client-limit 1
   aaa port-access mac-based
   aaa port-access mac-based addr-limit 2
   aaa port-access mac-based logoff-period 9999999
   aaa port-access mac-based reauth-period 86400
   aaa port-access mac-based cached-reauth-period 86400
   aaa port-access controlled-direction in
   aaa port-access mixed
   spanning-tree bpdu-protection
   exit
======================================
The VLANs being enforced are VLAN 700 (untagged) and VLAN 701 (tagged).
And I can see the MAC address is being VLAN enforced:
tty=ansi SYD01ACSW-L09-01# sh port-acc mac-based g17 cli det
 Port Access MAC-Based Client Status Detailed

  Client Base Details :
   Port            : G17
   Client Status   : authenticated        Session Time    : 4880 seconds
   MAC Address     : 705a0f-82ff88        Session Timeout : 10800 seconds
   IP              : n/a

  Access Policy Details :
   COS Map         : Not Defined          In Limit Kbps   : Not Set
   Untagged VLAN   : 700                  Out Limit Kbps  : Not Set
   Tagged VLANs    : 701
   Port Mode       : 1000FDx              Auth Mode       : User-based
   RADIUS ACL List : No Radius ACL List
Any help will be great. Thanks.