ClearPass VLAN Enforcement and Cisco IP Phones Issue


    Posted May 30, 2019 09:46 PM

    I am having issues getting my Cisco IP Phones to successfully obtain a DHCP IP address and get profiled by ClearPass when I get ClearPass to enforce a new VLAN.

    I only have this problem with the IP Phone. If I try with a laptop, it works.

    If I manually set the VLAN on the switchport, the IP Phone works.

    Any ideas?

    Here is my switch config:

    aaa authentication port-access eap-radius server-group "NAC-RADIUS" 
    aaa authentication mac-based chap-radius server-group "NAC-RADIUS"
    aaa authentication disable-username
    aaa authentication allow-vlan tagged
    aaa port-access gvrp-vlans

    interface G17
    qos trust dscp
    service-policy "MARK-LAN-FLOOR" in
    tagged vlan 409
    untagged vlan 209
    aaa port-access authenticator
    aaa port-access authenticator client-limit 1
    aaa port-access mac-based
    aaa port-access mac-based addr-limit 2
    aaa port-access mac-based logoff-period 9999999
    aaa port-access mac-based reauth-period 86400
    aaa port-access mac-based cached-reauth-period 86400
    aaa port-access controlled-direction in
    aaa port-access mixed
    spanning-tree bpdu-protection
    exit

    ======================================

    The VLANs being enforced are VLAN 700 (untagged) and VLAN 701 (tagged).

    And I can see the MAC address is being VLAN enforced:

    tty=ansi SYD01ACSW-L09-01# sh port-acc mac-based g17 cli det

    Port Access MAC-Based Client Status Detailed

    Client Base Details :
     Port            : G17
     Client Status   : authenticated         Session Time    : 4880 seconds
     MAC Address     : 705a0f-82ff88         Session Timeout : 10800 seconds
     IP              : n/a

    Access Policy Details :
     COS Map         : Not Defined           In Limit Kbps   : Not Set
     Untagged VLAN   : 700                   Out Limit Kbps  : Not Set
     Tagged VLANs    : 701
     Port Mode       : 1000FDx               Auth Mode       : User-based
     RADIUS ACL List : No Radius ACL List

    Any help will be great. Thanks.