Security

 View Only
last person joined: 14 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

laptop (dot1x) and ip-phone DUR on same switch-port

This thread has been viewed 23 times
  • 1.  laptop (dot1x) and ip-phone DUR on same switch-port

    Posted 29 days ago

    Is there a good document on using a laptop (dot1x) and  ip-phone DUR on same switch-port?  I have a ClearPass service for dot1x and another for mac auth.



  • 2.  RE: laptop (dot1x) and ip-phone DUR on same switch-port

    EMPLOYEE
    Posted 29 days ago

    This is just standard 802.1X configuration, just don't set the port to "device-mode".



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: laptop (dot1x) and ip-phone DUR on same switch-port

    Posted 28 days ago

    on the 2930, where do I configure this?   Just to be sure the phone will use the mac profile and the laptop  will use the dot1x profile?

    aaa port-access authenticator 1/2-1/8
    aaa port-access authenticator 1/2 tx-period 10
    aaa port-access authenticator 1/2 supplicant-timeout 10
    aaa port-access authenticator 1/2 client-limit 5
    aaa port-access authenticator 1/3 tx-period 10

    aaa port-access mac-based 1/2-1/8
    aaa port-access mac-based 1/2 addr-limit 4
    aaa port-access mac-based 1/3 addr-limit 4
    aaa port-access mac-based 1/4 addr-limit 4
    aaa port-access mac-based 1/5 addr-limit 4

    aa port-access 1/2 mixed
    aaa port-access 1/3 mixed
    aaa port-access 1/4 mixed




  • 4.  RE: laptop (dot1x) and ip-phone DUR on same switch-port

    EMPLOYEE
    Posted 28 days ago

    Ah, I figured you meant using 802.1X for both devices.  As long as authenticator and mac-based are configured on the port, both services are available for any devices that connect.  Whether or not an EAP authentication (802.1X) happens is based on whether or not the connecting device supports 802.1X.

    My starting point for a configuration looks like:

    aaa port-access mac-based 1/1-1/48
    aaa port-access mac-based 1/1-1/48 addr-limit 2
    aaa port-access mac-based 1/1-1/48 mac-pin
    aaa port-access mac-based 1/1-1/48 quiet-period 30
    aaa port-access authenticator 1/1-1/48 client-limit 2
    aaa port-access authenticator 1/1-1/48 supplicant-timeout 6
    aaa port-access authenticator 1/1-1/48 tx-period 6
    aaa port-access authenticator 1/1-1/48 max-requests 2
    aaa port-access authenticator 1/1-1/48 max-eap-retries 2
    aaa port-access authenticator 1/1-1/48
    aaa port-access authenticator active
    aaa port-access 1/1-1/48 auth-order authenticator mac-based 
    aaa port-access 1/1-1/48 auth-priority authenticator mac-based

    The important piece here is the auth-order and auth-priority, that decides which method gets attempted first and which method's result gets applied.  When attempting authenticator first, make sure to tune the process so that a client device doesn't spend two minutes before the MAC auth happens.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: laptop (dot1x) and ip-phone DUR on same switch-port

    Posted 13 days ago

    Carson,

    Can you share the entire config with me?




  • 6.  RE: laptop (dot1x) and ip-phone DUR on same switch-port

    EMPLOYEE
    Posted 13 days ago

    No, I don't have a configuration that is shareable.  Is there a particular piece you are wanting to see?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: laptop (dot1x) and ip-phone DUR on same switch-port

    Posted 13 days ago

    I am not getting the DUR  from clearPass. ClearPass shows ACCEPT and sends the DUR. The swiitch is not getting it:

    Aruba-VSF-2930F(# sho port-access cli
    Downloaded user roles are preceded by *
     
     Port Access Client Status
     
      Port  Client Name   MAC Address       IP Address      User Role         Type  VLAN                                                   
      ----- ------------- ----------------- --------------- ----------------- ----- -------------------------------------------------------
      1/4                 c81fea-bb1ac2     n/a                               8021X 99, 1                                                  
      1/4   c8:1f:ea:b... c81fea-bb1ac2     n/a             denyall           MAC   99, 1                                                  
      1/5                 2cea7f-2f8271     n/a                               8021X 99, 1                                                  
      1/5   2c:ea:7f:2... 2cea7f-2f8271     n/a             denyall           MAC   99, 1                                                  
      1/7                 2cea7f-2bcfce     n/a                               8021X 99, 1                                                  
      1/7                 c81fea-bb1e00     n/a                               8021X 99, 1                                                  
      1/7   2c:ea:7f:2... 2cea7f-2bcfce     n/a             denyall           MAC   99, 1                                                  
      1/7   c8:1f:ea:b... c81fea-bb1e00     n/a             denyall           MAC   99, 1                                                  
     
    Aruba-VSF-2930F(#  sho user-role 
     detailed              Displays all the user roles in detail.
     downloaded            Displays the downloaded user roles.
     NAME-STR              The user role to show.
     <cr>
    Aruba-VSF-2930F(#  sho user-role down
    Downloaded user roles are preceded by *
     
     Downloaded User Roles
     
      Enabled       : Yes
      Type       Name
      ---------- ------------------------------------------------------
     
    Aruba-VSF-2930F(# sho crypto pki ta-profile 
      Profile Name                                         Profile Status  CRL  OCSP
      ---------------------------------------------------- --------------- ---- ----
      IDEVID_ROOT                                          Installed                
      default                                              Self-signed     No   No  
      COMODO_RSA_CA                                        Installed       No   No  
      ARUBA_CA                                             Installed       No   No  
      HTTPSRSAServerCertificate                            Installed       No   No  
     
    Aruba-VSF-2930F(# sh port-access




  • 8.  RE: laptop (dot1x) and ip-phone DUR on same switch-port

    EMPLOYEE
    Posted 13 days ago

    There are a few guides for setting up DUR on the switches, including a pretty comprehensive video series by Herman.

    The important parts that get missed:

    1. creating the administrative user in ClearPass with the proper permissions
    2. adding the ta-profile (root CA) for the HTTPS certificate used by ClearPass
    3. configuring the username and password for the ClearPass integration


    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 9.  RE: laptop (dot1x) and ip-phone DUR on same switch-port

    Posted 13 days ago

    Carson,

    Thank you for the information, I had this working last week all of the DUR's were working. Is there a trouble shooting guide that would help me find out what changed that it no longer works?




  • 10.  RE: laptop (dot1x) and ip-phone DUR on same switch-port

    EMPLOYEE
    Posted 13 days ago

    I'd look at the events log first to see if there is anything interesting showing, past that you might be better off contacting TAC.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------