I'd look at the events log first to see if there is anything interesting showing, past that you might be better off contacting TAC.
Original Message:
Sent: May 29, 2024 05:57 PM
From: barry.stollberg
Subject: laptop (dot1x) and ip-phone DUR on same switch-port
Carson,
Thank you for the information. I had this working last week; all of the DURs were working. Is there a troubleshooting guide that would help me find out what changed so that it no longer works?
Original Message:
Sent: May 29, 2024 05:44 PM
From: chulcher
Subject: laptop (dot1x) and ip-phone DUR on same switch-port
There are a few guides for setting up DUR on the switches, including a pretty comprehensive video series by Herman.
The important parts that get missed:
- creating the administrative user in ClearPass with the proper permissions
- adding the ta-profile (root CA) for the HTTPS certificate used by ClearPass
- configuring the username and password for the ClearPass integration
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: May 29, 2024 05:32 PM
From: barry.stollberg
Subject: laptop (dot1x) and ip-phone DUR on same switch-port
I am not getting the DUR from ClearPass. ClearPass shows ACCEPT and sends the DUR. The switch is not getting it:
Aruba-VSF-2930F(# sho port-access cli
Downloaded user roles are preceded by *

Port Access Client Status

  Port  Client Name    MAC Address    IP Address  User Role  Type   VLAN
  ----- -------------- -------------- ----------- ---------- ------ -----
  1/4                  c81fea-bb1ac2  n/a                    8021X  99, 1
  1/4   c8:1f:ea:b...  c81fea-bb1ac2  n/a         denyall    MAC    99, 1
  1/5                  2cea7f-2f8271  n/a                    8021X  99, 1
  1/5   2c:ea:7f:2...  2cea7f-2f8271  n/a         denyall    MAC    99, 1
  1/7                  2cea7f-2bcfce  n/a                    8021X  99, 1
  1/7                  c81fea-bb1e00  n/a                    8021X  99, 1
  1/7   2c:ea:7f:2...  2cea7f-2bcfce  n/a         denyall    MAC    99, 1
  1/7   c8:1f:ea:b...  c81fea-bb1e00  n/a         denyall    MAC    99, 1

Aruba-VSF-2930F(# sho user-role
  detailed    Displays all the user roles in detail.
  downloaded  Displays the downloaded user roles.
  NAME-STR    The user role to show.
  <cr>

Aruba-VSF-2930F(# sho user-role down
Downloaded user roles are preceded by *

Downloaded User Roles
  Enabled : Yes

  Type       Name
  ---------- ------------------------------------------------------

Aruba-VSF-2930F(# sho crypto pki ta-profile
  Profile Name               Profile Status  CRL  OCSP
  -------------------------- --------------- ---- ----
  IDEVID_ROOT                Installed
  default                    Self-signed     No   No
  COMODO_RSA_CA              Installed       No   No
  ARUBA_CA                   Installed       No   No
  HTTPSRSAServerCertificate  Installed       No   No

Aruba-VSF-2930F(# sh port-access
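An added check, not from this thread: a small Python parser for the `show port-access clients` layout above that buckets each client by whether its role was downloaded from ClearPass (the `*` prefix), fell to `denyall`, or is still empty. The sample table, MAC addresses and the `*EMPLOYEE` role are constructed for the example.

```python
import re

# Constructed sample in the layout of "show port-access clients" on an
# ArubaOS-Switch 2930F. MAC addresses and the *EMPLOYEE role are made up.
SAMPLE = """\
Downloaded user roles are preceded by *

  Port  Client Name    MAC Address    IP Address  User Role  Type   VLAN
  ----- -------------- -------------- ----------- ---------- ------ -----
  1/4                  c81fea-bb1ac2  n/a                    8021X  99, 1
  1/4   c8:1f:ea:b...  c81fea-bb1ac2  n/a         denyall    MAC    99, 1
  1/5   2c:ea:7f:2...  2cea7f-2f8271  n/a         *EMPLOYEE  8021X  1
"""

def parse_clients(text: str) -> list[dict]:
    """Slice the fixed-width table, using the dashed rule to find column spans."""
    lines = text.splitlines()
    rule_idx = next(i for i, l in enumerate(lines)
                    if l.strip() and set(l.strip()) <= {"-", " "})
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[rule_idx])]
    spans[-1] = (spans[-1][0], None)  # last column runs to end of line
    names = [lines[rule_idx - 1][s:e].strip() for s, e in spans]
    return [dict(zip(names, (line[s:e].strip() for s, e in spans)))
            for line in lines[rule_idx + 1:] if line.strip()]

def audit(clients: list[dict]) -> dict[str, list[str]]:
    """Bucket clients by whether the ClearPass-assigned role actually landed."""
    report = {"downloaded": [], "local": [], "denyall": [], "no_role": []}
    for c in clients:
        key = f'{c["Port"]} {c["MAC Address"]} ({c["Type"]})'
        role = c["User Role"]
        if role.startswith("*"):
            report["downloaded"].append(key)   # DUR applied as intended
        elif role == "denyall":
            report["denyall"].append(key)      # fell back to the deny-all role
        elif role:
            report["local"].append(key)        # a role defined on the switch itself
        else:
            report["no_role"].append(key)      # no role yet (e.g. still authenticating)
    return report

if __name__ == "__main__":
    for bucket, keys in audit(parse_clients(SAMPLE)).items():
        print(f"{bucket:10} {keys}")
```

Paste the real switch output in place of SAMPLE; every MAC-auth client landing in the denyall bucket while the 8021X entry has no role is the pattern shown in the post above.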
Original Message:
Sent: May 29, 2024 05:12 PM
From: chulcher
Subject: laptop (dot1x) and ip-phone DUR on same switch-port
No, I don't have a configuration that is shareable. Is there a particular piece you are wanting to see?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: May 29, 2024 05:05 PM
From: barry.stollberg
Subject: laptop (dot1x) and ip-phone DUR on same switch-port
Carson,
Can you share the entire config with me?
Original Message:
Sent: May 14, 2024 05:31 PM
From: chulcher
Subject: laptop (dot1x) and ip-phone DUR on same switch-port
Ah, I figured you meant using 802.1X for both devices. As long as authenticator and mac-based are configured on the port, both services are available for any devices that connect. Whether or not an EAP authentication (802.1X) happens is based on whether or not the connecting device supports 802.1X.
My starting point for a configuration looks like:
aaa port-access mac-based 1/1-1/48
aaa port-access mac-based 1/1-1/48 addr-limit 2
aaa port-access mac-based 1/1-1/48 mac-pin
aaa port-access mac-based 1/1-1/48 quiet-period 30
aaa port-access authenticator 1/1-1/48 client-limit 2
aaa port-access authenticator 1/1-1/48 supplicant-timeout 6
aaa port-access authenticator 1/1-1/48 tx-period 6
aaa port-access authenticator 1/1-1/48 max-requests 2
aaa port-access authenticator 1/1-1/48 max-eap-retries 2
aaa port-access authenticator 1/1-1/48
aaa port-access authenticator active
aaa port-access 1/1-1/48 auth-order authenticator mac-based
aaa port-access 1/1-1/48 auth-priority authenticator mac-based
The important pieces here are auth-order and auth-priority, which decide which method gets attempted first and which method's result gets applied. When attempting authenticator first, make sure to tune the process so that a client device doesn't spend two minutes before the MAC auth happens.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: May 14, 2024 05:13 PM
From: barry.stollberg
Subject: laptop (dot1x) and ip-phone DUR on same switch-port
On the 2930, where do I configure this? Just to be sure the phone will use the mac profile and the laptop will use the dot1x profile?
aaa port-access authenticator 1/2-1/8
aaa port-access authenticator 1/2 tx-period 10
aaa port-access authenticator 1/2 supplicant-timeout 10
aaa port-access authenticator 1/2 client-limit 5
aaa port-access authenticator 1/3 tx-period 10
aaa port-access mac-based 1/2-1/8
aaa port-access mac-based 1/2 addr-limit 4
aaa port-access mac-based 1/3 addr-limit 4
aaa port-access mac-based 1/4 addr-limit 4
aaa port-access mac-based 1/5 addr-limit 4
aaa port-access 1/2 mixed
aaa port-access 1/3 mixed
aaa port-access 1/4 mixed
Original Message:
Sent: May 14, 2024 04:04 PM
From: chulcher
Subject: laptop (dot1x) and ip-phone DUR on same switch-port
This is just standard 802.1X configuration, just don't set the port to "device-mode".
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: May 14, 2024 02:41 PM
From: barry.stollberg
Subject: laptop (dot1x) and ip-phone DUR on same switch-port
Is there a good document on using a laptop (dot1x) and ip-phone DUR on same switch-port? I have a ClearPass service for dot1x and another for mac auth.