MAC-Authenticating Cisco phones on HPE switch

    Posted May 09, 2022 12:34 PM
    We're trying to set up our network so that our Cisco VoIP phones can MAC authenticate against Clearpass. We've run into a problem in that plugging in the phone to our test switch doesn't even seem to trigger MAC authentication. If we plug a laptop into the same port, however, MAC authentication happens.

    The configuration of the port looks like this (VLAN 999 is our registration VLAN):
    port link-type hybrid
    port hybrid vlan 1 999 untagged
    port hybrid pvid vlan 999
    undo voice-vlan mode auto
    mac-vlan enable
    undo jumboframe enable
    stp edged-port
    poe enable
    mac-authentication max-user 2
    mac-authentication domain clearpass
    mac-authentication re-authenticate server-unreachable keep-online
    mac-authentication host-mode multi-vlan
    mac-authentication re-authenticate

    If I plug in a laptop, then I can see it appear in Access Tracker in Clearpass and the port is assigned the correct VLAN. Running display mac-authentication connection shows the laptop's details, including MAC address, authorised VLAN, etc.

    If I plug in the Cisco phone then display mac-authentication connection shows "Total connections: 0". However, with the phone plugged in, I can see the MAC address of the phone if I run display lldp neighbor-information list.

    This is making me think the problem is something to do with the phone talking to the switch and that at the moment, Clearpass has nothing to do with the problem.

    Can anyone help us with this problem? Some more details:

    The switch is an HPE 5130 running 7.1.070 R3506P02. The phones are a Cisco 7911 and a newer Cisco 8811.

    Any help much appreciated!

    Bryan Carpenter