Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x - voice bypass

  • 1.  802.1x - voice bypass

    Posted Jul 22, 2019 09:48 PM

    Do voice-marked VLAN devices automatically bypass 802.1x?

    On my 3810 running WC.16.05.0013 with the following config, the PC attached through the IP phones goes through an authentication process to my ClearPass server, but not the phone itself:


    vlan 100
    name "Auth"
    untagged 1-2
    no ip address
    exit
    vlan 101
    name "UnAuth"
    no ip address
    exit
    vlan 111
    name "Voip"
    tagged 1-2
    no ip address
    voice
    exit


    interface 1
    tagged vlan 111
    untagged vlan 100
    aaa port-access authenticator
    aaa port-access authenticator reauth-period 3600
    aaa port-access authenticator auth-vid 100
    aaa port-access authenticator unauth-vid 101




  • 2.  RE: 802.1x - voice bypass

    Posted Jul 23, 2019 02:03 AM

    VOICE phones will not bypass 802.1x.

    Do the VOICE phones support 802.1x? If not, you should configure MAC auth to authenticate the devices.

    Also, the 802.1x client limit is by default 1. Personally I don't like the unauth/auth VID. We have ClearPass for this.

    Please read the wired policy enforcement guide. This gives a lot of details.

    https://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161



  • 3.  RE: 802.1x - voice bypass

    Posted Jul 23, 2019 02:40 AM

    Mixed bag of support for 802.1x on the phones. The newer Cisco IP phones support it, the older ones don't.

    I have read the wired policy enforcement guide. Whilst I appreciate it captures a lot of information, and kudos for Tim for providing it, I found it missing elements and the format a little jumbled. Maybe a newer release (which was indicated) might clean it up.



  • 4.  RE: 802.1x - voice bypass

    Posted Jul 23, 2019 02:44 AM

    Please configure a higher client limit. Also enable MAC auth at the port.

    Example config:

    aaa port-access authenticator active

    aaa port-access authenticator 1
    aaa port-access authenticator 1 client-limit 2

    aaa port-access mac-based 1
    aaa port-access mac-based 1 addr-limit 2

    It's also advisable to use (downloadable) user roles.



  • 5.  RE: 802.1x - voice bypass

    Posted Jul 25, 2019 02:17 AM

    With regards to assigning a voice role for VoIP devices, is there an equivalent command to authorise the phone in the event the switch is unable to contact the authentication server?

    The Cisco equivalent command would be:

    authentication event server dead action authorize voice



  • 6.  RE: 802.1x - voice bypass

    Posted Jul 25, 2019 02:40 AM

    Aha, found it myself ;)

    aaa port-access <PORT-LIST> critical-auth voice-vlan <VLAN-ID>
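As an added example (not from any post in this thread), a small Python checker that parses ArubaOS-Switch `aaa port-access` lines like those in replies 4 and 6 and flags ports where the phone-plus-PC setup from the question would fail: default 802.1X client limit of 1, no MAC auth for phones without a supplicant, and no critical-auth voice VLAN fallback for when RADIUS is unreachable. The sample config and the port-name pattern are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of ArubaOS-Switch 'aaa port-access' lines (numeric port names assumed).
# Port 1 follows reply 4 plus the critical-auth command from reply 6; port 2 keeps the
# defaults from the original question (client-limit 1, no MAC auth, no critical-auth).
SAMPLE_CONFIG = """\
aaa port-access authenticator active
aaa port-access authenticator 1
aaa port-access authenticator 1 client-limit 2
aaa port-access mac-based 1
aaa port-access mac-based 1 addr-limit 2
aaa port-access 1 critical-auth voice-vlan 111
aaa port-access authenticator 2
aaa port-access authenticator 2 auth-vid 100
aaa port-access authenticator 2 unauth-vid 101
"""

# Port names such as '1', '1/2' or 'A1'; keywords like 'active' do not match (assumed pattern).
PORT = r"([A-Z]?\d[\w/-]*)"


def parse_port_access(config: str) -> dict:
    """Collect per-port 802.1X / MAC-auth settings; defaults mirror the switch defaults."""
    ports = defaultdict(lambda: {"dot1x": False, "client_limit": 1, "mac_auth": False,
                                 "addr_limit": 1, "critical_voice_vlan": None})
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"aaa port-access authenticator " + PORT + r"(?:\s+(.*))?$", line):
            p = ports[m.group(1)]
            p["dot1x"] = True
            if cl := re.match(r"client-limit (\d+)$", m.group(2) or ""):
                p["client_limit"] = int(cl.group(1))
        elif m := re.match(r"aaa port-access mac-based " + PORT + r"(?:\s+(.*))?$", line):
            p = ports[m.group(1)]
            p["mac_auth"] = True
            if al := re.match(r"addr-limit (\d+)$", m.group(2) or ""):
                p["addr_limit"] = int(al.group(1))
        elif m := re.match(r"aaa port-access " + PORT + r" critical-auth voice-vlan (\d+)$", line):
            ports[m.group(1)]["critical_voice_vlan"] = int(m.group(2))
    return dict(ports)


def check_phone_and_pc(ports: dict) -> dict:
    """Return {port: [findings]} for a PC daisy-chained behind an IP phone."""
    findings = {}
    for name, p in sorted(ports.items()):
        issues = []
        if p["dot1x"] and p["client_limit"] < 2:
            issues.append("802.1X client-limit is 1 (default): a second device is not admitted")
        if not p["mac_auth"]:
            issues.append("no MAC auth: a phone without an 802.1X supplicant cannot authenticate")
        if p["critical_voice_vlan"] is None:
            issues.append("no critical-auth voice-vlan: phone loses service if RADIUS is unreachable")
        findings[name] = issues
    return findings
```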