Occasional Contributor I

CPPM CONFIG FOR WIRED PHONE USING MAC-AUTH

We are testing CPPM for the first time using a wired mac-auth service.  The enforcement policy is simply:

1. connection: client-mac-vendor = XXX --> then apply these 3 profiles:
   - update endpoint known
   - allow-all
   - assign voice vlan

2. connection: client-mac-vendor != XXX --> then apply these 3 profiles:
   - update endpoint known
   - allow-all
   - assign data vlan

 

We have a test phone with a PC connected to it and the phone with a wired connection to an Aruba 2930F switch.  The switch is configured to use CPPM for wired mac-auth.  The PC hits this service and gets assigned the data vlan correctly.  However, the phone hits this service, but also gets assigned the data vlan.  The access tracker Input tab does show "connection: client-mac-vendor = XXX" (exactly how the enforcement policy is setup), but for some reason skips over that policy condition and goes to the 2nd condition where the data vlan is applied.

 

Why is this?


Accepted Solutions
MVP Guru

Re: CPPM CONFIG FOR WIRED PHONE USING MAC-AUTH

I would use profiler to determine that it is an IP Phone, but if all phones have the same MAC prefix, that would technically work as well (it just does not protect against MAC spoofing).

 

Also, I would use the [Allow All MACAuth] service, so you don't need to mark the Endpoint as 'Known', unless you have another reason to mark the endpoint Known.

 

In all cases so far, in such situations there was a slight difference in what is in the Access Tracker and what is tested in Enforcement or Role Mapping.

 

One thing that I would do is check the MAC prefix in a role-mapping, then during Enforcement base your decision on the assigned roles. The first benefit is that you can see in Access Tracker which roles are assigned, so you quickly see that it has correctly interpreted the MAC prefix. The second is that you can easily add more prefixes to the role-mapping and/or use profiling as a second option to detect your phones.

 

Also, if you haven't yet, check the ClearPass Solution Guide: Wired Policy Enforcement for best practices for such a scenario. If you prefer content in video, check Aruba ClearPass Workshop - (Video series), which covers a similar scenario as well (just with profiling, not with MAC prefix, but the approach is similar).

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).

Occasional Contributor I

Re: CPPM CONFIG FOR WIRED PHONE USING MAC-AUTH

Thanks and agree that role mapping is the best way.  Due to other factors, we found out another way to do it without role mapping in the short term.  

 

It appears that CPPM changed the phone vendor we chose in the enforcement policy from ALL CAPS to lower-case; not sure why CPPM does that.  In order to fix that issue, we use the equals-ignore-case option in the policy.  



All Replies
Aruba Employee

Re: CPPM CONFIG FOR WIRED PHONE USING MAC-AUTH

Further to Herman's comment. Without the export of the AccessTracker it is very hard to guess why the policy was applied as you indicate. One thing that often trips me up is that the default role-mapping is "Match First" condition: typically I want this to be "Match All". Ironically the Enforcement Policy is "Match All" conditions: typically I want this to be "Match First" as this is more deterministic.
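The three points raised in this thread (matching on the MAC prefix in a role-mapping and enforcing on the role, the case-sensitivity of the vendor comparison that the original poster fixed with equals-ignore-case, and the Match First versus Match All evaluation order) can be played through with a small model. The block below is an added illustration, not ClearPass code: attribute names follow ClearPass conventions, but the operators, the Match First / Match All semantics, the role `Phone-By-OUI` and every MAC, OUI and vendor value are constructed for the example.

```python
"""Toy model of ClearPass-style role mapping and enforcement evaluation.

Added illustration, not ClearPass code: attribute names follow ClearPass
conventions, but the operators, the Match First / Match All semantics and
all MAC, OUI and vendor values below are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


def _members(csv: str) -> set[str]:
    """Split a comma-separated rule value into an upper-cased set."""
    return {x.strip().upper() for x in csv.split(",") if x.strip()}


# Comparison operators keyed by the name a policy rule uses.
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "EQUALS": lambda actual, ref: actual == ref,
    "NOT_EQUALS": lambda actual, ref: actual != ref,
    "EQUALS_IGNORE_CASE": lambda actual, ref: actual.casefold() == ref.casefold(),
    "NOT_EQUALS_IGNORE_CASE": lambda actual, ref: actual.casefold() != ref.casefold(),
    # Model's own operators: MAC starts with any listed OUI; role list contains ref.
    "BEGINS_WITH_ANY": lambda actual, ref: any(actual.upper().startswith(p) for p in _members(ref)),
    "CONTAINS_MEMBER": lambda actual, ref: ref.upper() in _members(actual),
}


@dataclass
class Condition:
    attribute: str
    operator: str
    value: str

    def holds(self, request: dict[str, str]) -> bool:
        actual = request.get(self.attribute)
        return actual is not None and OPERATORS[self.operator](actual, self.value)


@dataclass
class Rule:
    conditions: list[Condition]   # empty list = unconditional default rule
    outcomes: list[str]           # roles (role mapping) or profiles (enforcement)

    def matches(self, request: dict[str, str]) -> bool:
        return all(c.holds(request) for c in self.conditions)


def evaluate(rules: list[Rule], request: dict[str, str], mode: str) -> list[str]:
    """mode 'first': outcomes of the first matching rule only.
    mode 'all': outcomes of every matching rule, in rule order."""
    matched = [r for r in rules if r.matches(request)]
    if mode == "first":
        matched = matched[:1]
    return [o for r in matched for o in r.outcomes]


PHONE_ROLE = "Phone-By-OUI"   # constructed role name
ROLE_MAPPING = [  # MAC prefix -> role, as suggested in the accepted answer
    Rule([Condition("Connection:Client-Mac-Address", "BEGINS_WITH_ANY", "00:11:22, AA:BB:CC")],
         [PHONE_ROLE]),
]


def vendor_enforcement(rule1_op: str, rule2_op: str = "NOT_EQUALS") -> list[Rule]:
    """The original two-rule policy keyed on the vendor string; the operator of
    each rule is selectable so the case-sensitivity effect is visible."""
    return [
        Rule([Condition("Connection:Client-Mac-Vendor", rule1_op, "PHONEVENDOR")],
             ["update endpoint known", "allow-all", "assign voice vlan"]),
        Rule([Condition("Connection:Client-Mac-Vendor", rule2_op, "PHONEVENDOR")],
             ["update endpoint known", "allow-all", "assign data vlan"]),
    ]


ROLE_ENFORCEMENT = [  # decision based on the mapped role, not the raw vendor text
    Rule([Condition("Tips:Role", "CONTAINS_MEMBER", PHONE_ROLE)], ["allow-all", "assign voice vlan"]),
    Rule([], ["allow-all", "assign data vlan"]),
]


def authorize(request: dict[str, str], enforcement: list[Rule], mode: str = "first"):
    """Role mapping first (all matching rules), roles exposed as Tips:Role,
    then enforcement in the given mode. Returns (roles, profiles)."""
    roles = evaluate(ROLE_MAPPING, request, "all")
    enriched = {**request, "Tips:Role": ", ".join(roles)}
    return roles, evaluate(enforcement, enriched, mode)


def vlan_of(profiles: list[str]) -> Optional[str]:
    """When several profiles set a VLAN, the last one applied wins in this model."""
    vlans = [p for p in profiles if p.startswith("assign ")]
    return vlans[-1] if vlans else None


# Constructed sample requests: the vendor string arrives lower-cased, as the
# original poster observed in Access Tracker, while the policy says PHONEVENDOR.
PHONE = {"Connection:Client-Mac-Address": "00:11:22:33:44:55",
         "Connection:Client-Mac-Vendor": "phonevendor"}
PC = {"Connection:Client-Mac-Address": "DE:AD:BE:EF:00:01",
      "Connection:Client-Mac-Vendor": "PcMaker"}

if __name__ == "__main__":
    for label, policy, mode in [
        ("EQUALS, match first (symptom)", vendor_enforcement("EQUALS"), "first"),
        ("EQUALS_IGNORE_CASE, match first (fix)", vendor_enforcement("EQUALS_IGNORE_CASE"), "first"),
        ("EQUALS_IGNORE_CASE, match all, rule 2 still case-sensitive",
         vendor_enforcement("EQUALS_IGNORE_CASE"), "all"),
        ("role-based, match first", ROLE_ENFORCEMENT, "first"),
    ]:
        roles, profiles = authorize(PHONE, policy, mode)
        print(f"{label}: roles={roles} -> {vlan_of(profiles)}")
```

The first run reproduces the symptom from the question: the case-sensitive `EQUALS` fails on the lower-cased vendor, so the `!=` rule wins and the phone lands in the data VLAN even though the role-mapping already identified it as a phone. The third run shows why the employee's preference for Match First matters: with Match All and only rule 1 switched to ignore-case, both rules fire and the later data-VLAN profile overrides the voice one. The role-based policy gives the same answer regardless of how the vendor string is cased.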
