CPPM - MAC Auth for Cisco with downstream hub/switch

We are using MAC Auth to perform NAC on our Cisco switch infrastructure. It's working well - hardest part is getting folks to correctly register their devices.

We have IP telephones (Mitel) and are not using the "voice VLAN," rather we set the phone to "bridge" and let the device behind the phone present its own MAC for Auth. It's working as I expect: the phone's MAC gets sent to VLAN "Voice (8)" while my laptop's MAC gets sent to VLAN "Employee (2)".

000as014#sh mac add int gig 1/0/25
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    40b0.3433.f3db    STATIC      Gi1/0/25
   8    0800.0fb1.b334    STATIC      Gi1/0/25
Total Mac Addresses for this criterion: 2

Since that works, my point-of-sale team came to me to solve their "device with a mini-switch" problem.

There's a 4-port hub/switch at the end of the cable from the NAC-enabled switch, and the first device which presents a MAC address gets assigned to its appropriate VLAN, and then the second device receives a RADIUS response from CPPM telling it to use a different VLAN and the switch puts that MAC into a "DROP" status in the prior device's VLAN.

188as198#sh mac add int fa 1/0/11
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  30    000b.4f92.e785    STATIC      Fa1/0/11
  30    88ae.1d13.c69a    DYNAMIC     Drop
Total Mac Addresses for this criterion: 2

What's so special about the IP-Phone that its bridged MACs get correctly mapped, while another product's bridged MACs don't?

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
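Added here as a troubleshooting aid, not code from the original post or from ClearPass/Cisco: a small Python script that parses `show mac address-table interface` output like the two captures quoted above (embedded as a constructed sample) and reports, per port, which VLANs are present and which MACs the switch has placed in Drop, so the hub-behind-a-port condition can be spotted across many ports. The interface-name normalisation (e.g. "gig 1/0/25" to "Gi1/0/25") is an assumption about the abbreviations in use.

```python
import re

# Constructed sample: the two "show mac address-table interface" outputs
# quoted in the post (phone + laptop on Gi1/0/25, hub on Fa1/0/11).
SAMPLE_OUTPUT = """\
000as014#sh mac add int gig 1/0/25
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    40b0.3433.f3db    STATIC      Gi1/0/25
   8    0800.0fb1.b334    STATIC      Gi1/0/25
Total Mac Addresses for this criterion: 2
188as198#sh mac add int fa 1/0/11
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  30    000b.4f92.e785    STATIC      Fa1/0/11
  30    88ae.1d13.c69a    DYNAMIC     Drop
Total Mac Addresses for this criterion: 2
"""

# The prompt + command line tells us which port the following table is for.
CMD_RE = re.compile(r"#\s*sh(?:ow)?\s+mac\S*.*?\bint(?:erface)?\s+([a-z]+)\s*(\S+)", re.I)
# One table row: VLAN, dotted MAC, entry type, port (or "Drop").
ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)


def parse_mac_table(text):
    """Yield (interface, vlan, mac, entry_type, port) for each table row."""
    iface = None
    for line in text.splitlines():
        cmd = CMD_RE.search(line)
        if cmd:
            # Assumed normalisation: "gig 1/0/25" -> "Gi1/0/25", "fa 1/0/11" -> "Fa1/0/11".
            iface = cmd.group(1)[:2].capitalize() + cmd.group(2)
            continue
        row = ROW_RE.match(line)
        if row and iface:
            vlan, mac, entry_type, port = row.groups()
            yield iface, int(vlan), mac.lower(), entry_type.upper(), port


def audit_ports(text):
    """Per interface: the set of VLANs seen and the MACs the switch is dropping."""
    report = {}
    for iface, vlan, mac, _entry_type, port in parse_mac_table(text):
        entry = report.setdefault(iface, {"vlans": set(), "dropped": []})
        entry["vlans"].add(vlan)
        if port.lower() == "drop":  # MAC present on the port but not being forwarded
            entry["dropped"].append(mac)
    return report
```

Feed it the concatenated output of the command for every access port and look for any interface with a non-empty `dropped` list; a port with several VLANs and nothing dropped (like the phone + laptop case) is the expected bridged behaviour.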