Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM profiling not working with IP phone

  • 1.  CPPM profiling not working with IP phone

    Posted Jun 29, 2016 01:27 AM

    CPPM profiling not working with LLDP-MED or basic LLDP enabled on HPE switch port.

    HPE switch

    Mitel handset

    Anyone had issues with profiling IP phones from CPPM?



  • 2.  RE: CPPM profiling not working with IP phone

    EMPLOYEE
    Posted Jun 29, 2016 05:45 AM

    We need more information.  You are talking about two functions:  Profiling, which is identification via CPPM using DHCP signatures and identification using the switch via LLDP.  Which one is not working, and how do you have things configured to identify both?



  • 3.  RE: CPPM profiling not working with IP phone

    Posted Jun 29, 2016 10:44 AM

    @cjoseph wrote:

    We need more information.  You are talking about two functions:  Profiling, which is identification via CPPM using DHCP signatures and identification using the switch via LLDP.  Which one is not working, and how do you have things configured to identify both?


    Fair point. My bad.

    Let's start again.


    DHCP method used for profiling.

    Special 'quarantine vlan' is set and helper of CPPM is applied to this SVI/RVI/subnet.

    Service of 'Allow all MAC Auth' is used with enforcement profile to push this quarantine vlan, and the profiling option, plus CoA. 

    The mindset is, allow mac, update endpoint DB, and profile, push CoA, then the next service is condition matched (with a rule that says 'Username EXISTS', the allow all mac auth is 'Username DOES NOT EXIST'.. obviously).

    This works fine for printers, workstations, etc.

    Not the case for phones.

    Now,.. I think because LLDP, LLDP-MED is enforced on the switch ports carrying phones, this quarantine vlan is never pushed.. so it's actually/maybe/probably not the profiling function that's at fault.. it's the fact that the quarantine vlan is not pushed.. though a simple 'show vlan' on the port on the HPE switch indicates that the port is pushed the quarantine vlan.

    But to add insult to injury.. the port has got the ole' tagged and untagged vlan (for the whole daisy chained phone + pc scenario)..

    So, static port configuration on switch side before this profiling/quarantine vlan enforcement is pushed by CPPM, is 210 vlan for voice (tagged), and 113 for data (untagged).

    When CPPM service 'Allow All MAC Auth and profile' fires.. I check vlan assignment on port, and, appropriately, 210 remains as tagged, but 4000 appears as the untagged (the quarantine vlan)... everything working great so far.


    Problem is profiling takes ages.. and I don't think CoA is ever sent.  And that's with non LLDP-MED enabled.  With LLDP-MED enabled it doesn't work period.  Because it's trumping the push of this quarantine/4000 vlan ..


    Does all that make sense now?
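    As an added illustration (not code from this thread, and not ClearPass or HPE code), the Python simulation below walks one phone through the two-service flow described in this post: an unknown MAC hits 'Allow All MAC Auth', gets the quarantine VLAN untagged while the voice VLAN stays tagged, a DHCP fingerprint forwarded by the helper address updates the endpoint, and only that update produces a CoA and the second service. It encodes the VLANs with the standard RFC 4675 Egress-VLANID format (which attribute the poster's enforcement profile actually sends is not stated in the thread). The MAC, the option 55 fingerprints, the category names and the 'Profiled devices' service name are constructed; VLANs 210, 113 and 4000 are the ones named in the post, and 'endpoint has no category yet' stands in for the poster's 'Username DOES NOT EXIST' condition.

```python
# Added example: simulation of the two-service MAC-auth + profiling flow.
# Constructed data throughout; not ClearPass code and not the thread author's code.
from dataclasses import dataclass
from typing import Optional

# RFC 4675 Egress-VLANID: tag octet (0x31 = tagged, 0x32 = untagged), pad octet,
# then the 12-bit VLAN id. One reply can carry a tagged voice VLAN and an untagged
# data (or quarantine) VLAN side by side.
TAGGED, UNTAGGED = 0x31, 0x32
VOICE_VLAN, DATA_VLAN, QUARANTINE_VLAN = 210, 113, 4000   # values from the post


def egress_vlanid(vlan: int, tagged: bool) -> int:
    """Encode a VLAN as an RFC 4675 Egress-VLANID integer."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"invalid VLAN id {vlan}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan


def decode_egress_vlanid(value: int) -> tuple:
    """Inverse of egress_vlanid: returns (vlan, tagged)."""
    tag = value >> 24
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError("bad tag octet")
    return value & 0xFFF, tag == TAGGED


# Constructed DHCP option 55 (parameter request list) fingerprints. Real ClearPass
# signatures live in its fingerprint database and are not reproduced here.
FINGERPRINTS = {
    "1,3,6,15,66,67,128,150": "VoIP Phone",
    "1,3,6,15,31,33,43,44,46,47": "Workstation",
}


@dataclass
class Endpoint:
    mac: str
    category: Optional[str] = None   # None until a DHCP fingerprint has been seen


class Cppm:
    """Minimal stand-in for the endpoint repository plus the two services."""

    def __init__(self):
        self.endpoints = {}
        self.coa_log = []            # MACs for which a CoA was issued

    def mac_auth(self, mac: str) -> dict:
        ep = self.endpoints.setdefault(mac, Endpoint(mac))   # "update endpoint DB"
        if ep.category is None:
            # Service 1: quarantine VLAN untagged, voice VLAN stays tagged, profile requested
            service, vlans = "Allow All MAC Auth", [(VOICE_VLAN, True), (QUARANTINE_VLAN, False)]
        elif ep.category == "VoIP Phone":
            service, vlans = "Profiled devices", [(VOICE_VLAN, True)]
        else:
            service, vlans = "Profiled devices", [(VOICE_VLAN, True), (DATA_VLAN, False)]
        return {"service": service, "vlans": vlans,
                "Egress-VLANID": [egress_vlanid(v, t) for v, t in vlans]}

    def dhcp_seen(self, mac: str, option55: str) -> bool:
        """Called when the DHCP helper forwards a client's request to CPPM. Returns True
        when the fingerprint changed the category: that is the event behind the CoA, so
        a phone that never sends DHCP again is never re-authenticated."""
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        category = FINGERPRINTS.get(option55)
        if category is None or category == ep.category:
            return False
        ep.category = category
        self.coa_log.append(mac)
        return True


PHONE_MAC = "02:00:00:00:00:01"          # constructed, locally administered
PHONE_OPT55 = "1,3,6,15,66,67,128,150"   # constructed


def scenario(phone_sends_dhcp: bool) -> dict:
    """Walk one phone through the flow. With phone_sends_dhcp=False (port bounced but
    the handset kept its lease) the endpoint is never profiled and stays quarantined."""
    cppm = Cppm()
    first = cppm.mac_auth(PHONE_MAC)
    coa = cppm.dhcp_seen(PHONE_MAC, PHONE_OPT55) if phone_sends_dhcp else False
    final = cppm.mac_auth(PHONE_MAC) if coa else first
    return {"first_service": first["service"], "coa_sent": coa,
            "final_service": final["service"], "final_vlans": final["vlans"]}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"phone re-DHCPs={flag}: {scenario(flag)}")
```

    Running it shows the two outcomes side by side: without a fresh DHCP exchange the phone keeps 210 tagged and 4000 untagged and no CoA is logged; with one, the category flips, a CoA is issued and the second service returns only the tagged voice VLAN. Whatever the switch does with LLDP-MED on top of that reply is outside what this model covers.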



  • 4.  RE: CPPM profiling not working with IP phone

    Posted Jun 30, 2016 12:32 AM

    I think.. rather than trying to do a vlan enforcement onto this quarantine vlan.... because LLDP-MED is trumping the RADIUS send, I think I'll need to profile the voice vlan?

    Keen to hear what the community has to think..


    And, from a RADIUS perspective, can a RADIUS vlan enforcement trump CDP/LLDP or not?



  • 5.  RE: CPPM profiling not working with IP phone

    Posted Jul 01, 2016 09:48 AM

    Do you need to use LLDP-MED??

    Can you not provide the required information from RADIUS attributes ClearPass sends back to the switch?



  • 6.  RE: CPPM profiling not working with IP phone

    Posted Jul 01, 2016 10:16 AM

    Because with LLDP-MED the switch and phone can exchange info on power levels, automate QoS configuration, etc, etc.  More benefits to using it (strictly speaking with respect to IP telephony) than not using it.

    But it seemingly gets in the way from RADIUS pushing a vlan. 

    On a separate note, I've added CPPM address as helper on this voice vlan anyway.. as directed to from Aruba support.. as they also alluded to the fact that most likely LLDP-MED is 'trumping' whatever RADIUS vlan enforcement is attempting to do.



  • 7.  RE: CPPM profiling not working with IP phone

    EMPLOYEE
    Posted Jul 01, 2016 10:32 AM

    So why don't you choose one method or the other?




  • 8.  RE: CPPM profiling not working with IP phone

    Posted Jul 01, 2016 10:41 AM

    Yes... I've just tied in vlan enforcement along with profiling for a range of devices.. i.e. workstations/printers, all in one service.

    I just have to split out service doing profiling AND vlan enforcement to do the dedicated 'quarantine' vlan, for workstations and printers, and instead just do a profile (minus vlan pivoting) for the phones (... remember .. I have to profile.. that's the constant/given.. but I can't profile phones on the dedicated vlan for profiling, so will have to profile this additional vlan)



  • 9.  RE: CPPM profiling not working with IP phone
    Best Answer

    Posted Jul 06, 2016 10:18 AM

    Just needed to reboot the phones to trigger DHCP (shutting ports wasn't enough as it seems..).. and then profiling was fine.

    However, profiling occurring with LLDP-MED handling vlan enforcement (thus CPPM helper address assigned to that SVI/RVI vlan also.. not just my 'quarantine' vlan) ..switch side.. can't push from RADIUS/CPPM.. (where I had a designated 'quarantine vlan' to profile.. )

    All in all.. happy with that.



  • 10.  RE: CPPM profiling not working with IP phone

    Posted Jun 29, 2016 05:49 AM

    Does the HP switch show the correct make/model info in the LLDP information?

    Is CPPM set to gather information using SNMP from the switch?

    What information does CPPM show for the device MAC?