Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco wired Avaya phone problem

  • 1.  Cisco wired Avaya phone problem

    Posted Apr 28, 2015 05:39 PM

    Dears,

    Currently I am conducting a POC on ClearPass and a Cisco switch, and we are facing some problems with authentication.

    We are basically doing DOT1X using AD for PCs and MAC auth for the IP phones (Avaya).

    We have two services, one for dot1x and one for MAC auth.

    We have set up the Cisco switch configuration for multi-auth, MAB and CoA, and everything looks fine.

    Also, the port is set to a voice VLAN and an access VLAN (data).

    When a PC connects it is by default in the data VLAN, and when it is authenticated the CPPM returns another VLAN, which is the internet and intranet VLAN, and it is authenticated.

    When an IP phone connects, it authenticates using MAC auth and the CPPM returns cisco-device-class=voice (or something like that), and the IP phone is successfully connected to the voice VLAN. The problem is the phone cannot get its DHCP...

    Although if I configure the port without any authentication (dot1x or MAC auth) and set up the port for voice VLAN and access VLAN, the phone connects and gets its IP normally via DHCP.

    I have configured lldp run.

    The customer is reluctant to configure anything QoS, although I doubt it would cause this problem.

    The enforcement profile for the phone contains the VLAN assignment plus Cisco device traffic, and I tried another one where it returns only Cisco device traffic, and it gave the IP phone its VLAN even faster.

    I have rules in enforcement policies based on device category and they're all working fine; the phones and PCs are all profiled, and even printers worked fine and were profiled.

    I have configured IP helper addresses, of course (the phone gets an IP address on an unauthenticated port).

    I can't think of something that may cause this problem, except some specific commands on the switch's port or a special VSA that needs to be sent from ClearPass that I can't find anywhere...

    So please, urgent help is needed and appreciated.

    P.S. I didn't open a case because they take too long; I have been awaiting a reply for 2 days about a failure to profile a Sun thin client, so I matched based on MAC vendor, and I still haven't received any replies.

    Cisco switch model is 3750 PD EF 48 ports, version is 15.0.2SE.

    ClearPass is 6.5 on an evaluation VM.

     



  • 2.  RE: Cisco wired Avaya phone problem

    EMPLOYEE
    Posted Apr 28, 2015 06:10 PM
    Are you working with an Aruba partner on the PoC?

    Thanks,
    Tim


  • 3.  RE: Cisco wired Avaya phone problem

    Posted Apr 28, 2015 06:44 PM

    Actually, we are an aruba partner..



  • 4.  RE: Cisco wired Avaya phone problem

    EMPLOYEE
    Posted Apr 28, 2015 10:13 PM

    What is your 802.1X timeout?

    Can you post the configuration from one of your ports?



  • 5.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 03:29 AM

    interface GigabitEthernet1/0/2
     ! or any port that you want to be authenticated
     description HOST-PORT
     switchport access vlan 250
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 109
     speed auto
     duplex full
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication host-mode multi-auth
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout server-timeout 30
     dot1x timeout tx-period 10
     dot1x max-reauth-req 3
     spanning-tree portfast
     spanning-tree bpduguard enable
    !



  • 6.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 02:59 PM

    You say it connects correctly to the voice VLAN; how do you know it does when DHCP afterwards doesn't work? Did you do a packet capture on the port? Do you see DHCP discovers being sent?

    Do you only send that extra =voice option? Because I don't believe you can actually send the voice VLAN; if you send a VLAN assignment in the Accept packet it will set the data VLAN.



  • 7.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 03:05 PM

    I know it connects to the voice VLAN, because the phone says it's in VLAN 102, which is the voice VLAN. It starts with VLAN 0, then after the CPPM sends its VLAN it goes to VLAN 102. I have tried sending an enforcement policy with device-traffic-class=voice + VLAN assignment and just device-traffic-class=voice without VLAN assignment, and they both placed it in its VLAN.

    Then the IP phone's LCD says it's doing DHCP requests, and it keeps increasing a counter until 60 seconds, then fails to get its IP and reboots...

    When I connect the phone on a normal port with just this config:

    switchport access vlan 2
    switchport voice vlan 102
    switchport mode access

    the IP phone gets its IP in just 3 seconds, as well as the VLAN.

    I haven't done a packet capture yet.

    Also, when I "show vlan" on the Cisco switch I see the phone's port in both the voice VLAN and the data VLAN (a PC is also connected).

     



  • 8.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 03:48 PM

    What do you get when you do: show authentication sessions

    You are running a new version so it might be different, but with the 12.x versions I'm quite sure that you can't set the voice VLAN, and if your earlier posted config is correct and you set the voice VLAN there, then that is what is going to be used, I believe.



  • 9.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 03:50 PM

    I don't have the output with me right now, but it shows success or authenticated.

    Also on the Access Tracker I get success and no alerts, and everything is just as it should be, except the IP phone got no IP address.



  • 10.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 03:59 PM

    The domain part is what interests me.

    ClearPass will show a success when authentication passes and it is able to send the Accept to the switch. It doesn't check whether the things you send to the switch make sense to the switch or not.

    This is something you will have to debug on the switch side. Look up the dot1x debug commands and see if the switch mentions it doesn't like something you send.



  • 11.  RE: Cisco wired Avaya phone problem

    Posted Apr 29, 2015 04:04 PM

    I am already debugging RADIUS, as I had a problem with redirection, and I clearly notice all the debug messages; everything looked normal and authentication is successful.

    The domain part is just for PCs using dot1x. IP phones are all accepted based on a MAC auth "accept all" until we collect all IP phones; then we will start to restrict a bit.

    I am suspecting something: maybe the IP phones in the live working environment aren't using CoS, but when ClearPass returns a device-traffic-class=voice, the IP phone sends a DHCP request tagged with a dot1p class of service = 5, so the DHCP server doesn't respond to the request as it's not configured for it.

    It could be this or the complete opposite: the DHCP server is expecting dot1p and the IP phone is sending without it. That's the guess I have in my mind.

     



  • 12.  RE: Cisco wired Avaya phone problem

    Posted Nov 15, 2016 01:44 PM

    Hi Waleed,

     

    We are having the same issue as yours. Did you find any solution for this ?



  • 13.  RE: Cisco wired Avaya phone problem

    Posted Nov 15, 2016 01:48 PM

    Hi Waleed,

     

    We are having the same issue, did you find any solution for this ?



  • 14.  RE: Cisco wired Avaya phone problem

    Posted Nov 15, 2016 01:50 PM

    We are having the same issue, did you find any solution for this ?



  • 15.  RE: Cisco wired Avaya phone problem

    Posted Jan 25, 2017 12:20 PM

    We had this issue with NEC phones when connected to ClearPass. What we did was change the RX waiting time under the LLDP settings on the phone to 30 seconds instead of the default 15 seconds. This added about 5 seconds, give or take, between initializing and login compared with what we would have on a non-802.1X interface.



  • 16.  RE: Cisco wired Avaya phone problem

    Posted May 08, 2019 04:17 PM

    We ran into the same issue with the Cisco 2960X models.

    The fix is outlined in this bug detail:

    https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb22409

    Basically, authorization for the voice VLAN fails when certain AV-pairs are present in the attributes:

    "If one of the attributes is missing and/or dynamic vlan assignment is NOT required but at least one of the av-pairs is present in the Radius access-accept the switch will fail authorization for the Voice Vlan on the port."

    From the capture we can see that "Tunnel-Type" and "Tunnel-Medium-Type" are present.

    I removed those attributes and am good on the 2960X; MAB is successful, with phones not having DHCP issues.

    HOWEVER,

    we are now seeing similar symptoms with a Cisco 4500 chassis and Avaya phones.

    Phones authenticate with healthy logs on CPPM and the switch logs, but the phones do NOT receive a DHCP address.

    Strangely, there are ARP entries present for the phone..

    Please help!!
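The two points the thread turns on (replies 6 and 8: a VLAN assignment in the Accept moves the data VLAN, the phone's VLAN comes from `switchport voice vlan` on the port; reply 16: per the quoted note on CSCvb22409, any Tunnel-* attribute sent alongside `cisco-av-pair=device-traffic-class=voice` can make the switch fail voice-VLAN authorization) can be turned into a pre-flight check on the enforcement profile's attribute list. The following is an added example, not code from the thread or from ClearPass; the attribute representation (a list of name/value tuples), the port dict, and the sample profiles are assumptions constructed for the example, with the VLAN numbers taken from reply 7.

```python
"""Check a RADIUS Access-Accept before it reaches a Cisco port with a voice VLAN.

Added example, not code from the thread or from ClearPass. It encodes two
things stated in the thread: the port's `switchport voice vlan` is what the
phone lands in, a Tunnel-Private-Group-ID in the Accept only moves the data
VLAN (replies 6 and 8); and, per the bug note quoted in reply 16 (CSCvb22409),
a Tunnel-* attribute sent together with cisco-av-pair=device-traffic-class=voice
can make the switch fail voice-VLAN authorization. The attribute representation
(list of (name, value) tuples), the port dict, and the sample profiles are
assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Attrs = List[Tuple[str, str]]

TUNNEL_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")


@dataclass
class Verdict:
    domain: str                      # "VOICE" or "DATA"
    vlan: Optional[str]              # VLAN the session is expected to land in
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def av_pairs(attrs: Attrs) -> dict:
    """Split every cisco-av-pair 'key=value' attribute into a dict."""
    out = {}
    for name, value in attrs:
        if name == "cisco-av-pair" and "=" in value:
            key, val = value.split("=", 1)
            out[key.strip()] = val.strip()
    return out


def lint_accept(attrs: Attrs, port: dict) -> Verdict:
    """Predict the VLAN for this Accept on `port` and flag risky attribute mixes."""
    tunnel = {name: value for name, value in attrs if name in TUNNEL_ATTRS}
    voice = av_pairs(attrs).get("device-traffic-class") == "voice"

    if voice:
        # Voice authorization: the VLAN is the port's configured voice VLAN.
        verdict = Verdict("VOICE", port["voice_vlan"])
        if tunnel:
            verdict.findings.append(
                "voice authorization sent with %s; per CSCvb22409 the switch may "
                "fail voice-VLAN authorization, drop Tunnel-* from the voice profile"
                % ", ".join(sorted(tunnel)))
        return verdict

    # Data authorization: no Tunnel-* means the port's static access VLAN.
    if not tunnel:
        return Verdict("DATA", port["access_vlan"])

    missing = [n for n in TUNNEL_ATTRS if n not in tunnel]
    if missing:
        # The bug note covers this too: a partial set is worse than none.
        verdict = Verdict("DATA", port["access_vlan"])
        verdict.findings.append(
            "partial dynamic VLAN assignment, missing %s" % ", ".join(missing))
        return verdict
    if tunnel["Tunnel-Type"] != "VLAN" or tunnel["Tunnel-Medium-Type"] != "IEEE-802":
        verdict = Verdict("DATA", port["access_vlan"])
        verdict.findings.append("Tunnel-Type/Tunnel-Medium-Type are not VLAN/IEEE-802")
        return verdict
    return Verdict("DATA", tunnel["Tunnel-Private-Group-ID"])


# Constructed samples: port VLANs from reply 7, profile shapes from replies 1 and 16.
PORT = {"access_vlan": "2", "voice_vlan": "102"}

PHONE_VOICE_ONLY: Attrs = [("cisco-av-pair", "device-traffic-class=voice")]
PHONE_VOICE_PLUS_VLAN: Attrs = [
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Private-Group-ID", "102"),
    ("cisco-av-pair", "device-traffic-class=voice"),
]
PHONE_VOICE_PARTIAL_TUNNEL: Attrs = [   # the shape reply 16 saw in its capture
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("cisco-av-pair", "device-traffic-class=voice"),
]
PC_DYNAMIC_VLAN: Attrs = [
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Private-Group-ID", "300"),
]

if __name__ == "__main__":
    for label, attrs in [("phone, voice only", PHONE_VOICE_ONLY),
                         ("phone, voice + VLAN", PHONE_VOICE_PLUS_VLAN),
                         ("phone, voice + partial Tunnel", PHONE_VOICE_PARTIAL_TUNNEL),
                         ("PC, dynamic VLAN", PC_DYNAMIC_VLAN)]:
        v = lint_accept(attrs, PORT)
        print("%-30s %-5s vlan=%-4s %s"
              % (label, v.domain, v.vlan, "; ".join(v.findings) or "ok"))
```

Run it against the attribute list of each enforcement profile before a cutover: a voice profile should come back `VOICE vlan=102 ok`, and any Tunnel-* finding on a voice profile means the profile is in the shape the bug note warns about, so the fix is on the ClearPass side (remove the Tunnel attributes from the phone profile, not from the PC profile). The data-VLAN predictions are what replies 6 and 8 describe for IOS; confirm on the actual platform with `show authentication sessions interface <port>` after applying the profile.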