Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Profile Cisco IP Phone With Generic

  • 1.  Clearpass Profile Cisco IP Phone With Generic

    Posted Jan 23, 2018 11:51 AM

    I've managed to profile my Cisco IP phone with an Aruba switch without any issue but failed to do so with a Cisco switch. The only way I can make the phone profile is through SNMP.

     

    IP helper has been configured correctly at the L3 interface.

     


     

    If I connect the same phone, it will be successfully profiled. All computers are able to be profiled successfully with the Cisco switches.

     

    Cisco config:

     

    ip dhcp relay information trust-all
    ip dhcp snooping vlan x-y

     

    interface range GigabitEthernet x
    switchport access vlan x
    switchport mode access
    switchport voice vlan x
    authentication event server dead action authorize vlan x
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout server-timeout 30
    dot1x timeout tx-period 10
    dot1x max-req 3
    dot1x max-reauth-req 3
    spanning-tree portfast



  • 2.  RE: Clearpass Profile Cisco IP Phone With Generic

    EMPLOYEE
    Posted Jan 23, 2018 12:21 PM

    What is the fingerprint for the endpoint?



  • 3.  RE: Clearpass Profile Cisco IP Phone With Generic

    Posted Jan 23, 2018 08:56 PM
    As requested:


  • 4.  RE: Clearpass Profile Cisco IP Phone With Generic

    Posted Jun 27, 2018 12:57 PM

    I'm running into a very similar issue.

     

    I have a Catalyst 4500 switch connected (L2) to a Cisco 9K. We're using a guest VLAN terminated on the 9K for all unknown devices. The VLAN on the 9K is in its own VRF, with IP relays set up correctly on the 9K to forward DHCP to our internal AD servers.

     

    When we connect a workstation to the 4500, we get the correct guest VLAN assignment and the DHCP Discover gets forwarded to our domain controller. When we connect an IP phone, it seems that the DHCP Discover is not forwarded off the 4500, despite it also getting the same guest VLAN/data port assignment.


    Has anyone seen this behavior before? I suspect it's something to do with the way the 4500 is handling the VOIP phone.


    Else is there another way I can profile phones?



  • 5.  RE: Clearpass Profile Cisco IP Phone With Generic

    EMPLOYEE
    Posted Jan 01, 2020 04:16 AM

    Facing the same issue. Was anyone able to fix it?



  • 6.  RE: Clearpass Profile Cisco IP Phone With Generic

    Posted Jan 02, 2020 07:48 PM

    Please can you share how you profiled the Cisco IP Phone connected to an Aruba switch on CPPM? I am looking towards profiling my Cisco IP Phones as well, in such a way that as soon as the phones are connected to an Aruba switch port, it gets profiled by CPPM without manual intervention. 

     

    Thanks.



  • 7.  RE: Clearpass Profile Cisco IP Phone With Generic

    Posted Jan 02, 2020 09:23 PM

    Hi DI,

     

    The way the Cisco phone is being profiled at the Aruba end is by using DHCP relay at the L3 interface of the endpoint VLAN.



  • 8.  RE: Clearpass Profile Cisco IP Phone With Generic

    Posted Jan 27, 2020 02:37 PM

    Thanks Shaiful,

     

    If I understand you, do you mean "ip helper-address x.x.x.x" under the L3 interface of the Cisco IP Phones VLAN, where "x.x.x.x" is the IP address of CPPM?



  • 9.  RE: Clearpass Profile Cisco IP Phone With Generic

    Posted Jan 27, 2020 09:51 PM
    Yes. It should be under your Cisco phone VLAN interface.
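
Added example (not part of the thread and not ClearPass code): the DHCP relay discussed above matters because DHCP fingerprinting generally keys on fields of the relayed Discover, such as option 55 (parameter request list) and option 60 (vendor class), with `giaddr` showing which L3 interface relayed it. The Python below parses those fields from a constructed packet; the MAC, relay address, vendor string and request list are made-up sample values.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_LEN = 236  # BOOTP header (op .. file) that precedes the magic cookie


def build_sample_discover(mac, giaddr, vendor_class, prl):
    """Build a constructed DHCPDISCOVER (sample data, not captured traffic)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, 0x1234ABCD, 0, 0x8000,     # op, htype, hlen, hops, xid, secs, flags
        bytes(4), bytes(4), bytes(4),           # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,   # giaddr: set by the relay agent
        mac, b"", b"")                          # chaddr, sname, file (null padded)
    options = (b"\x35\x01\x01" + bytes([60, len(vendor_class)]) + vendor_class
               + bytes([55, len(prl)]) + bytes(prl) + b"\xff")  # options 53, 60, 55, end
    return header + MAGIC_COOKIE + options


def dhcp_fingerprint(packet):
    """Extract the fields a DHCP profiler keys on; raise ValueError if malformed."""
    if len(packet) < FIXED_LEN + 4 or packet[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fp = {"mac": packet[28:28 + packet[2]].hex(":"),
          "giaddr": str(ipaddress.IPv4Address(packet[24:28])),  # 0.0.0.0 = not relayed
          "msg_type": None, "option55": [], "option60": ""}
    i = FIXED_LEN + 4
    while i < len(packet) and packet[i] != 255:     # 255 = end option
        code = packet[i]
        if code == 0:                               # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        value = packet[i + 2:i + 2 + packet[i + 1]]
        if code == 53 and value:
            fp["msg_type"] = value[0]               # 1 = DHCPDISCOVER
        elif code == 55:
            fp["option55"] = list(value)
        elif code == 60:
            fp["option60"] = value.decode("ascii", "replace")
        i += 2 + len(value)
    return fp


# Constructed sample: MAC, relay address, vendor string and request list are made up.
SAMPLE = build_sample_discover(bytes.fromhex("001122334455"), "192.0.2.1",
                               b"Cisco Systems, Inc. IP Phone", [1, 66, 6, 3, 15, 150, 35])
```

Calling `dhcp_fingerprint(SAMPLE)` returns the parsed fields; a `giaddr` of `0.0.0.0` on a packet seen at the profiler would mean it did not arrive through a relay.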