Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Comware switch Voice Vlan issue on Clearpass

  • 1.  Comware switch Voice Vlan issue on Clearpass

    Posted Jun 19, 2019 01:53 PM

    I've searched many posts about integrating Comware 5 with ClearPass, and it has many compatibility issues.

    But this time, there is an issue with the voice VLAN.

    I'm implementing wired 802.1X and MAC auth on a Comware 5 switch and ClearPass.

    The Comware 5 switch interface is configured as below.

     

    interface GigabitEthernet1/0/1
     port link-mode bridge 
     port link-type hybrid
     undo port hybrid vlan 1
     port hybrid vlan 83 tagged
     port hybrid vlan 82 untagged
     port hybrid pvid vlan 82
     undo voice vlan mode auto
     voice vlan 83 enable
     stp edged-port enable
     mac-authentication
     mac-authentication domain CPPM
     undo dot1x handshake
     dot1x mandatory-domain CPPM
     undo dot1x multicast-trigger
     dot1x

     

    VLAN 82 - Data vlan

    VLAN 83 - Voice vlan

     

    When I connect a PC to the interfaces, it authenticates to ClearPass, which shows it as allowed or denied.

    IP phones, however, never authenticate to ClearPass, yet they get tagged VLAN 83, which is configured on the interface as above.

    Nothing is shown in Access Tracker on ClearPass, but the IP phone already had an IP address on the VLAN 83 network without any authentication.

    The IP phones can be managed even when the voice VLAN is configured on Cisco switches, so there I could apply enforcement to those IP phones.

    I have tested on HPE5500 and HPE5120, which are known as Comware 5 series switches, and the IP phone vendor was "Mitel(aastra)".

    Is it possible to manage Comware switch voice VLAN traffic with ClearPass?



  • 2.  RE: Comware switch Voice Vlan issue on Clearpass

    EMPLOYEE
    Posted Aug 29, 2019 08:22 PM

    Did you ever get to the bottom of this? I just stumbled across this post.

    Don't use Hybrid ports, just use Trunk ports. Tag the Voice VLAN and untag the User VLAN.

    Excluding ClearPass, does your phone system work?



  • 3.  RE: Comware switch Voice Vlan issue on Clearpass

    Posted Aug 30, 2019 01:50 AM

    Hi David,

     

    Yes, the phone system works without ClearPass.

    This issue hasn't been solved with the voice vlan command.

    But a trunk port works well, and MAC auth on ClearPass does as well.

    This is the result of my test on Comware 5 and 7 when using the voice vlan command.

    [ClearPass MAC Authentication for VoIP] - Comware 5/7

    1. Interface configured with voice vlan

      > IP phone is assigned the voice VLAN.

    2. Interface configured with mac-auth and voice vlan

      > IP phone never attempts MAC auth but is assigned the voice VLAN.

      > Nothing of the above shows in the ClearPass Access Tracker.

    3. Interface configured with mac-auth and a tagged VLAN

      > IP phone attempts MAC auth and is assigned the voice VLAN.

      > The above attempt shows in the ClearPass Access Tracker.

      > Possible to assign enforcement profiles.

    I'm sure this issue is caused by the Comware switches.

    I have never seen this kind of issue on the Cisco, Juniper and Huawei switches that I have worked with.
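
A config audit for the behaviour reported in this thread, added here as an example (not posted by any participant and not HPE or Aruba code): it flags Comware ports that combine `voice vlan <id> enable` with `mac-authentication` or `dot1x`, the combination in test case 2 where phones reached the voice VLAN without appearing in Access Tracker. The sample config, the second port and the function names are constructed for illustration.

```python
import re

# Constructed sample: Gi1/0/1 follows the port posted in the thread;
# Gi1/0/2 is a hypothetical trunk port as suggested in the reply.
SAMPLE = """\
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 83 tagged
 port hybrid vlan 82 untagged
 undo voice vlan mode auto
 voice vlan 83 enable
 mac-authentication
 dot1x
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan 82 to 83
 port trunk pvid vlan 82
 mac-authentication
 dot1x
#
"""

def parse_interfaces(config):
    """Split a Comware config into {interface name: [stripped lines]}."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line == "#" or not raw.startswith(" "):
            current = None  # stanza ended
        elif current is not None:
            current.append(line)
    return ports

def audit(config):
    """Return {interface: voice VLAN id} for ports matching test case 2."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        voice = [m.group(1) for l in lines
                 if (m := re.fullmatch(r"voice vlan (\d+) enable", l))]
        authed = "mac-authentication" in lines or "dot1x" in lines
        if voice and authed:  # auth is configured, yet voice VLAN is port-level
            findings[name] = int(voice[0])
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Ports it reports are candidates for the tagged-VLAN layout from test case 3, where the phone's MAC auth attempt reached ClearPass and enforcement profiles could be assigned.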