Frequent Contributor II

IP Phone Repository for ClearPass

During the initial rollout of 802.1x in our corporate environment we are testing IP Phones and how they authenticate against ClearPass. We've found that it may be best to perform MAB against a local repository that we populate with IP phone MAC addresses to start with, then at some point in the future move to enabling 802.1x on the phones (if possible) and load them with certificates.

We'd like to have the phones use the voice VLAN assigned on each port, as we'll have numerous branch offices with different voice VLANs at each attempting to authenticate. In that scenario we can't send back a unique voice VLAN and would like to just send the [Allow Access Profile].

My question, then, is: is it a best practice to use the original [Endpoints Repository], or should we create a unique one for IP Phones specifically (then one for printers, access points, etc.)?

Guru Elite

Re: IP Phone Repository for ClearPass

Any manual endpoints should use Device Registration.

What kind of switches?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor II

Re: IP Phone Repository for ClearPass

Cisco 3650/3850 access layer switches.

Guru Elite

Re: IP Phone Repository for ClearPass

Take a look at the ClearPass Solution Guide for Wired Policy Enforcement. When you return the voice class via RADIUS VSA, the switch will use the locally defined voice VLAN for that session.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Frequent Contributor II

Re: IP Phone Repository for ClearPass

Thanks Tim! I will take a look and reply with any further updates or the resolution.

Contributor I

Re: IP Phone Repository for ClearPass

In our testing with MAB and Cisco 3850s, if the port has a voice VLAN set up, the Cisco phone will get that VLAN no matter if you send the device-traffic-class=voice or not. At least with auth mode of multi-auth.

Frequent Contributor II

Re: IP Phone Repository for ClearPass

I followed the solution guide noted by Tim and found a lot of good information on setting up this service. Using device-traffic-class=voice also allowed our IP Phones to be placed on the correct local voice VLAN rather than the data VLAN.
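The attribute discussed in this thread, shown on the wire, as an added example that is not part of any post here and is not ClearPass or Cisco code: it encodes `device-traffic-class=voice` as a Cisco-AVPair inside a RADIUS Vendor-Specific attribute (RFC 2865 layout) and parses an Access-Accept to check that the voice class was returned. The function names are hypothetical, and the sample packet is constructed with a zeroed authenticator rather than captured.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type for VSAs (RFC 2865)
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number
CISCO_AVPAIR = 1       # Cisco vendor type 1 = Cisco-AVPair
ACCESS_ACCEPT = 2      # RADIUS packet code

def encode_avpair(text):
    """Encode one Cisco-AVPair string as a Vendor-Specific attribute."""
    value = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def build_accept(identifier, avpairs):
    """Constructed Access-Accept for testing; the authenticator is zeroed."""
    attrs = b"".join(encode_avpair(p) for p in avpairs)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, identifier,
                         20 + len(attrs), b"\0" * 16)
    return header + attrs

def cisco_avpairs(packet):
    """Return every Cisco-AVPair string carried in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pos, found = 20, []
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        data = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(data) >= 6:
            vendor = struct.unpack("!I", data[:4])[0]
            vtype, vlen = data[4], data[5]
            if (vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR
                    and 2 <= vlen <= len(data) - 4):
                found.append(data[6:4 + vlen].decode("ascii", "replace"))
        pos += alen
    return found

def is_voice_session(packet):
    """True if the reply places the session in the switch's voice domain."""
    return "device-traffic-class=voice" in cisco_avpairs(packet)

if __name__ == "__main__":
    sample = build_accept(7, ["device-traffic-class=voice"])  # constructed
    print(sample.hex(), is_voice_session(sample))
```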
