Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAB - Cisco Wireless APs and IP Phones

  • 1.  MAB - Cisco Wireless APs and IP Phones

    Posted Apr 02, 2015 11:32 PM

    I have a large Cisco deployment of Cisco APs and IP Phones.  I am utilizing both Data and Voice VLANs on the switchports.


    My basic switchport configuration is:


    interface GigabitEthernet0/5
     switchport access vlan 32
     switchport mode access
     switchport voice vlan 34
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
    end


    I am trying to create a MAB service that will Classify a Cisco AP and an IP Phone when they connect to the network for the first time.  Can someone point me in the right direction?


    It appears when an IP Phone boots up, you must pass back the following RADIUS attribute.

    Radius:Cisco:Cisco-AVPair=device-traffic-class=voice

    so the phone will participate on the Voice VLAN correctly.  If not, it gets hung on trying to register the phone because it appears to be stuck in the data vlan, when it needs to be on the voice vlan.


    If I pass this attribute back for all Cisco Devices, but the device is now an AP, then the AP thinks it should be on the voice vlan instead of the data vlan.


    Is there an easier way to do this and have them profiled so my service policies can simply be:


    Authorization:[Endpoints Repository]:Category  EQUALS  VoIP Phone   -----> Cisco Phone

    Authorization:[Endpoints Repository]:Category  EQUALS  Access Point ------> Cisco AP



  • 2.  RE: MAB - Cisco Wireless APs and IP Phones

    Posted Sep 21, 2015 02:55 PM

    any update on this? 



  • 3.  RE: MAB - Cisco Wireless APs and IP Phones

    Posted Sep 21, 2015 03:01 PM

    Cisco Device Sensor allowed us to profile the device on the fly at first-time boot on the network.  ClearPass sees the device as a VoIP Phone or Access Point and our service works as needed.

    We spent some time getting the right versions of Cisco code to work with this setup.  Let me know if you need details.



  • 4.  RE: MAB - Cisco Wireless APs and IP Phones

    Posted Sep 23, 2015 02:45 PM

    Curious as to your experience with Cisco Device Sensor.  Never used it before and would love it if you could share how you leveraged this to profile your devices. 



  • 5.  RE: MAB - Cisco Wireless APs and IP Phones

    Posted Sep 22, 2015 06:59 AM

    Hey mtiel,


    Could it be that you have to change the host-mode configuration on the switch port? I have had a similar setup and I used multi-domain instead of multi-auth.


    Multi-domain mode should be configured if a data host is connected through an IP Phone to the port. Multi-domain mode should also be configured if the voice device needs to be authenticated.


    Multi-auth mode should be configured to allow up to eight devices behind a hub to obtain secured port access through individual authentication. Only one voice device can be authenticated in this mode if a voice VLAN is configured.


    Multi-host mode also offers port access for multiple hosts behind a hub, but multi-host mode gives unrestricted port access to the devices after the first user gets authenticated.


    With multi-domain, you will have a data domain and a voice domain on the switch port. You can check the authentication via "show authentication interface gi<number>" or "show authentication sessions interface gi<number>".
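As an added illustration (not code from the thread or from ClearPass), the following Python model follows the host-mode rules described in the reply above and the voice-attribute behaviour described in the original question: a MAB/802.1X session only lands in the voice domain when the RADIUS reply carries device-traffic-class=voice, and each host-mode admits a different number of data and voice sessions. The endpoints, MAC addresses and limits are constructed; the real placement is decided by the switch, not by this code.

```python
# Added example, not from the thread: a model of per-port session placement
# under the Cisco host-modes discussed above. Endpoints and MACs are constructed.
from dataclasses import dataclass, field

MULTI_AUTH_DATA_LIMIT = 8  # "up to eight devices behind a hub"


@dataclass
class Endpoint:
    mac: str
    authenticated: bool                     # dot1x/MAB outcome for this MAC
    avpairs: list = field(default_factory=list)  # Cisco-AVPair values in the RADIUS reply

    def domain(self) -> str:
        # Only an explicit device-traffic-class=voice puts the session in the voice domain.
        return "voice" if "device-traffic-class=voice" in self.avpairs else "data"


def port_sessions(host_mode: str, endpoints: list, voice_vlan: bool = True) -> dict:
    """Return {mac: 'data' | 'voice' | 'unrestricted' | 'denied'} in arrival order."""
    limits = {
        "multi-domain": {"data": 1, "voice": 1 if voice_vlan else 0},
        "multi-auth": {"data": MULTI_AUTH_DATA_LIMIT, "voice": 1 if voice_vlan else 0},
    }
    result, used, port_open = {}, {"data": 0, "voice": 0}, False
    for ep in endpoints:
        if host_mode == "multi-host":
            # First successful authentication opens the port for everyone behind it.
            if port_open:
                result[ep.mac] = "unrestricted"
            elif ep.authenticated:
                result[ep.mac], port_open = ep.domain(), True
            else:
                result[ep.mac] = "denied"
            continue
        if host_mode not in limits:
            raise ValueError(f"unknown host-mode {host_mode!r}")
        dom = ep.domain()
        if ep.authenticated and used[dom] < limits[host_mode][dom]:
            used[dom] += 1
            result[ep.mac] = dom
        else:
            result[ep.mac] = "denied"
    return result


# Constructed scenario from the question: a phone, a PC behind it, and an AP.
PHONE = Endpoint("00:11:22:aa:bb:01", True, ["device-traffic-class=voice"])
PC = Endpoint("00:11:22:aa:bb:02", True)
AP = Endpoint("00:11:22:aa:bb:03", True)


def phone_and_pc_multi_domain() -> dict:
    return port_sessions("multi-domain", [PHONE, PC])


def phone_without_voice_attribute() -> dict:
    # Without the attribute the phone becomes the port's one data session,
    # so the PC behind it is refused under multi-domain.
    return port_sessions("multi-domain", [Endpoint(PHONE.mac, True), PC])


def ap_given_voice_attribute() -> dict:
    # Returning the attribute for every Cisco device pushes an AP into the voice domain.
    return port_sessions("multi-domain", [Endpoint(AP.mac, True, ["device-traffic-class=voice"])])
```

The three scenario functions reproduce the outcomes the thread describes: a correctly profiled phone plus PC, a phone left in the data domain, and an AP wrongly sent to the voice domain.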