Security

Reply
Highlighted
Occasional Contributor II

MAC Authentication & Cisco Phones

We are starting to roll out ClearPass and MAC authentication using Cisco switches.

 

We are having problems with Cisco phones and trying to profile them correctly.

 

We have the following config on the ports

Interface gig1/0/1

switchport access vlan 501

switchport mode access

switchport voice vlan 601

device-tracking attach-policy TRACKING

ip access-group DEFAULT-ACL in

authentication host-mode multi-domain

authentication port-control auto

authentication control-direction in.

mab

spanning-tree portfast

 

When the phone first comes onto the network it doesn't have a profile so it gets a role of [other] and we an enforcement profile that pushed down an ACL that allows DHCP so the device can be profiled. After the enforcement profile ClearPass is supposed to send a COA to reauthenticate the device.

 

Here is the problem. In access tracker we see the phone getting the ACL to allow DHCP but nothing happens after that point. No COA is sent from ClearPass

 

Now if I unplug the phone and plug in a PC or another device into the same port the ACL is pushed down from ClearPass and then ClearPass sends a COA command as expected.

 

The only way I can get the phone to be profiled is by also passing down a Radius attribute putting the device in a valid VLAN. Doing this causes all the phones to be profiled correctly and the COA is sent by ClearPass.

 

Any ideas

Highlighted
MVP Guru

Re: MAC Authentication & Cisco Phones

Do you see in Access Tracker that the phone was profiled after the first connect? Do you see the 'Authorization' tab in that Access Tracker entry, which indicates if there was sent/attempted a CoA or not. Can you trigger a CoA manually from Access Tracker?

 

Did the phone get an IP address? In which VLAN?

In which VLAN do you see the phone from your switch at first connect?

 

Please check the ClearPass Solution Guide: Wired Policy Enforcement, which has an extensive section on Cisco as well.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Highlighted
Occasional Contributor II

Re: MAC Authentication & Cisco Phones

When the phone connects I see in access tracker that it get the ACL to only allow DHCP for profiling

 

The phone goes into VLAN 501 but it never gets an IP address. I never see the COA tab come.

 

I can manually trigger ClearPass to do a COA to the client on the switch.

 

Thanks

Highlighted
Contributor I

Re: MAC Authentication & Cisco Phones

Wonder if there's a race condition somewhere. I normally put them in a role that allows DHCP, but also return traffic to get sent to clearpass for profiling info from responses.

 

Do your IP Helpers also forward the DHCP requests to Clearpass? You may want to try something like a session timeout of something like 30 seconds if you're purely doing DHCP so that the session ends and the phone would reauth again then..

 

Not sure that's the best way but you could give it a shot. You could also set that unprofiled role to have a timeout of 3 - 5 minutes and let clearpass run NMAP against the device to do a full profile.

 

Edit: Also to Herman's point, can you verify either at the phone or on the DHCP server that the phone is or isn't receiving an IP Address from DHCP?

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: