We are starting to roll out ClearPass and MAC authentication using Cisco switches.
We are having problems with Cisco phones and trying to profile them correctly.
We have the following config on the ports:
interface gig1/0/1
 switchport access vlan 501
 switchport mode access
 switchport voice vlan 601
 device-tracking attach-policy TRACKING
 ip access-group DEFAULT-ACL in
 authentication host-mode multi-domain
 authentication port-control auto
 authentication control-direction in
 mab
 spanning-tree portfast
When the phone first comes onto the network it doesn't have a profile, so it gets a role of [other], and we have an enforcement profile that pushes down an ACL that allows DHCP so the device can be profiled. After the enforcement profile, ClearPass is supposed to send a COA to reauthenticate the device.
Here is the problem. In Access Tracker we see the phone getting the ACL to allow DHCP, but nothing happens after that point. No COA is sent from ClearPass.
Now, if I unplug the phone and plug a PC or another device into the same port, the ACL is pushed down from ClearPass and then ClearPass sends a COA command as expected.
The only way I can get the phone to be profiled is by also passing down a RADIUS attribute putting the device in a valid VLAN. Doing this causes all the phones to be profiled correctly and the COA is sent by ClearPass.
Any ideas?