Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC Authentication & Cisco Phones

  • 1.  MAC Authentication & Cisco Phones

    Posted Feb 10, 2020 01:00 PM

    We are starting to roll out ClearPass and MAC authentication using Cisco switches.

     

    We are having problems with Cisco phones and trying to profile them correctly.

     

    We have the following config on the ports:

    interface gig1/0/1
     switchport access vlan 501
     switchport mode access
     switchport voice vlan 601
     device-tracking attach-policy TRACKING
     ip access-group DEFAULT-ACL in
     authentication host-mode multi-domain
     authentication port-control auto
     authentication control-direction in
     mab
     spanning-tree portfast

     

    When the phone first comes onto the network it doesn't have a profile, so it gets a role of [other] and we have an enforcement profile that pushes down an ACL that allows DHCP so the device can be profiled. After the enforcement profile, ClearPass is supposed to send a CoA to reauthenticate the device.

     

    Here is the problem. In Access Tracker we see the phone getting the ACL to allow DHCP, but nothing happens after that point. No CoA is sent from ClearPass.

     

    Now if I unplug the phone and plug a PC or another device into the same port, the ACL is pushed down from ClearPass and then ClearPass sends a CoA command as expected.

     

    The only way I can get the phone to be profiled is by also passing down a RADIUS attribute putting the device in a valid VLAN. Doing this causes all the phones to be profiled correctly and the CoA is sent by ClearPass.

     

    Any ideas?



  • 2.  RE: MAC Authentication & Cisco Phones

    EMPLOYEE
    Posted Feb 11, 2020 04:11 AM

    Do you see in Access Tracker that the phone was profiled after the first connect? Do you see the 'Authorization' tab in that Access Tracker entry, which indicates whether a CoA was sent or attempted? Can you trigger a CoA manually from Access Tracker?

     

    Did the phone get an IP address? In which VLAN?

    In which VLAN do you see the phone from your switch at first connect?

     

    Please check the ClearPass Solution Guide: Wired Policy Enforcement, which has an extensive section on Cisco as well.



  • 3.  RE: MAC Authentication & Cisco Phones

    Posted Feb 11, 2020 08:44 AM

    When the phone connects I see in Access Tracker that it gets the ACL to only allow DHCP for profiling.

     

    The phone goes into VLAN 501 but it never gets an IP address. I never see the CoA tab come up.

     

    I can manually trigger ClearPass to do a CoA to the client on the switch.

     

    Thanks



  • 4.  RE: MAC Authentication & Cisco Phones

    Posted Feb 11, 2020 09:09 AM

    Wonder if there's a race condition somewhere. I normally put them in a role that allows DHCP, but also allow return traffic to get sent to ClearPass for profiling info from responses.

     

    Do your IP helpers also forward the DHCP requests to ClearPass? You may want to try something like a session timeout of 30 seconds if you're purely doing DHCP, so that the session ends and the phone would reauth again then.

     

    Not sure that's the best way, but you could give it a shot. You could also set that unprofiled role to have a timeout of 3 - 5 minutes and let ClearPass run NMAP against the device to do a full profile.

     

    Edit: Also, to Herman's point, can you verify either at the phone or on the DHCP server whether the phone is or isn't receiving an IP address from DHCP?
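As an added illustration (not the poster's actual configuration nor anything from HPE Aruba), this is one way the static DEFAULT-ACL referenced on the port and the DHCP helper forwarding suggested in the last reply could look on a Cisco IOS switch. The ACL only admits the DHCP client-to-server exchange before a role is assigned, and the SVI for VLAN 501 relays a copy of each DHCP request to ClearPass so the DHCP fingerprint reaches the profiler; the 192.0.2.x addresses are placeholders.

```cisco
! Pre-authentication ACL applied inbound on the access ports
! (ip access-group DEFAULT-ACL in). Before ClearPass assigns a role,
! the endpoint may only send DHCP, which is what the profiler needs.
ip access-list extended DEFAULT-ACL
 remark permit DHCP client (68) to DHCP server (67) so the phone can get a lease
 permit udp any eq bootpc any eq bootps
 remark everything else is dropped until a role/dACL is pushed
 deny ip any any
!
! Gateway SVI for the data VLAN the phone lands in at first connect.
! The first helper is the real DHCP server; the second sends a copy of
! every DHCP request to ClearPass for device profiling (addresses are
! placeholders, not the poster's).
interface Vlan501
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 192.0.2.5
 ip helper-address 192.0.2.10
!
! Voice VLAN gateway, relayed the same way so phones profiled later
! (after the CoA moves them to the voice domain) are also seen.
interface Vlan601
 ip address 192.0.2.129 255.255.255.128
 ip helper-address 192.0.2.5
 ip helper-address 192.0.2.10
```

If the DHCP relay copy never reaches ClearPass, the endpoint stays unprofiled and no profile-driven CoA will follow, so verify the helper entries on the SVI actually reached by the phone's first VLAN.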