09-13-2016 07:12 AM
I'll be deploying wired 802.1x with HP switches and Clearpass and I was just wondering what is the high level process of configuring a port for 802.1x auth when there is a phone (which supports it) and a wire pc to the phone also ?
Since it's 2 different VLANs and different QoS etc.. I'm not sure how to go about this ?
Thank you !
Solved! Go to Solution.
09-19-2016 08:50 AM
So this can be a tough question as you have different possibilities and it depends on the type of the switch. HP switches come with ArubaOS (or its predecessor Provision OS) and both operate slightly different.
Then you have the PC-behind-phone part, where the phone acts more or less like a switch and strips its own data and is transparent to the device behind the phone. The phone typically get the voice traffic tagged in a voice VLAN (and you use LLDP, DHCP or manual setting to provide the phone with its voice VLAN-id, but getting it untagged works as well in most cases.
One of the nice features of running 802.1X (and MAC auth) is that you can, depending on the setting have multiple devices on the same port (or even a hub/dumb switch behind that with multiple devices) and let the switch authenticate each device individually and even place them in different VLANs.
I've done this multiple times, and in most cases it just works. If you have your QoS on the VLAN, you should not really care if the traffic is tagged or untagged.
Many switches have options on how to authenticate, one old-school example is that the first MAC authenticates the port and after that all traffic is allowed on that port. In ArubaOS switches that is called 'port-mode'. Then some switches have a variant where you authenticate one device on the untagged vlan, and one on the tagged voice VLAN, and the most advanced is where you authenticate each device individual, which is called user-mode in Aruba switches (and the default setting).
To get started with ArubaOS switches, please check Aruba Solution Exchange (https://ase.arubanetworks.com/solutions/id/133) and if you really want to have a tagged voice VLAN that is announced via LLDP, check this place: http://networktasks.co.uk/environments/hp/provision/802-1x-port-authentication
If you have more specific questions, send another post on Airheads or speak with Technical support if you can't get the configuration done.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Re: Wired 802.1x phone and PC
Re: Wired 802.1x phone and PC
01-25-2018 12:36 PM
Herman Robers wrote:
"One of the nice features of running 802.1X (and MAC auth) is that you can, depending on the setting have multiple devices on the same port (or even a hub/dumb switch behind that with multiple devices) and let the switch authenticate each device individually and even place them in different VLANs."
Hi Herman, I am about to get involved in setting up Wired 801.1X on HPE 3800 and have requirement for exactly this type of scenario: VoIP phone with a laptop connected to passthrough port.
Would you be able to share an example of both CPPM (Profiles, Policies, Services) and switch configurations for this specific scenario? Thanks in advance.
NesaM --ACMP, ACCP, CWNA--