Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

clearpass cisco voip

  • 1.  clearpass cisco voip

    Posted Oct 11, 2015 02:35 AM

    hi,

     

    We have an issue while we are trying to configure CPPM with Cisco VoIP on a Cisco switch port,

     

    We've created a MAC auth service, and did all configuration on the port for MAB and dot1x,

     

    Once we plug in the VoIP it's authenticated and authorized, but after 2 minutes it keeps trying to reauthenticate and reauthorize again and again.

     

    How to stop it?

    thank you



  • 2.  RE: clearpass cisco voip

    Posted Oct 11, 2015 08:36 PM

    Can you please share the port config and the enforcement profile?



  • 3.  RE: clearpass cisco voip

    Posted Oct 12, 2015 01:22 AM

    hi,

     

    aaa new-model
    radius-server host 10.239.16.34 key aruba123
    dot1x system-auth-control
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    client 10.239.16.37 server-key aruba123
    port 3799
    auth-type all
    ip dhcp snooping
    ip device tracking
    radius-server vsa send authenticat
    exit
    ********************************************************************************
    (config)interface vlan 1
    ip address 10.239.17.38 255.255.252.0
    ip helper-address 10.239.61.18
    ip helper-address 10.239.16.37
    exit

    *************************************************************
    interface gig 1/0/1
    switchport access vlan 1
    switchport mode access
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout server-timeout 30
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 30
    dot1x max-req 3
    dot1x max-reauth-req 10
    spanning-tree portfast
    lldp transmit
    lldp receive
    exit
    exit

     

    The enforcement profile is just VLAN assignment

    and  

    radius:cisco / cisco:avpair / device-traffic-class-voice



  • 4.  RE: clearpass cisco voip

    EMPLOYEE
    Posted Oct 12, 2015 01:28 AM

    Config looks good. The most common issue is that the phone cannot talk to the PBX, so it will reboot to try again. Make sure it can route correctly on the VLAN.



  • 5.  RE: clearpass cisco voip

    Posted Oct 12, 2015 01:51 AM

    The IP phone is working fine and getting an IP also,

    the problem is it isn't getting the right VLAN IP from my enforcement profile.

     

    It's getting an IP from the default VLAN on the port.

     



  • 6.  RE: clearpass cisco voip

    EMPLOYEE
    Posted Oct 12, 2015 01:55 AM
    Then you need to enable debug on the switch and see if it is getting the correct VLAN. If it's getting the default then the voice VLAN is not in the switch config or your enforcement profile is incorrect. Post a screenshot of Access Tracker and each of the tabs.


  • 7.  RE: clearpass cisco voip

    Posted Oct 12, 2015 09:11 AM
    Under the interface do the following:
    switchport voice vlan <VOICE VLAN>


  • 8.  RE: clearpass cisco voip

    Posted Oct 13, 2015 06:19 AM

    We've already added it.

    The VoIP is getting an IP address, but from the default access VLAN; it's not redirecting to the enforcement VLAN.

     



  • 9.  RE: clearpass cisco voip

    Posted Oct 15, 2015 07:23 AM

    Hi,

     

    I understand that you are only using a Cisco phone to MAC auth with ClearPass. You mention 802.1X. Please elaborate.

     

    Can you share with me the enforcement profile which you did in ClearPass? I want to verify whether you are sending the correct attributes COA to the Cisco switch.

     

    Regards

    Khalid Shaikh 

    ACCP   ACMA    ACMP   CCIE R&S

     

     



  • 10.  RE: clearpass cisco voip

    Posted Oct 16, 2015 04:17 AM

    I solved it, buddy.

    The authorization command was missing, and you have to delete switchport voice also, in order to send your VLAN assignment :D



  • 11.  RE: clearpass cisco voip

    Posted Oct 12, 2015 09:07 AM
    Are you sending the voice-vlan?