ClearPass assigned Voice VLAN on ArubaOS switches with LLDP-MED

  • 1.  ClearPass assigned Voice VLAN on ArubaOS switches with LLDP-MED

    Posted Nov 14, 2018 05:22 PM

    We've gotten Wired 802.1x with MAC auth fallback working on our 5400 switches.

     

    We can get ClearPass to assign a tagged VLAN attribute, after being MAC authenticated.

     

    The problem we are having is since enabling aaa on the ports, LLDP-MED is no longer advertising the tagged Voice VLAN (voice vlan is configured on the switch for the appropriate VLAN).

     

    Is this a supported configuration? Is there a way to achieve this using user roles on the switch?



  • 2.  RE: ClearPass assigned Voice VLAN on ArubaOS switches with LLDP-MED

    Posted Nov 16, 2018 09:58 AM

    I'm working towards the same thing. You are a bit farther along. How do you tag the VLAN?

     

    I seem to recall that the port has to be tagged with the VLAN before LLDP MED can be activated on the port. If this is the case, I wonder if the LLDP MED config can be added after the VLAN is tagged.

     



  • 3.  RE: ClearPass assigned Voice VLAN on ArubaOS switches with LLDP-MED

    Posted Nov 16, 2018 05:25 PM

    We tagged the VLAN using the 'HPE-Egress-VLAN-Name' attribute.

     

    Returning '1VOICE' results in the VLAN with the name 'VOICE' being tagged on the switch port and is also helpful if you use a different voice VLAN on each switch.
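
Added example (not part of the original post, and not HPE or ClearPass code): a small Python check that decodes egress VLAN strings like the '1VOICE' value described above, so an enforcement profile's return values can be sanity-checked before rollout. It assumes the RFC 4675 Egress-VLAN-Name convention ('1' tagged, '2' untagged) also applies to HPE-Egress-VLAN-Name; the function names and the sample attributes are constructed.

```python
# Added example: decode RFC 4675-style egress VLAN strings such as '1VOICE'.
TAG_INDICATORS = {"1": "tagged", "2": "untagged"}  # RFC 4675 octets 0x31 / 0x32

# Assumption: both attributes carry the same "<indicator><vlan name>" string.
EGRESS_NAME_ATTRS = {"HPE-Egress-VLAN-Name", "Egress-VLAN-Name"}


def parse_egress_vlan_name(value):
    """Split one value into (mode, vlan_name); raise ValueError if malformed."""
    if len(value) < 2:
        raise ValueError(f"{value!r}: need a tag indicator followed by a VLAN name")
    mode = TAG_INDICATORS.get(value[0])
    if mode is None:
        raise ValueError(f"{value!r}: tag indicator must be '1' or '2'")
    return mode, value[1:]


def port_vlans_from_accept(attributes):
    """Summarise the VLAN membership an Access-Accept asks the switch to apply.

    attributes: list of (attribute_name, value) pairs; unrelated ones are ignored.
    Returns {"tagged": sorted list of VLAN names, "untagged": name or None}.
    """
    tagged, untagged = set(), None
    for name, value in attributes:
        if name not in EGRESS_NAME_ATTRS:
            continue
        mode, vlan = parse_egress_vlan_name(value)
        if mode == "tagged":
            tagged.add(vlan)
        elif untagged is not None and untagged != vlan:
            # A port has a single untagged VLAN, so two different ones conflict.
            raise ValueError(f"two untagged VLANs requested: {untagged!r}, {vlan!r}")
        else:
            untagged = vlan
    if untagged in tagged:
        raise ValueError(f"VLAN {untagged!r} requested both tagged and untagged")
    return {"tagged": sorted(tagged), "untagged": untagged}


# Constructed sample: a phone profile returning the tagged voice VLAN from the post.
SAMPLE_ACCEPT = [
    ("HPE-Egress-VLAN-Name", "1VOICE"),
    ("Session-Timeout", "3600"),
]

if __name__ == "__main__":
    print(port_vlans_from_accept(SAMPLE_ACCEPT))
```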



  • 4.  RE: ClearPass assigned Voice VLAN on ArubaOS switches with LLDP-MED

    Posted Nov 28, 2018 09:19 AM

    Thanks for the info. One would think there would be a best practice for this type of thing. Have you made any progress?



  • 5.  RE: ClearPass assigned Voice VLAN on ArubaOS switches with LLDP-MED

    MVP GURU
    Posted Nov 28, 2018 09:26 AM

    @rwilsonblue wrote:

    Thanks for the info. One would think there would be a best practice for this type of thing. Have you made any progress?


    There is some change coming on new firmware ;-)



  • 6.  RE: ClearPass assigned Voice VLAN on ArubaOS switches with LLDP-MED

    Posted Nov 28, 2018 03:14 PM

    Any info on what the changes will be? :)



  • 7.  RE: ClearPass assigned Voice VLAN on ArubaOS switches with LLDP-MED

    MVP GURU
    Posted Dec 10, 2018 08:11 AM

     


    @Chris.Denham wrote:

    Any info on what the changes will be? :)


    Look at the release notes for 16.08 :-D



  • 8.  RE: ClearPass assigned Voice VLAN on ArubaOS switches with LLDP-MED

    Posted Dec 10, 2018 03:19 PM

    From the release notes, for posterity:

     

    Bypassing Authentication for VoIP phones

    With 16.08, customers can bypass authentication for certain wired devices such as VoIP phones while still allowing the clients behind the phones to authenticate. For more information, see the Access Security Guide.



  • 9.  RE: ClearPass assigned Voice VLAN on ArubaOS switches with LLDP-MED
    Best Answer

    EMPLOYEE
    Posted Dec 10, 2018 03:24 PM
    Bypassing authentication for phones is NOT recommended. You should assign a voice role.


  • 10.  RE: ClearPass assigned Voice VLAN on ArubaOS switches with LLDP-MED

    Posted Dec 10, 2018 03:32 PM

    Thanks Tim, that is what we will be doing :)



  • 11.  RE: ClearPass assigned Voice VLAN on ArubaOS switches with LLDP-MED

    MVP GURU
    Posted Dec 11, 2018 09:05 AM

    @Chris.Denham wrote:

    From the release notes, for posterity:

     

    Bypassing Authentication for VoIP phones

    With 16.08, customers can bypass authentication for certain wired devices such as VoIP phones while still allowing the clients behind the phones to authenticate. For more information, see the Access Security Guide.


    I was thinking more of this feature:

     

    Device Attributes for User Roles

    To simplify deployment scenarios involving APs, AOS-Switch now allows device level configurations to be added to User Roles. For more information, see the Access Security Guide.

     

    It is possible to do this:

    aaa authorization user-role name "AP"
        vlan-id 101
        vlan-id-tagged 120,121
        device
            port-mode
            admin-edge-port
        exit
    exit