
DUR and role assignment with PC behind IPphone

  • 1.  DUR and role assignment with PC behind IPphone

    EMPLOYEE
    Posted Sep 14, 2019 02:17 AM

    Hi all, a client has 2930F switches along with some Avaya IP phones. They are keen on CPPM and dynamic role assignment through it. Now, since laptops/desktops are connected to the 2930F through the IP phone's inbuilt LAN port and not directly to the 2930F, how will the role assignment work? Authentication will be done for both IP phones and users, so will the same switch port, which is connected to the IP phone and then to the user, have multiple role assignments simultaneously, and how will the traffic flow?

    Please help. Thanks in advance



  • 2.  RE: DUR and role assignment with PC behind IPphone

    MVP GURU
    Posted Sep 15, 2019 04:51 AM

    Hi,

     

    It depends on the authentication method (by port or by client).

    If it is by port, all traffic will be considered IP phone traffic (not recommended...).

    If it is by client (a MAC address), there will be a first authentication for the IP phone and a second for the laptop.



  • 3.  RE: DUR and role assignment with PC behind IPphone

    EMPLOYEE
    Posted Sep 19, 2019 04:03 AM

    Thanks for your reply. Yes, we will do client authentication; for users we want to do 802.1X and for IP phones we will do MAC.



  • 4.  RE: DUR and role assignment with PC behind IPphone

    MVP GURU
    Posted Sep 24, 2019 06:47 PM

    And? Doesn't it work?



  • 5.  RE: DUR and role assignment with PC behind IPphone

    EMPLOYEE
    Posted Sep 25, 2019 05:55 AM

    Hi mohanvnegi,

     

    DUR is based on "user-based authentication".

    So it means that you can assign different user-roles on the same port, up to a limit of 32, as each user/device will be individually authenticated.

    Once authenticated, the match between the user and the Role/Network Profile, and so the VLAN, is made through its MAC Address.

     

    So, your implementation is totally supported:

    You can use 2 different user-roles, with 2 different profiles, assigned by 2 different authentication methods, without any issue.

    You can even assign your user to a tunnel if you want to use Dynamic Segmentation, and let your IP Phone forward on the legacy network.

     

    You can refer to the "Access Security Guide" if you need more information regarding User-Based and Port-Based Authentication modes.

    You can also look at the "ClearPass Solutions Guide: Wired Policy Enforcement" document.