Wired Intelligent Edge (Campus Switching and Routing)

New Contributor

DUR and role assignment with PC behind IPphone

Hi all, a client has 2930F switches along with some Avaya IP phones. They are keen on CPPM and dynamic role assignment through it. Now, since laptops/desktops are connected to the 2930F through the IP phone's inbuilt LAN port and not directly to the 2930F, how will the role assignment work? Authentication will be done for both IP phones and users, so will the same switch port, which is connected to the IP phone and then to the user, have multiple role assignments simultaneously, and how will the traffic flow?

Please help. Thanks in advance.

MVP Expert

Re: DUR and role assignment with PC behind IPphone

Hi,

It depends on the authentication method (by port or by client).

If it is by port, all traffic will be considered IP Phone (not recommended...).

If it is by client (a MAC address), there will be a first authentication for the IP phone and a second for the laptop.




PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info


PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info


PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)


PowerArubaIAP: Powershell Module to use Aruba Instant AP




ACMP 6.4 / ACMX #107 / ACCP 6.5
New Contributor

Re: DUR and role assignment with PC behind IPphone

Thanks for your reply. Yes, we will do client authentication; for users we want to do 802.1X and for IP phones we will do MAC.

MVP Expert

Re: DUR and role assignment with PC behind IPphone

And? It doesn't work?





Re: DUR and role assignment with PC behind IPphone

Hi mohanvnegi,

DUR is based on "user-based authentication".

So it means that you can assign different user-roles on the same port, up to a limit of 32, as each user/device will be individually authenticated.

Once authenticated, the match between the user and the Role/Network Profile, and so the VLAN, is made through its MAC address.

So, your implementation is totally supported:

You can use 2 different user-roles, with 2 different profiles, assigned by 2 different authentication methods, without any issue.

You can even assign your user to a tunnel if you want to use Dynamic Segmentation, and let your IP Phone forward on the legacy network.

You can refer to the "Access Security Guide" if you need more information regarding User-Based and Port-Based Authentication modes.

You can also look at the "ClearPass Solutions Guide: Wired Policy Enforcement" document.
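
As an added example (not part of the reply above and not taken from the guides it names), this is an ArubaOS-Switch configuration for the setup discussed in the thread: 802.1X for the PC and MAC authentication for the IP phone on the same ports, with user-roles downloaded from ClearPass. The server address, secrets, ClearPass account, port range and client limits are placeholder assumptions; check the syntax against the Access Security Guide for your software release.

```text
; Constructed example: 192.0.2.10, <shared-secret>, <cppm-user>,
; <cppm-password> and ports 1-24 are placeholders, not values from this thread.

; ClearPass as RADIUS server, also used to fetch downloadable user-roles
radius-server host 192.0.2.10 key "<shared-secret>"
radius-server host 192.0.2.10 dyn-authorization
radius-server host 192.0.2.10 clearpass
radius-server cppm identity "<cppm-user>" key "<cppm-password>"

; Accept user-roles returned by RADIUS, including downloaded ones (DUR)
aaa authorization user-role enable download

; 802.1X for the PC connected behind the phone
aaa authentication port-access eap-radius
aaa port-access authenticator 1-24
; Setting a client-limit puts 802.1X in user-based mode: every client is
; authenticated individually instead of the first one opening the port
aaa port-access authenticator 1-24 client-limit 2
aaa port-access authenticator active

; MAC authentication for the IP phone on the same ports
aaa authentication mac-based chap-radius
aaa port-access mac-based 1-24
aaa port-access mac-based 1-24 addr-limit 2

; Once both devices are connected, each MAC address should be listed
; on the port with its own user-role
show port-access clients
```

Role download happens over HTTPS, so the switch also has to trust the ClearPass server certificate before the roles can be applied.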

 
