Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass dynamic VLAN timeout

  • 1.  Clearpass dynamic VLAN timeout

    Posted Jun 13, 2022 05:37 AM
    I've just started deploying Clearpass across my campus and have run into an issue with some VoIP phones and printers.  It would appear that the dynamic VLAN assigned by Clearpass is timing out while the printer/phone sleeps and puts them back into the quarantine VLAN.

    My setup is using VLAN 666 as a quarantine VLAN assigned to every port on my Aruba 2930 switches.  If Clearpass sees a client connect and it's in our AD it gets the local corporate data VLAN.  If its MAC is identified as a phone it gets the tagged voice VLAN.  If it's anything else it goes to the local guest VLAN, giving them internet access separate from corporate.  This worked fine during testing and when I deployed it across our main HQ offices.  When I started rolling it out at a site where there are contractors with their own printers and cheaper VoIP phones I've had it break.

    It looks like the VLAN just flips back to 666 relatively quickly because the switch isn't seeing traffic all the time.  A contractor then tries to call a phone or send a print, but the receiving device is no longer on a viable VLAN to receive it.  I had a look through the commands on the switch and tried setting the following...

    aaa port-access authenticator cached-reauth-delay 7200

    I had hoped this would pin the dynamic VLAN in place for a couple of hours but apparently not.  As a quick fix for the phones I've set them to re-register with the phone server every minute or two.  On the printers I tried finding NTP or something similar to set but with no luck.  I've had to disable Clearpass for now on their ports.

    Does anyone have a way around this issue?  How do I get the VLAN assignment to stick around when the device might not actually be talking all the time?


  • 2.  RE: Clearpass dynamic VLAN timeout

    EMPLOYEE
    Posted Jun 27, 2022 06:39 AM
    Hi Kenny,
    What you are looking for is to set mac-pinning for headless devices which tend to "sleep".
    You should set the re-authentication timer (radius attribute) to 0.
    This way the switch will pin the MAC address until the port is physically bounced or disconnected.


  • 3.  RE: Clearpass dynamic VLAN timeout

    Posted Jun 27, 2022 08:37 AM

    Hi there,

    thank you so much for the reply, it sounds like the ideal fix.  How do I actually apply this?  I know that this can be set in 'roles' on the switch, but we do not have roles defined on the switches.  If I look at the aaa port-access commands it says the default re-authentication time is already 0.  Do I need to enable mac-pinning first?  I'm only just starting out with Clearpass and learning as I go, and I don't see a RADIUS section where I can set the timer.  Thanks again for any help, Matan.




  • 4.  RE: Clearpass dynamic VLAN timeout
    Best Answer

    EMPLOYEE
    Posted Jun 28, 2022 04:41 AM
    If not using roles, then set it on the port level:
    aaa port-access mac-based 9 mac-pin
    Also, if you send the Radius:IETF Session-Timeout attribute with the enforcement, remove it so the switch will not trigger a re-auth event for those devices.
    Good Luck.


  • 5.  RE: Clearpass dynamic VLAN timeout

    Posted Jun 28, 2022 04:48 AM
    Thanks for that info.  I'll set some of the phone ports to mac-pin, put their settings back to normal, and see if they operate normally now.


  • 6.  RE: Clearpass dynamic VLAN timeout

    Posted Jul 01, 2022 03:12 AM
    Hi again,

    Just to confirm that setting mac-pin did indeed cure the issue with the Grandstream IP phones dropping off the network.  I can continue my rollout of Clearpass now.  Thanks.


  • 7.  RE: Clearpass dynamic VLAN timeout

    Posted Jun 28, 2022 04:13 AM
    Try setting

    logoff-period 99999

    This “fixes” devices that tend to go to sleep.
    A
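The two switch-side fixes offered in this thread (reply 4's mac-pin and reply 7's long logoff-period) are both per-port settings that are easy to miss when rolling ClearPass out across many Aruba 2930 switches. The script below is an added example, not code from the thread or from HPE Aruba: it audits a running-config excerpt for MAC-auth ports where an idle phone or printer would fall back to the unauth (quarantine) VLAN, and prints the mac-pin lines needed to remediate them. The sample config is constructed, and the line layout (`aaa port-access mac-based <port> ...` as emitted by `show running-config`), the 300-second default logoff-period and the 7200-second "safe" threshold are assumptions to check against your own switches. It cannot see the ClearPass side, so the Session-Timeout attribute in the enforcement profile still has to be checked by hand.

```python
"""
Audit an ArubaOS-Switch running-config for MAC-auth ports on which a sleeping
device would be dropped back to the unauth (quarantine) VLAN.

A port is flagged when mac-based auth is enabled on it and neither mitigation
from the thread is present:
  * 'mac-pin'            -> MAC stays pinned until the link physically drops
  * a long logoff-period -> inactivity window long enough to cover sleep

Constructed sample config below; the line layout mirrors what
'show running-config' prints on ArubaOS-Switch (an assumption).
"""
import re

DEFAULT_LOGOFF_PERIOD = 300    # assumed ArubaOS-Switch default, in seconds
MIN_OK_LOGOFF_PERIOD = 7200    # anything shorter is treated as risky (assumed)

# Constructed example: four MAC-auth ports, quarantine VLAN 666 as in the thread.
# Port 1: defaults only.  Port 2: mac-pin.  Port 3: long logoff.  Port 4: short logoff.
SAMPLE_RUNNING_CONFIG = """\
aaa port-access mac-based 1-4
aaa port-access mac-based 1 unauth-vid 666
aaa port-access mac-based 2 unauth-vid 666
aaa port-access mac-based 2 mac-pin
aaa port-access mac-based 3 unauth-vid 666
aaa port-access mac-based 3 logoff-period 99999
aaa port-access mac-based 4 unauth-vid 666
aaa port-access mac-based 4 logoff-period 600
"""

_MAC_AUTH_LINE = re.compile(r"^aaa port-access mac-based (\S+)(?:\s+(.*))?$")


def expand_ports(spec):
    """'1-3,7' -> ['1', '2', '3', '7']. Non-numeric specs (e.g. stacked '1/1')
    are passed through unexpanded."""
    ports = []
    for part in spec.split(","):
        if "-" in part and part.replace("-", "").isdigit():
            lo, hi = part.split("-")
            ports.extend(str(p) for p in range(int(lo), int(hi) + 1))
        else:
            ports.append(part)
    return ports


def parse_mac_auth(config_text):
    """Return {port: {'enabled', 'mac_pin', 'logoff_period'}} from config text."""
    ports = {}
    for raw in config_text.splitlines():
        match = _MAC_AUTH_LINE.match(raw.strip())
        if not match:
            continue
        spec, rest = match.group(1), (match.group(2) or "").strip()
        for port in expand_ports(spec):
            entry = ports.setdefault(port, {
                "enabled": False,
                "mac_pin": False,
                "logoff_period": DEFAULT_LOGOFF_PERIOD,
            })
            if rest == "":                       # bare line enables MAC auth
                entry["enabled"] = True
            elif rest == "mac-pin":
                entry["mac_pin"] = True
            elif rest.startswith("logoff-period "):
                entry["logoff_period"] = int(rest.split()[1])
    return ports


def risky_ports(config_text, min_logoff=MIN_OK_LOGOFF_PERIOD):
    """(port, logoff_period) for MAC-auth ports that would drop an idle device."""
    flagged = []
    for port, e in parse_mac_auth(config_text).items():
        if e["enabled"] and not e["mac_pin"] and e["logoff_period"] < min_logoff:
            flagged.append((port, e["logoff_period"]))
    return sorted(flagged, key=lambda t: (len(t[0]), t[0]))


def remediation(config_text):
    """Config lines applying the thread's fix (mac-pin) to every risky port."""
    return [f"aaa port-access mac-based {port} mac-pin"
            for port, _ in risky_ports(config_text)]


if __name__ == "__main__":
    for port, logoff in risky_ports(SAMPLE_RUNNING_CONFIG):
        print(f"port {port}: no mac-pin, logoff-period {logoff}s -> "
              f"idle devices return to the unauth VLAN")
    print("\n".join(remediation(SAMPLE_RUNNING_CONFIG)))
```

Run it against the output of `show running-config` saved to a file (read the file into `risky_ports`) before enabling ClearPass enforcement on a new site; ports carrying phones or printers should either appear in the remediation list and get mac-pin, or already carry a logoff-period long enough to outlast their sleep cycle.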