Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass NAC and Shoretel Phones

  • 1.  Clearpass NAC and Shoretel Phones

    Posted Jan 10, 2023 04:58 PM
    Hi,

    Currently testing Clearpass and so far seem to have everything setup with the laptops and computer certs for AD joined devices and user certs for our test Azure AD only devices, so far so good.

    We have Shoretel Phones that the users plug their laptops into. We also use Dell N Series switches with a voice and data VLAN.

    I've set the phones to use wired MAC Auth Bypass. However, the phones seemingly only try to authenticate with ClearPass after they have finished their boot sequence.

    The phones will try to access the Data VLAN for DHCP to get the options to use the Voice VLAN, but fail and get a DHCP timeout. The phones will then finish the boot process, have no IP address and stay at "requesting service". Then they will register against ClearPass, get authenticated and then be assigned to the Voice VLAN.

    I'm just unsure of how I get the phones to be authenticated before they try DHCP. I'm sure it's something with the switch, but if anyone has any suggestions it would be great.
  • 2.  RE: Clearpass NAC and Shoretel Phones

    EMPLOYEE
    Posted Jan 10, 2023 07:59 PM
    Hi Dave,

    Are you seeing DHCP packets from the phone within the data VLAN? When the switch sees a new MAC address it should start the MAC Auth process for that device before it allows traffic to pass.

    Typically MAC Authentication occurs at the switch level and is transparent to the connecting device. It should happen quickly enough that the client device can proceed with its DHCP discovery successfully.

    There is a note in the Dell Switch N series documentation that states: "MAB initiates only after the dot1x guest VLAN period times out. If the client responds to any of the EAPOL identity requests, MAB does not initiate for that client." Could it be that another dot1x process is occurring before MAC Auth Bypass takes place, which results in a failed initial DHCP discovery?
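To check the timing theory above on a real port, a practitioner would want to line up the link-up event, the switch's EAPOL identity requests, the phone's DHCP DISCOVER retries and the MAB RADIUS exchange on one clock and see whether the port was authorised before the phone gave up on DHCP. The script below does that over a constructed timeline. It is an added example, not code from the thread, from Dell or from HPE Aruba; the event names and the timeline lines are invented for illustration and do not match any vendor's log format, and the `guest_vlan_wait` formula (`tx_period * (max_reauth_req + 1)`) is the commonly cited 802.1X estimate, assumed here rather than taken from the Dell documentation.

```python
"""Diagnose the dot1x-before-MAB timing race that can starve a phone of DHCP.

All input below is CONSTRUCTED for this example: the event names and the
timeline are not real Dell N-series, ShoreTel or ClearPass log output.
"""
import re
from dataclasses import dataclass

# Constructed timeline: "<seconds since link-up> <EVENT> key=value ..."
# The phone sends DHCP DISCOVER on the data VLAN while the port is still
# unauthorised; the switch keeps sending EAPOL identity requests and only
# falls back to MAB after the guest-VLAN period expires.
SAMPLE_TIMELINE = """\
0.0  LINK_UP           port=gi1/0/7 mac=00:11:22:33:44:55
0.2  EAPOL_REQUEST_ID  port=gi1/0/7 attempt=1
2.0  DHCP_DISCOVER     mac=00:11:22:33:44:55 vlan=data
6.0  DHCP_DISCOVER     mac=00:11:22:33:44:55 vlan=data
14.0 DHCP_DISCOVER     mac=00:11:22:33:44:55 vlan=data
30.0 DHCP_DISCOVER     mac=00:11:22:33:44:55 vlan=data
30.2 EAPOL_REQUEST_ID  port=gi1/0/7 attempt=2
60.2 EAPOL_REQUEST_ID  port=gi1/0/7 attempt=3
90.5 MAB_RADIUS_REQUEST mac=00:11:22:33:44:55 nas=switch01
90.9 MAB_RADIUS_ACCEPT  mac=00:11:22:33:44:55 vlan=voice
"""

EVENT_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<kind>[A-Z_]+)(?P<rest>.*)$")


@dataclass
class Event:
    t: float       # seconds since link-up
    kind: str      # event name (constructed vocabulary)
    attrs: dict    # key=value attributes on the line


def parse_timeline(text: str) -> list:
    """Parse the constructed timeline format into time-ordered Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparseable timeline line: {line!r}")
        attrs = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
        events.append(Event(float(m.group("t")), m.group("kind"), attrs))
    return sorted(events, key=lambda e: e.t)


def guest_vlan_wait(tx_period: float, max_reauth_req: int) -> float:
    """Estimated seconds the switch spends on EAPOL identity requests before
    falling back to MAB. This is the commonly cited 802.1X estimate and an
    ASSUMPTION for the Dell N series; verify it against the switch docs."""
    return tx_period * (max_reauth_req + 1)


def analyse(events: list, phone_dhcp_timeout: float) -> dict:
    """Report how long the port stayed unauthorised and whether the phone's
    DHCP attempts all fell inside that window (i.e. it lost the race)."""
    link_up = next(e.t for e in events if e.kind == "LINK_UP")
    mab_start = next((e.t for e in events if e.kind == "MAB_RADIUS_REQUEST"), None)
    authorised = next((e.t for e in events if e.kind == "MAB_RADIUS_ACCEPT"), None)
    eapol = [e.t for e in events if e.kind == "EAPOL_REQUEST_ID"]
    discovers = [e.t for e in events if e.kind == "DHCP_DISCOVER"]

    # Frames sent before authorisation never reach the DHCP server.
    dropped = [t for t in discovers if authorised is None or t < authorised]
    served = [t for t in discovers if authorised is not None and t >= authorised]
    phone_gave_up_at = link_up + phone_dhcp_timeout

    return {
        "unauthorised_seconds": None if authorised is None else authorised - link_up,
        "eapol_requests_before_mab": sum(1 for t in eapol if mab_start is None or t < mab_start),
        "dhcp_dropped": len(dropped),
        "dhcp_served": len(served),
        # True when MAB finished only after the phone stopped trying DHCP.
        "race_lost": authorised is None or authorised > phone_gave_up_at,
    }


def diagnose_sample(phone_dhcp_timeout: float = 60.0) -> dict:
    """Run the analysis on the constructed timeline with a 60 s phone DHCP timeout."""
    return analyse(parse_timeline(SAMPLE_TIMELINE), phone_dhcp_timeout)


if __name__ == "__main__":
    report = diagnose_sample()
    for key, value in report.items():
        print(f"{key:28s} {value}")
    print("estimated guest-VLAN wait (tx 30 s, 2 retries):",
          guest_vlan_wait(30, 2), "s")
```

A report where `race_lost` is true and every DHCP DISCOVER is counted as dropped is the signature of the problem in this thread: the port only became authorised after the phone's DHCP client had already given up, so the fix is on the switch side (shortening the EAPOL wait before MAB, or making MAB run first) rather than on ClearPass.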
  • 3.  RE: Clearpass NAC and Shoretel Phones

    Posted Jan 11, 2023 04:26 AM
    Thanks.

    I might try enabling dot1x on the phone with a username and password, just to see if dot1x happens and it picks up a DHCP address. It's possible there's some config in the Shoretel phones too, but they were installed before I started here, so I need to check.