11-14-2012 11:05 AM
So, I'm sure I'm not the first to run into this and I've been digging around looking for answers but found none. What we are trying to do is have dot1x authentication on dual-mode ports, e.g. IP phones (Avaya) with PCs daisy-chained off of them (either domain PCs or guests). I found the configs in the guides but still have a few questions as to why it's not working.
So the phones should be authenticated and dropped onto the phone vlan.
Domain PCs should be authenticated using user authentication via dot1x and be put onto the production vlan.
Guest PCs should fail dot1x and be dumped on the guest vlan.
Here are snippets of my config:
vlan production: the port is untagged
vlan voice: the port is tagged
timeout quiet-period 4294967295
enable ethe 0/1/1 to 0/1/47
interface ethernet 0/1/37
dot1x port-control auto
spanning-tree 802-1w admin-edge-port
We are using 2008R2 NPS for our dot1x auth.
How can I authenticate the phones without a ton of administrative overhead, e.g. entering each MAC individually and creating a user account for each? Maybe groups, or somehow tell the switch that if a MAC matches a defined range it auto-dumps them into the proper vlan?
12-11-2012 01:08 PM
Hi, I was wondering if you ever got this working? I'm trying to do the same, ideally with MAC auth for the phone and user/machine auth for the PC. I can get MAC auth or user auth but not both. Any ideas?
12-11-2012 01:28 PM
Nope, sorry, Brocade support was a brick wall. Since we have to implement full posture validation, dot1x won't work for us anyway; our directives have changed. We are going to use a 3rd party product to do NAC for us. The only thing I have come across that was slightly helpful was this document; just search for it on Brocade's site: BRCD-ENTERPRISE 2373. Basically it uses LLDP for the phone side of things. But I never got to test it out.
Hope things work out for you.
12-13-2012 09:35 AM
You can use LLDP to assign the Voice VLAN using the MED policy. You can also use a better RADIUS server... check this one out:
12-14-2012 04:41 AM
And... you are sending back the appropriate VSAs, correct? The idea is that MAC auth fails and then 802.1x auth should occur. What does Access Tracker look like? You know... you can also do a tcpdump within ClearPass and analyze the logs to see what's being sent and received on the wire...
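An added example (my own code, not from any poster in this thread and not from Brocade, NPS or ClearPass documentation) that covers two points raised above: the dynamic VLAN assignment the original post wants for the production and guest cases, and the "are you sending back the right attributes" question in the last reply. It is a minimal RFC 2865 attribute decoder plus a check for the three RFC 3580 attributes a NAS needs before it will move a port into a RADIUS-assigned VLAN: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID, all carrying the same RFC 2868 tag. The sample replies are constructed inline, not captured from anyone's network; VLAN 10 is an assumed production VLAN; and the Tunnel-Private-Group-ID value is treated as an opaque string because the format a given switch expects (a VLAN ID, a VLAN name, or a vendor form that names tagged and untagged VLANs for a dual-mode port) is switch-specific and should be checked against that switch's own documentation.

```python
"""Decode a RADIUS reply and check the RFC 3580 VLAN attributes a NAS needs."""
import struct

# RADIUS codes (RFC 2865)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Attribute types (RFC 2865 / RFC 2868)
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE802 = 6  # RFC 3580: Tunnel-Medium-Type value for IEEE-802


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(tag, number):
    """Tunnel-Type / Tunnel-Medium-Type value: 1-octet tag + 3-octet integer (RFC 2868)."""
    return bytes([tag]) + number.to_bytes(3, "big")


def packet(code, ident, attrs, authenticator=bytes(16)):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes (RFC 2865).
    The authenticator is left zeroed: this decodes a reply, it does not verify it."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(data):
    """Return (code, identifier, [(type, raw_value), ...]); reject truncated TLVs."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length > len(data) or length < 20:
        raise ValueError("length field inconsistent with packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def split_tag(value):
    """RFC 2868: a leading octet 0x00-0x1F is a tag, anything else is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def check_vlan_assignment(data):
    """Describe what a NAS would make of the VLAN attributes in this reply."""
    code, _, attrs = parse(data)
    result = {"code": CODES.get(code, str(code)), "vlan": None,
              "vendor_specific": [], "problems": []}
    if code != 2:
        result["problems"].append("not an Access-Accept: no dynamic VLAN is applied")
        return result
    found = {}
    for atype, raw in attrs:
        if atype == VENDOR_SPECIFIC and len(raw) >= 6:
            # Report (vendor-id, vendor-type) so a VSA-based policy can be spotted
            result["vendor_specific"].append((int.from_bytes(raw[:4], "big"), raw[4]))
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            found[atype] = split_tag(raw)
    tags = set()
    for atype, name, want in ((TUNNEL_TYPE, "Tunnel-Type", TUNNEL_TYPE_VLAN),
                              (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type", TUNNEL_MEDIUM_IEEE802)):
        if atype not in found:
            result["problems"].append(f"{name} missing")
            continue
        tag, num = found[atype]
        got = int.from_bytes(num, "big")
        if got != want:
            result["problems"].append(f"{name} is {got}, expected {want}")
        tags.add(tag or 0)
    if TUNNEL_PRIVATE_GROUP_ID not in found:
        result["problems"].append("Tunnel-Private-Group-ID missing")
    else:
        tag, group = found[TUNNEL_PRIVATE_GROUP_ID]
        result["vlan"] = group.decode("ascii", "replace")  # opaque: format is NAS-specific
        tags.add(tag or 0)
    if len(tags) > 1:  # the NAS groups tunnel attributes by tag; mismatched tags are ignored
        result["problems"].append(f"tunnel attributes carry different tags {sorted(tags)}")
    return result


# Constructed sample replies (assumed VLAN numbers, not captures from a real network).
ACCEPT_PRODUCTION = packet(2, 7, [            # what a correct NPS policy returns
    attr(TUNNEL_TYPE, tagged_int(0, TUNNEL_TYPE_VLAN)),
    attr(TUNNEL_MEDIUM_TYPE, tagged_int(0, TUNNEL_MEDIUM_IEEE802)),
    attr(TUNNEL_PRIVATE_GROUP_ID, b"10"),     # assumed production VLAN
])
ACCEPT_NO_MEDIUM = packet(2, 8, [             # policy with Tunnel-Medium-Type left out
    attr(TUNNEL_TYPE, tagged_int(0, TUNNEL_TYPE_VLAN)),
    attr(TUNNEL_PRIVATE_GROUP_ID, b"10"),
])
ACCEPT_WRONG_TYPE = packet(2, 9, [            # Tunnel-Type = 1 (PPTP) picked by mistake
    attr(TUNNEL_TYPE, tagged_int(0, 1)),
    attr(TUNNEL_MEDIUM_TYPE, tagged_int(0, TUNNEL_MEDIUM_IEEE802)),
    attr(TUNNEL_PRIVATE_GROUP_ID, b"10"),
])
REJECT = packet(3, 10, [])                    # a guest PC failing dot1x

if __name__ == "__main__":
    for name, reply in (("production", ACCEPT_PRODUCTION), ("no-medium", ACCEPT_NO_MEDIUM),
                        ("wrong-type", ACCEPT_WRONG_TYPE), ("reject", REJECT)):
        print(name, check_vlan_assignment(reply))
```

Feed `check_vlan_assignment` the UDP payload of the Access-Accept from a capture (tcpdump on the RADIUS server, or the switch's RADIUS debug) and compare its `problems` list with the expected accept, then pair an empty list with the VLAN the port actually lands in; a clean reply that still leaves the port in the guest VLAN points at the switch side (dynamic VLAN assignment not enabled, or an unexpected Tunnel-Private-Group-ID format), not the RADIUS policy.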