I would remove the mixed, auth-order and auth-priority, as well the changed timeouts. And temporarily raise/remove the addr/limit/client-limit. Try simple first.
I suspect the auth-order, as that may result in the switch stopping 802.1X processing after the tx-period/supplicant timeout. By default, the AOS-SW will do concurrent onboarding, and a device behind a phone has not been a problem.
And as mentioned before, it may be that the phone is 'eating' the 802.1X traffic between the connected device and the uplink, but that should be easy to test with a packet capture and port mirror to see if EAPoL frames are seen on both sides.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
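The "capture on both sides of the phone" check suggested above is straightforward to automate. The following Python script is an added example, not code from the post or from HPE Aruba Networking: it takes raw Ethernet frames from two capture points (the switch port mirror and a tap between phone and desktop), decodes the EAPoL/EAP headers, and reports which 802.1X messages appear on one side but never on the other. The MAC addresses, frames, the 802.1Q handling and the helper names (build_eapol_frame, parse_eapol, missing_on, diagnose) are all constructed for this demonstration; in real use the frame bytes would come from a pcap reader of your choice.

```python
"""Compare EAPoL (802.1X) traffic seen at two capture points.

Added example, not from the forum post. Assumes raw Ethernet frames as bytes
from two captures: one on the switch port (port mirror) and one between the
phone and the desktop. All sample frames below are constructed test data.
"""
from collections import Counter
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_8021Q = 0x8100
PAE_GROUP_ADDR = "01:80:c2:00:00:03"  # destination MAC used by 802.1X on a LAN

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "EAP-Request", 2: "EAP-Response", 3: "EAP-Success", 4: "EAP-Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet: code, identifier, length, then type + data for requests/responses."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return bytes([code, ident]) + (4 + len(payload)).to_bytes(2, "big") + payload


def build_eapol_frame(src: str, dst: str, eapol_type: int, eap_body: bytes = b"") -> bytes:
    """Untagged Ethernet frame carrying an EAPoL v1 packet (constructed test data)."""
    eapol = bytes([0x01, eapol_type]) + len(eap_body).to_bytes(2, "big") + eap_body
    return mac_bytes(dst) + mac_bytes(src) + ETHERTYPE_EAPOL.to_bytes(2, "big") + eapol


def parse_eapol(frame: bytes):
    """Return (src, dst, description) for an EAPoL frame, or None for anything else."""
    if len(frame) < 14:
        return None
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    offset = 12
    ethertype = int.from_bytes(frame[offset:offset + 2], "big")
    if ethertype == ETHERTYPE_8021Q:  # tagged frame: skip the 4-byte 802.1Q tag
        offset += 4
        ethertype = int.from_bytes(frame[offset:offset + 2], "big")
    if ethertype != ETHERTYPE_EAPOL or len(frame) < offset + 6:
        return None
    ptype = frame[offset + 3]  # EAPoL header: version, type, body length
    body_len = int.from_bytes(frame[offset + 4:offset + 6], "big")
    body = frame[offset + 6:offset + 6 + body_len]
    desc = EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    if ptype == 0 and len(body) >= 4:  # EAP-Packet: decode code and, if present, type
        desc = EAP_CODES.get(body[0], f"EAP-code-{body[0]}")
        if body[0] in (1, 2) and len(body) >= 5:
            desc += "/" + EAP_TYPES.get(body[4], f"type-{body[4]}")
    return src, dst, desc


def summarize(frames):
    """Count (source MAC, message kind) pairs among the EAPoL frames of a capture."""
    return Counter((p[0], p[2]) for p in map(parse_eapol, frames) if p)


def missing_on(seen_side, other_side):
    """EAPoL messages observed at one capture point but never at the other."""
    a, b = summarize(seen_side), summarize(other_side)
    return sorted(k for k in a if k not in b)


# Constructed MACs and captures. On the switch-port mirror only the switch's own
# Request/Identity shows up; on the desktop side only the desktop's EAPOL-Start.
SWITCH = "00:11:22:33:44:01"
DESKTOP = "00:11:22:33:44:02"
PHONE = "00:11:22:33:44:03"

UPLINK_SIDE = [
    build_eapol_frame(SWITCH, PAE_GROUP_ADDR, 0, build_eap(1, 1, 1)),  # EAP-Request/Identity
    b"\xff" * 6 + mac_bytes(PHONE) + b"\x08\x06" + b"\x00" * 28,       # ARP, not EAPoL
]
DESKTOP_SIDE = [
    build_eapol_frame(DESKTOP, PAE_GROUP_ADDR, 1),  # EAPOL-Start, sent twice
    build_eapol_frame(DESKTOP, PAE_GROUP_ADDR, 1),
]


def diagnose(uplink=UPLINK_SIDE, desktop=DESKTOP_SIDE):
    """Which supplicant messages never reach the switch, and which switch messages never reach the desktop."""
    return {
        "not_reaching_switch": missing_on(desktop, uplink),
        "not_reaching_desktop": missing_on(uplink, desktop),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(key, value)
```

If both lists come back empty the phone passes EAPoL through and the problem lies in the port-access configuration; if either is non-empty, the phone (or its VLAN handling) is dropping 802.1X frames in that direction.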
Original Message:
Sent: Jan 27, 2025 03:34 AM
From: Adam Newson
Subject: 802.1X auth via VOIP phone
aaa port-access authenticator 20
aaa port-access authenticator 20 tx-period 5
aaa port-access authenticator 20 supplicant-timeout 5
aaa port-access authenticator 20 max-requests 1
aaa port-access authenticator 20 reauth-period 3600
aaa port-access authenticator 20 client-limit 2
aaa port-access mac-based 20
aaa port-access mac-based 20 addr-limit 2
aaa port-access mac-based 20 addr-moves
aaa port-access mac-based 20 mac-pin
aaa port-access mac-based 20 reauth-period 3600
aaa port-access mac-based 20 server-group "ClearPass"
aaa port-access 20 controlled-direction in
aaa port-access 20 mixed
aaa port-access 20 auth-order authenticator mac-based
aaa port-access 20 auth-priority authenticator mac-based
aaa authorization user-role name VOIP
   vlan-id 7
   vlan-id-tagged 2-3
aaa authorization user-role name Wired-dot1x
   vlan-id 7
Original Message:
Sent: Jan 26, 2025 12:43 PM
From: Daniel Ruiz
Subject: 802.1X auth via VOIP phone
Have you been able to do any tests or do you have the configuration to check it?
------------------------------
Daniel Ruiz
-----------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support.
Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
Original Message:
Sent: Jan 24, 2025 10:35 AM
From: Adam Newson
Subject: 802.1X auth via VOIP phone
I've applied port security to a 2930F to use 802.1X and MAC auth with ClearPass as the RADIUS server. ClearPass returns a local user role and the VLANs are configured locally within the switch.
I'm MAC auth'ing some Mitel VOIP phones to the switch using MAC OUIs within static host lists - which works as expected.
Due to a lack of switchports, a lot of wired desktops are being daisy-chained through the VOIP phones for their network connection. The desktops are configured to authenticate using EAP-TLS and receive their client certificate through GPO. In my testing, when the desktop is daisy-chained through the VOIP phone it can only MAC auth and is not capable of 802.1X. I have the auth priority set to 'authenticator' then 'mac-based' on the switchport, so the priority is always 802.1X if the device is capable, i.e. has received a client certificate via GPO. When I patch the desktop directly into the switchport, instead of via the VOIP phone, 802.1X auth is possible and I can see this in the port-access clients list. Is this the expected behaviour?
Once I either add the MAC address manually into ClearPass or use a static host list with MACs/OUIs, the desktops authenticate fine. However, ideally I'd like to be able to avoid this as I'd prefer them to 802.1X instead, but that may not be possible via a VOIP phone, i.e. MAC auth the VOIP phone and 802.1X the attached desktop.
Thank you.