Make sure nothing is blocking UDP 1645/1645 (or move to the actual RADIUS ports of UDP 1812/1813), try a packet capture from ClearPass to see if the server is receiving anything, try creating the server group and assigning MAC auth to the server group. If none of those work, I'm running out of options; you'll probably want to contact TAC.
Original Message:
Sent: Oct 24, 2024 01:37 PM
From: gmann101
Subject: MAB Authentication For VOIP Phones
Thanks Carson. I have applied the command above to enable MAC auth, bounced the interface which the phone is connected to, but still don't show anything with the access tracker. Further to this, I don't show any MAC address on the switch port itself either, but the phone is plugged in.
Original Message:
Sent: Oct 23, 2024 07:31 PM
From: chulcher
Subject: MAB Authentication For VOIP Phones
Not a requirement, no, but you do need to enable the MAC auth.
aaa authentication mac-based (chap-radius|pap-radius)
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Oct 23, 2024 07:22 PM
From: gmann101
Subject: MAB Authentication For VOIP Phones
Here is what I have configured on the switches so far:
I don't have a AAA server group configured:
aaa server-group radius "cppm_radius" host ###RADIUSIP###
aaa authentication port-access eap-radius server-group cppm_radius
aaa authentication mac-based chap-radius server-group cppm_radius
aaa accounting network start-stop radius server-group cppm_radius
Is a server group required? Thanks
Original Message:
Sent: Oct 23, 2024 06:23 PM
From: chulcher
Subject: MAB Authentication For VOIP Phones
You've configured the RADIUS servers and server group and told the switch which server group to use?
Some basic switch configuration items:
radius-server cppm identity ###CPPMDURUSER### key ###CPPMDURPSWD###
radius-server host ###RADIUSIP### key ###RADIUSKEY### clearpass
radius-server host ###RADIUSIP### dyn-authorization
aaa server-group radius "cppm_radius" host ###RADIUSIP###
ip dns domain-name "###DOMAINNAME###"
ip dns server-address priority 1 ###DNSSERVER###
timesync ntp
ntp unicast
ntp server ###NTPIP### iburst
ntp server-name "###NTPSERVERNAME###" iburst
ntp enable
no telnet-server
time daylight-time-rule continental-us-and-canada
time timezone ###TXOFFSETinMINUTES###
web-management ssl
no web-management plaintext
ip authorized-managers 0.0.0.0 0.0.0.0 access manager access-method snmp
ip authorized-managers 0.0.0.0 0.0.0.0 access manager access-method ssh
ip authorized-managers 0.0.0.0 0.0.0.0 access manager access-method web
ip authorized-managers 0.0.0.0 0.0.0.0 access manager access-method tftp
ip ssh filetransfer
ip source-interface all vlan ###MGMTVLAN###
no tftp client
no tftp server
no banner motd
no banner exec
aaa authentication port-access eap-radius server-group cppm_radius
aaa authentication mac-based chap-radius server-group cppm_radius
aaa accounting network start-stop radius server-group cppm_radius
aaa accounting update periodic 10
aaa authorization user-role enable
aaa authorization user-role enable download
aaa port-access mac-based 1/1-1/48
aaa port-access mac-based 1/1-1/48 addr-limit 2
aaa port-access mac-based 1/1-1/48 mac-pin
aaa port-access mac-based 1/1-1/48 quiet-period 30
aaa port-access authenticator 1/1-1/48 client-limit 2
aaa port-access authenticator 1/1-1/48 supplicant-timeout 6
aaa port-access authenticator 1/1-1/48 tx-period 6
aaa port-access authenticator 1/1-1/48 max-requests 2
aaa port-access authenticator 1/1-1/48 max-eap-retries 2
aaa port-access authenticator 1/1-1/48
aaa port-access authenticator active
aaa port-access 1/1-1/48 auth-order authenticator mac-based
aaa port-access 1/1-1/48 auth-priority authenticator mac-based
------------------------------
Carson Hulcher, ACEX#110
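Added example, not part of the original thread or any poster's code: a small offline check of a saved running-config for the MAC-auth prerequisites named in this reply (a keyed RADIUS host, a server group that any `server-group` reference resolves to, a `mac-based` method, and MAC auth enabled on the phone's port). The function names, the sample configs, and the comma-separated `member/port` list handling are assumptions for illustration.

```python
import re

def port_in_list(port, spec):
    """True if 'member/port' falls inside a list such as '1/1-1/48,2/5'."""
    key = lambda p: tuple(int(x) for x in p.split("/"))
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if key(lo) <= key(port) <= key(hi or lo):
            return True
    return False

def audit_mac_auth(config, port):
    """Return findings for the MAC-auth prerequisites discussed in the thread."""
    lines = [l.strip() for l in config.splitlines()]
    hosts = {m.group(1) for l in lines
             if (m := re.match(r"radius-server host (\S+) key \S+", l))}
    groups = {m.group(1): m.group(2) for l in lines
              if (m := re.match(r'aaa server-group radius "([^"]+)" host (\S+)', l))}
    findings = []
    if not hosts:
        findings.append("no 'radius-server host <ip> key <key>' line")
    for name, host in groups.items():
        if host not in hosts:
            findings.append(f"server group {name} points at undefined host {host}")
    methods = [m for l in lines if (m := re.match(
        r"aaa authentication mac-based (chap|pap)-radius(?: server-group (\S+))?$", l))]
    if not methods:
        findings.append("no 'aaa authentication mac-based' method configured")
    for m in methods:
        ref = (m.group(2) or "").strip('"')
        if ref and ref not in groups:
            findings.append(f"mac-based auth references undefined server group {ref}")
    enabled = any(port_in_list(port, m.group(1)) for l in lines
                  if (m := re.match(r"aaa port-access mac-based (\S+)$", l)))
    if not enabled:
        findings.append(f"MAC auth not enabled on port {port}")
    return findings

# Constructed samples; 192.0.2.10 and EXAMPLEKEY are placeholders.
BROKEN = """
radius-server host 192.0.2.10 key EXAMPLEKEY
aaa authentication mac-based chap-radius server-group cppm_radius
"""
FIXED = BROKEN + """
aaa server-group radius "cppm_radius" host 192.0.2.10
aaa port-access mac-based 1/1-1/48
"""
```

An empty list means the switch-side lines are internally consistent, which moves the investigation to the path between the switch and ClearPass.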
Original Message:
Sent: Oct 23, 2024 06:05 PM
From: gmann101
Subject: MAB Authentication For VOIP Phones
Hi Carson, the request does not appear to be reaching ClearPass, and I don't see anything in the event viewer showing any unknown NAD errors. The switch is added within ClearPass, as 802.1x wired authentication appears to be working.
Original Message:
Sent: Oct 23, 2024 06:01 PM
From: chulcher
Subject: MAB Authentication For VOIP Phones
Do you even see the request reaching ClearPass? Is there anything about an unclassified request? Or does the event viewer show any errors for unknown NAD?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Oct 23, 2024 03:29 PM
From: gmann101
Subject: MAB Authentication For VOIP Phones
Hello, I am in the process of configuring a MAB Service for our VOIP phones, but am not sure where the issue lies, as I don't show any ACCEPT or REJECT requests once the phone is plugged into one of the switchports that is configured for MAB. Here is my configuration within ClearPass.