Port-access multi-domain auth using DUR from ClearPass

  • 1.  Port-access multi-domain auth using DUR from ClearPass

    Posted Aug 25, 2025 08:04 PM
    Edited by cochranes Aug 27, 2025 07:54 PM

    Hello,

    I am working to improve the way we authenticate VoIP with attached data devices using multi-domain with downloadable user roles from ClearPass. The problem I am running into is that, depending on which device auths first, there seems to be inconsistency in which role is assigned to the port. Ultimately, I would like the DURs applied in tandem, with the phone applying a trunk role and the data being allowed on said trunk.

    Here is the Voice DUR:

    class ip VOIP-Traffic
        1 match tcp any any eq 5060
        2 match udp any any eq 5060
        exit
    class ip AnyTraffic
        match ip any any
        exit
    port-access policy voip-traffic
        class ip VOIP-Traffic action dscp EF
        11 class ip AnyTraffic
        exit
    port-access role DUR-EIP_NETWORK-TEST-SC_Voice-2
        associate policy voip-traffic
        poe-priority critical
        trust-mode dscp
        auth-mode multi-domain-mode
        device-traffic-class voice
        mtu 9198
        vlan trunk allowed name Voice
        vlan trunk allowed name Building
        vlan trunk native name Building
        client-inactivity timeout none
        exit

    Here is the Data DUR:
    class ip data
        match any any any
        exit
    port-access policy data
        1 class ip data
        exit
    port-access role DUR-EIP_-Public_Non-Segmented
        associate policy data
        poe-priority high
        trust-mode none
        auth-mode multi-domain-mode
        mtu 9198
        vlan access name Public
        client-inactivity timeout none
        exit

    Port config:
        mtu 9198
        no routing
        vlan access XX
        port-access fallback-role Building-VLAN
        port-access onboarding-method concurrent enable
        aaa authentication port-access auth-mode multi-domain
        aaa authentication port-access dot1x authenticator
            reauth
            enable
        aaa authentication port-access mac-auth
            reauth
            enable
        client track ip enable
        exit



    -------------------------------------------



  • 2.  RE: Port-access multi-domain auth using DUR from ClearPass

    Posted Aug 26, 2025 10:13 AM

    What mode is the port in when the role is applied?

    Have you tried building out the configuration using local roles first?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Port-access multi-domain auth using DUR from ClearPass

    Posted Aug 27, 2025 02:50 PM
    Edited by cochranes Aug 27, 2025 07:52 PM

    Hi Carson,

    I have not tried the LUR since we do not intend to proceed with that method.

    I am not seeing an auth mode listed, but I am now seeing this error:
      Authorization Details
      ----------------------
        Role   : DUR_EIP__Public_Non_Segmented-3185-9
        Status : Download Failed


    Role Information:

    Name  : DUR_EIP__Public_Non_Segmented-3185-9
    Type  : clearpass

    Status: Failed, Role Parsing Failed

    -------------------------------------------



  • 4.  RE: Port-access multi-domain auth using DUR from ClearPass

    Posted Aug 27, 2025 03:00 PM

    Is DUR working for a less complex role configuration?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Port-access multi-domain auth using DUR from ClearPass

    Posted Aug 27, 2025 03:49 PM
    Edited by cochranes Aug 27, 2025 07:56 PM

    Haha, yeah just reverified that myself out of curiosity. Here is the result of our current VoIP device auth mode role result on the same interface:

    Port Access Client Status Details:

    RADIUS overridden user roles are suffixed with '*'

    Client xx:xx:7f:9d:f5:60, xxxx7f9df560
    ======================================
      Session Details
      ---------------
        Port         : 6/1/43
        Session Time : 251s
        IPv4 Address : x.x.2.1
        IPv6 Address : 
        Device Type  : voice

      VLAN Details
      ------------
        VLAN Group Name : 
        VLANs Assigned  : 1,2
          Access          : 
          Native Untagged : 1
          Allowed Trunk   : 1,2

      Authentication Details
      ----------------------
        Status          : mac-auth Authenticated
        Auth Precedence : dot1x - Unauthenticated, mac-auth - Authenticated
        Auth History    : dot1x - Unauthenticated, Supplicant-Timeout, 241s ago
                          mac-auth - Authenticated, 251s ago

      MACsec Details
      --------------
        MKA Session Status : 
        MACsec Status      : 

      Authorization Details
      ----------------------
        Role   : DUR_EIP_Voice_2_Non_Segmented-3192-24
        Status : Applied


    Role Information:

    Name  : DUR_EIP_Voice_2_Non_Segmented-3192-24
    Type  : clearpass
    Status: Completed
    ----------------------------------------------
        Authentication Mode                 : device-mode
        Client Inactivity Timeout           : None
        Native VLAN Name                    : Building
        Allowed Trunk VLAN Names            : Building,
                                              Voice
        MTU                                 : 9198
        QOS Trust Mode                      : dscp
        PoE Priority                        : critical
        Policy                              : voip-traffic_DUR_EIP_Voice_2_Non_Segmented-3192-24
        Device Type                         : voice


    Access Policy Details:
                                                                   
    Policy Name   : voip-traffic_DUR_EIP_Voice_2_Non_Segmented-3192-24
    Policy Type   : Downloaded
    Policy Status : Applied
    Base Policy   : N/A
    ACL Names     : N/A

    SEQUENCE    CLASS                        TYPE ACTION
    ----------- ---------------------------- ---- ----------------------------------
    10          VOIP-Traffic_DUR_EIP_Voic... ipv4 dscp EF 
    11          AnyTraffic_DUR_EIP_Voice_... ipv4 permit                            


    Class Details:

    class ip VOIP-Traffic_DUR_EIP_Voice_2_Non_Segmented-3192-24
        1 match tcp any any eq 5060
        2 match udp any any eq 5060
    class ip AnyTraffic_DUR_EIP_Voice_2_Non_Segmented-3192-24
        10 match any any any

    -------------------------------------------



  • 6.  RE: Port-access multi-domain auth using DUR from ClearPass

    Posted Aug 27, 2025 04:10 PM

    So there is something in those other roles that isn't valid for a DUR; I'd guess the attempt to specify two named and tagged VLANs, but you might need to check with TAC to figure this one out.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: Port-access multi-domain auth using DUR from ClearPass

    Posted Aug 27, 2025 04:16 PM
    Edited by cochranes Aug 27, 2025 04:18 PM

    That was going to be my next step.
    The only diff from Prod role and Test, aside from the data role inclusion, is:
    Prod = auth-mode device

    Test = auth-mode multi-domain


    I will update here if solved
    Thanks Carson!

    -------------------------------------------



  • 8.  RE: Port-access multi-domain auth using DUR from ClearPass

    Posted Aug 27, 2025 07:49 PM
    Edited by cochranes Aug 27, 2025 07:57 PM

    OK, I figured out the problem (before I had to get TAC, thankfully). There may be other combinations that work as well, but this one is solid so far:
    Interface = multi domain
    Voip DUR = Client-mode - Native VLAN Name Building, Allowed VLAN Name = Building and Voice
    Data DUR = Client-mode - Access VLAN name

    Result (Public VLAN 3 is data device)

    (config-if)# show vlan port 6/1/43

    -------------------------------------------------------------------------------
    VLAN  Name                            Mode             Mapping
    -------------------------------------------------------------------------------
    1     Building                        native-untagged  port-access,mbv
    3     Public                          access           mbv
    2     Voice                           trunk            port-access

    (config-if)# show mac-address-table port 6/1/43
    MAC age-time            : 300 seconds
    Number of MAC addresses : 3

    MAC Address          VLAN     Type                      Port
    --------------------------------------------------------------
    xx:xx:7f:9d:f5:60    1        port-access-security      6/1/43
    xx:xx:67:aa:fb:e8    3        port-access-security      6/1/43
    xx:xx:7f:9d:f5:60    2        port-access-security      6/1/43

    (config-if)# show port-access clients inter 6/1/43 detail

      Authorization Details
      ----------------------
        Role   : DUR_EIP__Public_Non_Segmented-3185-27
        Status : Applied


    Role Information:

    Name  : DUR_EIP__Public_Non_Segmented-3185-27
    Type  : clearpass
    Status: Completed

      Authorization Details
      ----------------------
        Role   : DUR_EIP_NETWORK_TEST_SC_Voice_2-3196-22
        Status : Applied


    Role Information:

    Name  : DUR_EIP_NETWORK_TEST_SC_Voice_2-3196-22
    Type  : clearpass
    Status: Completed

    -------------------------------------------
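A quick way to check the state shown above across many ports is to parse the `show port-access clients ... detail` output rather than read it by eye. The script below is an added example for this thread, not code from the original poster or from HPE Aruba; the sample output it parses is constructed from the blocks pasted in this thread (placeholder MACs and addresses), and the field names it keys on (`Role`, `Status`, `Authentication Mode`, the `Details` section headers) are assumed to match the output format shown here.

```python
"""Parse AOS-CX 'show port-access clients ... detail' output and flag clients
whose ClearPass downloadable user role (DUR) did not apply."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the output pasted in this thread; the MACs,
# addresses and role names are placeholders, not a real capture.
SAMPLE = """\
Port Access Client Status Details:

Client 00:11:7f:9d:f5:60, 00117f9df560
======================================
  Session Details
  ---------------
    Port         : 6/1/43
    Device Type  : voice

  Authentication Details
  ----------------------
    Status          : mac-auth Authenticated
    Auth Precedence : dot1x - Unauthenticated, mac-auth - Authenticated

  Authorization Details
  ----------------------
    Role   : DUR_EIP_NETWORK_TEST_SC_Voice_2-3196-22
    Status : Applied

Role Information:

Name  : DUR_EIP_NETWORK_TEST_SC_Voice_2-3196-22
Status: Completed
----------------------------------------------
    Authentication Mode                 : client-mode
    Device Type                         : voice

Client 00:11:67:aa:fb:e8, 001167aafbe8
======================================
  Session Details
  ---------------
    Port         : 6/1/43
    Device Type  :

  Authentication Details
  ----------------------
    Status          : mac-auth Authenticated

  Authorization Details
  ----------------------
    Role   : DUR_EIP__Public_Non_Segmented-3185-9
    Status : Download Failed

Role Information:

Name  : DUR_EIP__Public_Non_Segmented-3185-9
Status: Failed, Role Parsing Failed
"""

CLIENT_RE = re.compile(r"^Client ([0-9A-Fa-f:]{17}),")
KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$")


@dataclass
class Client:
    mac: str
    port: str = ""
    device_type: str = ""
    auth_status: str = ""        # e.g. 'mac-auth Authenticated'
    role: str = ""               # role name ClearPass returned
    role_status: str = ""        # 'Applied' or e.g. 'Download Failed'
    role_parse_status: str = ""  # 'Completed' or 'Failed, Role Parsing Failed'
    auth_mode: str = ""          # auth-mode carried inside the DUR itself


def parse_port_access_clients(text: str) -> List[Client]:
    """One Client per 'Client <mac>' block. The section header decides which
    'Status' line a value belongs to, since that key repeats per section."""
    clients: List[Client] = []
    cur: Optional[Client] = None
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = CLIENT_RE.match(line)
        if m:
            cur = Client(mac=m.group(1).lower())
            clients.append(cur)
            section = ""
            continue
        head = line.rstrip(":")
        if head.endswith("Details") or head == "Role Information":
            section = head
            continue
        kv = KV_RE.match(line)
        if kv is None or cur is None:
            continue
        key, val = kv.group(1).strip(), kv.group(2).strip()
        if section == "Session Details":
            if key == "Port":
                cur.port = val
            elif key == "Device Type":
                cur.device_type = val
        elif section == "Authentication Details" and key == "Status":
            cur.auth_status = val
        elif section == "Authorization Details":
            if key == "Role":
                cur.role = val
            elif key == "Status":
                cur.role_status = val
        elif section == "Role Information":
            if key == "Status":
                cur.role_parse_status = val
            elif key == "Authentication Mode":
                cur.auth_mode = val
    return clients


def failed_role_clients(clients: List[Client]) -> List[Client]:
    """Clients whose DUR was not applied or failed to parse on the switch."""
    return [c for c in clients
            if c.role_status != "Applied" or c.role_parse_status.startswith("Failed")]


if __name__ == "__main__":
    parsed = parse_port_access_clients(SAMPLE)
    for c in parsed:
        print(f"{c.port} {c.mac} type={c.device_type or '-'} role={c.role} "
              f"status={c.role_status} dur-auth-mode={c.auth_mode or '-'}")
    for c in failed_role_clients(parsed):
        print(f"FAIL {c.mac}: {c.role_parse_status or c.role_status}")
```

Feed it the output of `show port-access clients detail` captured over SSH and the `FAIL` lines point straight at the clients stuck in `Download Failed`, with the DUR's own auth-mode printed beside each applied role so a mismatch against the interface mode is visible at a glance.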



  • 9.  RE: Port-access multi-domain auth using DUR from ClearPass

    Posted Sep 03, 2025 02:31 PM
    Edited by cochranes Mar 26, 2026 06:52 PM

    For completeness of reference, here is what I have found from different auth setting combinations, given the above base interface config:


    The following were all conducted using a power cycle of the phone between tests.

    Auth combinations for VoIP pass-thru:

    Interface          Phone DUR          Data DUR           Result
    -----------------  -----------------  -----------------  -------------------------------------------------------------
    multi-domain-mode  client-mode        client-mode        Both devices auth correctly
    multi-domain-mode  client-mode        multi-domain-mode  Only phone auths and gets an IP, Data DUR fails
    multi-domain-mode  client-mode        device-mode        Only Data DUR applies and both devices get IP from data VLAN
    multi-domain-mode  multi-domain-mode  device-mode        Only Data DUR applies and both devices get IP from data VLAN
    multi-domain-mode  multi-domain-mode  client-mode        Only Data DUR applies; PC gets an IP, phone does not
    client-mode        client-mode        client-mode        Only phone auths and gets an IP, pass-thru fails
    device-mode        client-mode        client-mode        Only phone auths and gets an IP, pass-thru fails
    any                device-mode        any                Phone auth only with Building VLAN pass-thru
    client-mode        client-mode        any                Only phone auths and gets an IP, pass-thru fails
    client-mode        multi-domain-mode  client-mode        DUR fails, port dead
    client-mode        multi-domain-mode  multi-domain-mode  DUR fails, port dead
    multi-domain-mode  multi-domain-mode  multi-domain-mode  DUR fails, port dead



    -------------------------------------------
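The matrix above is the kind of thing worth encoding as a pre-push check so that a DUR with the wrong auth-mode never reaches ClearPass in the first place. The linter below is an added example for this thread, not code from the original poster or from HPE Aruba: it parses a `port-access role` block in the form posted earlier, flags any role whose `auth-mode` is not `client-mode` (the only combination in the matrix that applied both DURs on a multi-domain interface), and, as an assumption that is not from the thread, also flags a role that mixes `vlan access` with `vlan trunk` settings. The sample roles are the ones posted above, with the data role's auth-mode changed to the working value.

```python
"""Lint an AOS-CX 'port-access role' block before it is loaded into ClearPass
as a downloadable user role (DUR) for a port in multi-domain auth mode."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The voice role as first posted in this thread (auth-mode multi-domain-mode),
# and the same role with the auth-mode the final working setup used.
VOICE_DUR_AS_POSTED = """\
port-access role DUR-EIP_NETWORK-TEST-SC_Voice-2
    associate policy voip-traffic
    poe-priority critical
    trust-mode dscp
    auth-mode multi-domain-mode
    device-traffic-class voice
    mtu 9198
    vlan trunk allowed name Voice
    vlan trunk allowed name Building
    vlan trunk native name Building
    client-inactivity timeout none
    exit
"""
VOICE_DUR_FIXED = VOICE_DUR_AS_POSTED.replace("auth-mode multi-domain-mode",
                                              "auth-mode client-mode")
DATA_DUR_FIXED = """\
port-access role DUR-EIP_-Public_Non-Segmented
    associate policy data
    poe-priority high
    trust-mode none
    auth-mode client-mode
    mtu 9198
    vlan access name Public
    client-inactivity timeout none
    exit
"""

# Single-valued role settings this check cares about; anything else is ignored.
SCALAR_FIELDS = [
    ("auth_mode", r"auth-mode (\S+)"),
    ("policy", r"associate policy (\S+)"),
    ("device_traffic_class", r"device-traffic-class (\S+)"),
    ("access_vlan", r"vlan access (?:name )?(.+)"),
    ("native_vlan", r"vlan trunk native (?:name )?(.+)"),
]
ALLOWED_RE = re.compile(r"vlan trunk allowed (?:name )?(.+)")


@dataclass
class Role:
    name: str
    auth_mode: Optional[str] = None
    policy: Optional[str] = None
    device_traffic_class: Optional[str] = None
    access_vlan: Optional[str] = None
    native_vlan: Optional[str] = None
    allowed_vlans: List[str] = field(default_factory=list)


def parse_role(text: str) -> Role:
    """Extract the fields the checks need from the first 'port-access role'
    block; class and policy definitions ahead of it are skipped."""
    role: Optional[Role] = None
    for raw in text.splitlines():
        line = raw.strip()
        if role is None:
            if line.startswith("port-access role "):
                role = Role(name=line[len("port-access role "):].strip())
            continue
        if line == "exit":
            break
        m = ALLOWED_RE.fullmatch(line)
        if m:
            role.allowed_vlans.append(m.group(1).strip())
            continue
        for attr, pattern in SCALAR_FIELDS:
            m = re.fullmatch(pattern, line)
            if m:
                setattr(role, attr, m.group(1).strip())
                break
    if role is None:
        raise ValueError("no 'port-access role' block found")
    return role


def lint_for_multi_domain(role: Role) -> List[str]:
    """Findings for a DUR destined for an interface configured with
    'aaa authentication port-access auth-mode multi-domain'."""
    findings: List[str] = []
    if role.auth_mode != "client-mode":
        # From the matrix in this thread: every combination with a
        # multi-domain-mode or device-mode DUR on a multi-domain interface
        # either failed to download or applied only one of the two roles.
        # An unset auth-mode is flagged too (assumption) so the choice is explicit.
        findings.append(f"{role.name}: auth-mode is {role.auth_mode or 'unset'}; "
                        "use 'auth-mode client-mode' in both the voice and data DUR")
    if role.access_vlan and (role.native_vlan or role.allowed_vlans):
        # Assumption, not from the thread: a role should carry either
        # 'vlan access' or 'vlan trunk' settings, not both.
        findings.append(f"{role.name}: mixes 'vlan access' with 'vlan trunk' settings")
    return findings


if __name__ == "__main__":
    for text in (VOICE_DUR_AS_POSTED, VOICE_DUR_FIXED, DATA_DUR_FIXED):
        r = parse_role(text)
        print(r.name, "->", lint_for_multi_domain(r) or "ok")
```

Run it over the full DUR text (class, policy and role blocks together); `parse_role` skips everything before the `port-access role` line, so the same file that goes into the ClearPass enforcement profile can be linted unchanged.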



  • 10.  RE: Port-access multi-domain auth using DUR from ClearPass

    Posted Sep 10, 2025 08:29 AM

    Expected behaviour. A port can be in data or client mode, not both. It's not a VLAN property but a port property.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------