
Aruba ClearPass Workshop (2021) - AOS-CX Wired #6 Wired Device behind phone - AP with tagged VLANs

This video shows two advanced scenarios: a Windows client behind an IP phone, and an Instant AP with tagged VLANs on an authenticated port. In the device-behind-phone scenario, both devices are authenticated. The phone uses MAC authentication and gets the voip role in the voice VLAN. The client does wired 802.1X and ends up in the contractor role and in the guest VLAN. We just need to increase the maximum number of clients per port:
interface 1/1/2-1/1/24
    aaa authentication port-access client-limit 3
For the Instant AP, a new role is created, and instead of a single access VLAN we now configure a trunk with a native VLAN and multiple tagged VLANs. Because the IAP has already authenticated its devices, we need to dynamically switch the port to port mode so that the switch does not authenticate all of those clients as well:
port-access role contractor
    vlan access name Guest VLAN
port-access role voip
    associate policy pol-voip
    vlan access name Voice VLAN
port-access role instant-ap
    vlan trunk native name Management VLAN
    vlan trunk allowed name Corporate VLAN
    vlan trunk allowed name Voice VLAN
    vlan trunk allowed name Guest VLAN
    vlan trunk allowed name Untrusted VLAN
    auth-mode device-mode
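A small audit of the role definitions above, as an added example that is not part of the original video description: it parses `port-access role` blocks and flags roles whose auth-mode does not fit the device they are meant for. The role `lab-ap` is a constructed, hypothetical entry. The sketch assumes that a role without an `auth-mode` line runs in client-mode and that device-mode leaves devices behind the first authenticated one unauthenticated.

```python
import re

# Constructed input: roles from the description above, plus one hypothetical
# role ("lab-ap") that trunks VLANs but omits "auth-mode device-mode".
SAMPLE = """\
port-access role voip
    associate policy pol-voip
    vlan access name Voice VLAN
port-access role instant-ap
    vlan trunk native name Management VLAN
    vlan trunk allowed name Corporate VLAN
    vlan trunk allowed name Guest VLAN
    auth-mode device-mode
port-access role lab-ap
    vlan trunk native name Management VLAN
    vlan trunk allowed name Guest VLAN
"""

ROLE = re.compile(r"port-access role (\S+)$")
SUB = re.compile(r"(vlan (access|trunk native|trunk allowed) name (.+)"
                 r"|auth-mode (\S+)|associate policy \S+)$")

def parse_roles(config):
    """Return {role: {"mode": str, "access": name or None, "trunk": [names]}}."""
    roles, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ROLE.match(line):
            # Assumption: no auth-mode line means the role is in client-mode.
            cur = roles.setdefault(
                m.group(1), {"mode": "client-mode", "access": None, "trunk": []})
        elif cur is not None and (m := SUB.match(line)):
            if m.group(4):
                cur["mode"] = m.group(4)
            elif m.group(2) == "access":
                cur["access"] = m.group(3)
            elif m.group(2):
                cur["trunk"].append(m.group(3))
        elif line:
            cur = None  # any other command ends the role block
    return roles

def audit(config):
    """Flag roles whose auth-mode does not match the VLAN layout they carry."""
    findings = []
    for name, r in parse_roles(config).items():
        if r["trunk"] and r["mode"] != "device-mode":
            findings.append((name, "trunk role in client-mode: clients behind "
                                   "the AP are authenticated again on the switch"))
        if r["mode"] == "device-mode" and not r["trunk"]:
            findings.append((name, "device-mode on an access role: devices "
                                   "behind the first one are not authenticated"))
    return findings
```

Calling `audit()` on a saved copy of the switch configuration returns a list of `(role, finding)` pairs, which is empty for the three roles shown in the description.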
Workshop video overview, schedule, and discussion can be found on the Airheads Community: community.arub...
⏰Timestamps:
00:00 Intro
00:27 Add port number to Access Tracker view
01:12 Increase client-limit on switch ports
01:55 Connect Windows 10 client behind IP Phone
03:19 AP with tagged VLANs on authenticated port
03:55 Role for instant-ap with VLANs on switch
05:20 Changes to ClearPass for InstantAP authentication
06:50 Connect InstantAP and show result

Comments: 7

  • @stefanbartels635
    2 years ago

    Very helpful with direct reference to practice! Keep it up!

  • @antoinescicluna9627
    2 years ago

    Thanks for this series of videos! Keep it up :) Subscribed to your channel

  • @aliyassine9227
    1 year ago

    Hi Herman, excellent videos! Do you have a video where you use host-list instead of profiler?

  • @mohammedkeswani2494
    1 year ago

    Hello Herman, thank you again for the affirmative videos. I have a question regarding the DACL that is used on ISE. I can see that here you are configuring the ACL on the switch, then creating an enforcement profile, then assigning it to a policy and adding it to the service. That is fine, but how can I create a DACL from ClearPass and assign it to the users to permit or deny specific IPs?

  • @zulscofield7033
    2 years ago

    Hi Herman! Great video as always! May I know how to achieve the exact same thing ("Windows client behind an IP Phone") but with "AOS" devices (not CX)? AOS and CX are different OSes with different commands.
    Scenario: Windows client behind an IP Phone:
    - For the device-behind-phone, both devices are authenticated.
    - The phone with MAC authentication, resulting in a voip role in the voice VLAN.
    - The client does 802.1X wired and ends up in a contractor role and in the guest VLAN.
    I would really appreciate it if you can provide a detailed guide to achieve this. Thank you!

  • @minhtuannguyen8928
    1 year ago

    Hi Herman, do you have an example configuration showing how we can do this with a Cisco switch, Aruba AP and ClearPass? Can I do this without roles?

  • @AirheadsBroadcasting
    1 year ago

    I'm not a Cisco Switch expert, but NEAT should be the answer to your question: community.cisco.com/t5/security-documents/neat-with-interface-template/ta-p/3642967 which creates an interface template, which can be selected by returning the Cisco-AV-Pair attribute with the value: interface-template-name=
