IP Telephony and NAC

Unanswered Question
May 17th, 2009

Hi to all,


I have this situation: my customer is using Alcatel IP phones for his IP telephony. I have already configured a device filter list with the MACs of the phones so the NAS can ignore their MACs, and I have also enabled the "Change VLAN according to device filter list" option in the port profile, but as soon as the user logs into the network the port changes to the authentication VLAN again and the user is out of the network.


What I've noticed is that when the NAM takes control of the switch via SNMP, the MAC addresses learned on the port connected to the IP phone come up and down many times; I mean, when I run the command show mac-address-table int f0/1, sometimes the MACs are there and sometimes not. I think the switch is sending this trap to the NAM and that's why the VLAN goes back to the authentication VLAN.


I thought it could be an SNMP issue, so I upgraded the IOS on the switch and also tried a different one, but it is the same situation.


Is there something else I have to do to get NAC working with users connected to IP phones?


Thanks in advance for your help.

amritpatek Fri, 05/22/2009 - 12:23

With Cisco NAC Appliance Out-of-Band deployment, the Clean Access Server (CAS) is inline with user traffic only during the process of authentication, assessment and remediation. Following that, user traffic does not pass through the CAS. In OOB deployment, the Clean Access Manager (CAM) uses SNMP to control switches and set VLAN assignments for ports.

gschmitt.ngit Sat, 05/23/2009 - 09:41

Hi Alfonso,


I have had an opportunity to check the chalk talk presentation on CCO for the NAC/IP phone implementation. It covers the routine for this type of deployment very well.


In short, with Cisco IP phones you use the data and voice VLAN commands on the port connected to the IP phone. This is an update to the older configurations, where you configured the port as a dot1q trunk.


For phones other than Cisco IP phones (Alcatel), you have to configure the port as a trunk. NAC will see the native VLAN as the data VLAN and change it when doing the OOB switch to the Auth/Access VLAN, leaving your voice VLAN alone.


Also, be sure you do not have port bouncing configured for the controlled switch port profile.


Cheers,


Greg
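As an added example, not taken from the original thread or from Cisco's chalk talk, here are the two port styles Greg describes, written as Cisco IOS interface configuration. The VLAN numbers (10 = data/NAC-controlled, 20 = voice), the interface names and the phone model are assumptions for illustration.

```cisco
! Added example, not from the original thread. VLAN 10 = data VLAN that the
! CAM rewrites between the Auth VLAN and the Access VLAN over SNMP, VLAN 20 =
! voice VLAN, both assumed. The voice VLAN is never touched by the CAM, so the
! phone keeps its registration across the change.

! Style 1: Cisco IP phone (learns its voice VLAN over CDP/LLDP-MED).
! The port stays an access port: the PC behind the phone is untagged in
! VLAN 10 and the phone tags its own traffic into VLAN 20.
interface FastEthernet0/1
 description Cisco phone + PC, NAC OOB controlled port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast

! Style 2: non-Cisco phone (e.g. the Alcatel phone in the question).
! The port is an 802.1Q trunk. The PC's untagged frames land in the native
! VLAN (10), which is the VLAN the CAM rewrites; the phone itself must be set
! to tag its voice frames with VLAN 20 and to pass the PC's frames through
! untagged (how that is set depends on the phone model).
interface FastEthernet0/2
 description Alcatel phone + PC, NAC OOB controlled port
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 spanning-tree portfast trunk

! Quick checks from the switch while the CAM has control of the port:
!   show interfaces FastEthernet0/2 switchport
!     -> the native VLAN should flip between Auth VLAN and Access VLAN
!   show mac-address-table interface FastEthernet0/2
!     -> phone MAC learned in VLAN 20, PC MAC learned in VLAN 10
```

The `switchport trunk encapsulation dot1q` line is only accepted on platforms that also support ISL (3560/3750 class); on dot1q-only switches such as the 2960 series, leave it out. The SNMP trap configuration the CAM relies on (linkup/linkdown or MAC-notification traps) is deliberately omitted here because its syntax varies by IOS release. Whichever port style is used, the phone MACs still need to be in the CAM's global device filter list so that the phone's own MAC appearing and disappearing on the port is not treated as a new client.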

nickbettison Fri, 10/09/2009 - 03:37

Hi There,


I have the same issue (only 1 MAC in the switch, lots of SNMP writes from the CAM) but with Cisco phones.


The access switch has ...


switchport access vlan xxx

switchport voice vlan yyy


but as soon as you make a call the PC is put in the unauthenticated VLAN... any ideas?

alfonso.cornejo Fri, 10/09/2009 - 13:04

Hi,


I solved this situation by configuring a device filter on the CAM: exclude the MAC address range of your phones.


Regards,

jagan_240 Sat, 10/10/2009 - 09:29

I have the same issue but with a different problem. Can you tell me how you configured the switch port? I have an Alcatel 4028 IP phone. The configuration in the switch is


switchport access vlan 10 --> NAC vlan

switchport voice vlan 20


If I configure a trunk on the switch, do I need to configure a trunk on the IP phone as well?

alfonso.cornejo Mon, 10/12/2009 - 06:49

Hi,


I configured the port like this:


switchport access vlan 10 --> NAC vlan

switchport voice vlan 20


And I excluded all the IP phones using a filter in the CAM. The NAC VLAN is the only one that changes during authentication, etc.; the voice VLAN remains the same.


jagan_240 Mon, 10/12/2009 - 09:40

Alfonso,

Hi, I did the same, but the IP phones are not working. After that I changed the VLAN settings in the IP phone as shown below


PC--->IP Phone--->switch


Here the interface leading from the IP phone to the PC is manually configured for VLAN 10 (voice VLAN). After this, NAC started to give issues. I am coming back to my question: did you make any changes to the IP phone settings? If not, can anyone provide a solution for the same?


regards,

alfonso.cornejo Mon, 10/12/2009 - 09:47

Hi,


I didn't change anything on the IP phones; I just created the filter for the IP phones in the CAM in order to exclude them from the NAC process.


Regards,


Alfonso

nickbettison Thu, 10/15/2009 - 01:01

What caught me out is that after you create the filter which IGNOREs the IP phone MACs, you have to tick the box...


OOB Management > Profiles > Port > Change VLAN according to global device filter list (device must be in list).


in order for it to actually work!


good luck,

Nick
