
IP Telephony and NAC

alfonso.cornejo
Level 3

Hi to all,

I have this situation: my customer is using Alcatel IP phones for his IP telephony, and I have already configured a Device Filter list with the MAC of the phone so the NAS can ignore its MAC, and also enabled the "Change VLAN according to device filter list" option in the port profile, but as soon as the user logs into the network the port changes to the authentication VLAN again and the user is out of the network.

What I've noticed is that when the NAM takes control of the switch via SNMP, the MAC addresses that are learned from the port that is connected to the IP phone are coming up and down many times. I mean, when I perform the command show mac-address-table int f0/1, sometimes the MACs are there and sometimes not, and I think the switch is sending this trap to the NAM and that's why the VLAN comes back to the authentication VLAN again.

I thought that could be an SNMP issue, and I upgraded the IOS in the switch and also tried with a different one, but it is the same situation.

Is there something else that I have to do to have NAC working with users connected to IP phones?

Thanks in advance for your help.
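One way to quantify the flapping described in the post above, as an added example that is not part of the original thread: it parses repeated outputs of show mac-address-table int f0/1 and counts, per MAC, how often the entry appears or disappears and which VLANs it was seen in. The sample outputs, MAC addresses, VLAN numbers and the phone prefix are constructed assumptions.

```python
import re

# One table row, e.g. "  10    0011.2233.4455    DYNAMIC     Fa0/1"
ROW = re.compile(
    r"^[ \t]*(\d+)[ \t]+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})[ \t]+\S+[ \t]+\S+[ \t]*$",
    re.I | re.M,
)

HEADER = (
    "Vlan    Mac Address       Type        Ports\n"
    "----    -----------       --------    -----\n"
)
PHONE = "  20    00aa.bb00.0001    DYNAMIC     Fa0/1\n"      # constructed phone MAC
PC_ACCESS = "  10    0011.2233.4455    DYNAMIC     Fa0/1\n"  # constructed PC MAC
PC_AUTH = "  99    0011.2233.4455    DYNAMIC     Fa0/1\n"    # VLAN 99: assumed auth VLAN

# Constructed outputs of `show mac-address-table int f0/1`, polled in sequence.
SNAPSHOTS = [
    HEADER + PHONE + PC_ACCESS,
    HEADER + PHONE,
    HEADER + PHONE + PC_AUTH,
    HEADER,
    HEADER + PHONE + PC_AUTH,
]

def parse(snapshot):
    """Return {mac: vlan} for one command output."""
    return {m.group(2).lower(): int(m.group(1)) for m in ROW.finditer(snapshot)}

def flap_report(snapshots, phone_prefixes):
    """Per MAC: appear/disappear transitions, VLANs seen, and phone-filter match."""
    tables = [parse(s) for s in snapshots]
    report = {}
    for mac in sorted(set().union(*tables)):
        seen = [mac in t for t in tables]
        report[mac] = {
            "transitions": sum(a != b for a, b in zip(seen, seen[1:])),
            "vlans": sorted({t[mac] for t in tables if mac in t}),
            "is_phone": mac.startswith(tuple(phone_prefixes)),
        }
    return report

if __name__ == "__main__":
    for mac, info in flap_report(SNAPSHOTS, ["00aa.bb"]).items():
        print(mac, info)
```

A PC MAC with many transitions and more than one VLAN, next to a phone MAC that stays in the voice VLAN, points at the data VLAN being rewritten rather than at the phone itself.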

9 Replies

amritpatek
Level 6

With Cisco NAC Appliance Out-of-Band deployment, the Clean Access Server (CAS) is inline with user traffic only during the process of authentication, assessment and remediation. Following that, user traffic does not pass through the CAS. In OOB deployment, the Clean Access Manager (CAM) uses SNMP to control switches and set VLAN assignments for ports.

gschmitt.ngit
Level 1

Hi Alfonso,

Have had an opportunity to check the chalktalk presentation on CCO for NAC/IP Phone implementation. It covers the routine for this type of deployment very well.

In short, with Cisco IP phones, you use the Data and Voice VLAN commands on the port connected to the IP phone. This is an update to the older configurations where you configured the port as a dot1q trunk.

For other than Cisco IP phones (Alcatel), you have to configure the port as a trunk. NAC will see the native VLAN as the data VLAN, and change it when doing the OOB switch to the Auth/Access VLAN, leaving your "voice" VLAN alone.

Also, be sure you do not have port bouncing configured for the controlled switch port profile.

Cheers,

Greg

Hi There,

I have the same issue (only 1 MAC in switch, lots of SNMP writes from CAM) but with Cisco Phones.

The access switch has ...

switchport access vlan xxx

switchport voice vlan yyy

but as soon as you make a call the PC is put in the un-authenticated VLAN... any ideas?

Hi,

I solved this situation by configuring a device filter on the CAM; exclude the MAC address range of your phones.

Regards,

jagan_240
Level 1

I have the same issue but with a different problem. Can you tell me how you configured the switch port? I have an Alcatel 4028 IP phone. The configuration on the switch is:

switchport access vlan 10 --> NAC vlan

switchport voice vlan 20

If I configure a trunk on the switch, do I need to configure a trunk on the IP phone as well?

Hi,

I configured the port like this:

switchport access vlan 10 --> NAC vlan

switchport voice vlan 20

And I excluded all the IP phones using a filter in the CAM; the NAC VLAN is the only one that changes during authentication, etc.; the voice VLAN remains the same.

Alfonso,

I did the same, but the IP phones are not working. After that I changed the VLAN settings in the IP phone as shown below:

PC--->IP Phone--->switch

Here the interface which leads to the PC from the IP phone is manually configured for VLAN 10 (Voice VLAN). After this, NAC started to give issues. I am coming back to my question: did you make any changes to the IP phone settings? If not, can anyone provide a solution for the same?

regards,

Hi,

I didn't change anything on the IP phones; I just did the filter for the IP phones in the CAM in order to exclude them from the NAC process.

Regards,

Alfonso

What caught me out is that after you create the filter which IGNOREs IP phone MACs, you have to tick the box...

OOB Management > Profiles > Port > Change VLAN according to global device filter list (device must be in list).

in order for it to actually work!

good luck,

Nick
