05-17-2009 02:27 PM - edited 02-21-2020 03:27 AM
Hi to all,
I have this situation: my customer is using Alcatel IP phones for his IP telephony, and I already configured a Device Filter list with the MAC of the phone so the NAS can ignore its MAC, and also enabled the "Change VLAN according to device filter list" option in the port profile, but as soon as the user logs into the network the port changes to the authentication VLAN again and the user is out of the network.
What I've noticed is that when the NAM takes control of the switch via SNMP, the MAC addresses that are learned from the port that is connected to the IP phone are coming up and down many times. I mean, when I perform the command show mac-address-table int f0/1, sometimes the MACs are there and sometimes not, and I think the switch is sending this trap to the NAM and that's why the VLAN goes back to the authentication VLAN.
I thought that could be an SNMP issue and I upgraded the IOS in the switch and also tried with a different one, but it is the same situation.
Is there something else that I have to do to have NAC working with users connected to IP phones?
Thanks in advance for your help.
05-22-2009 12:23 PM
With Cisco NAC Appliance Out-of-Band deployment, the Clean Access Server (CAS) is inline with user traffic only during the process of authentication, assessment and remediation. Following that, user traffic does not pass through the CAS. In OOB deployment, the Clean Access Manager (CAM) uses SNMP to control switches and set VLAN assignments for ports.
05-23-2009 09:41 AM
Hi Alfonso,
Have had an opportunity to check the chalktalk presentation on CCO for NAC/IP Phone implementation. It covers the routine for this type of deployment very well.
In short, with Cisco IP phones, you use the Data and Voice VLAN commands on the port connected to the IP phone. This is an update to the older configurations where you configured the port as a dot1q trunk.
For other than Cisco IP phones (Alcatel), you have to configure the port as a trunk. NAC will see the native VLAN as the data VLAN, and change it when doing the OOB switch to the Auth/Access VLAN, leaving your "voice" VLAN alone.
Also, be sure you do not have port bouncing configured for the controlled switch port profile.
Cheers,
Greg
10-09-2009 03:37 AM
Hi There,
I have the same issue (only 1 MAC in switch, lots of SNMP writes from CAM) but with Cisco Phones.
The access switch has ...
switchport access vlan xxx
switchport voice vlan yyy
but as soon as you make a call the PC is put in the un-authenticated VLAN... any ideas?
10-09-2009 01:04 PM
Hi,
I solved this situation by configuring a device filter on the CAM; exclude the MAC address range of your phones.
Regards,
10-10-2009 09:29 AM
I have the same issue but with a different problem. Can you tell me how you configured the switch port? I have an Alcatel 4028 IP Phone. The configuration in the switch is:
switchport access vlan 10 --> NAC vlan
switchport voice vlan 20
If I configure a trunk on the switch, do I need to configure a trunk on the IP Phone as well?
10-12-2009 06:49 AM
Hi,
I configured the port like this:
switchport access vlan 10 --> NAC vlan
switchport voice vlan 20
And I excluded all the IP phones using a filter in the CAM. The NAC VLAN is the only one that changes during authentication, etc.; the voice VLAN remains the same.
10-12-2009 09:40 AM
Alfonso,
I did the same, but the IP Phones are not working. After that I changed the VLAN settings in the IP Phone as shown below:
PC--->IP Phone--->switch
Here the interface which leads to the PC from the IP Phone is manually configured for VLAN 10 (Voice VLAN). After this, NAC started to give issues. I am coming back to my question: did you make any changes to the IP Phone settings? If not, can anyone provide a solution for the same?
Regards,
10-12-2009 09:47 AM
Hi,
I didn't change anything on the IP phones, just did the filter for the IP phones in the CAM in order to exclude them from the NAC process.
Regards,
Alfonso
10-15-2009 01:01 AM
What caught me out is that after you create the Filter which IGNOREs IP phone MACs, you have to tick the box...
OOB Management > Profiles > Port > Change VLAN according to global device filter list (device must be in list).
...in order for it to actually work!
Good luck,
Nick