NAC with Cisco 7940 IP phones

Jul 19th, 2010

I have read through this forum for a few hours now trying to get a handle on how to properly configure a Cisco 3310 NAC appliance in an environment in which each end-user PC connects to the network through their Cisco 7940 IP phone.


From what I have gathered, you can configure the NAC appliance to ignore the phones based on their MAC address, which will cause the PCs to have to authenticate properly. Is that correct, or is there a different/better way of accomplishing this?


Also, I seem to have read conflicting information on In-Band vs. Out-Of-Band configurations for this type of architecture (PC->phone->switch). Am I able to use Out-Of-Band, or am I limited to only an In-Band configuration?


Thank you for any help.

Lauren Sullivan Mon, 07/19/2010 - 14:02

There should be no problem in in-band with PCs behind phones.


The problem comes in with OOB situations where the switch is sending SNMP traps to the CAM every time a new MAC address is discovered on a switch port.  So, the switch would send a trap to the CAM for both the PC MAC and the phone MAC.  Depending on your configuration (if you have the settings checked to allow only one MAC address per port, and to reset the VLAN on that port if more than one MAC is detected), the CAM would now think that there are two devices connected to the port that need to be authenticated.  Since the phone will never be able to authenticate via Clean Access, this usually means that users will end up in a login loop (login successfully, then CAM gets a trap from the phone, and resets the port to unauth VLAN).  What you can do to fix this is put all the phones in the ignore filter and set the port profile to respect the filters.  This way, the switch still sends the traps, but the CAM knows to ignore traps from those MAC addresses and so will only switch the port based on the user MAC addresses.  Clear as mud?
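
The login loop described in the reply above, and the way the ignore filter breaks it, can be seen in a small simulation. This is an added toy model, not code from the thread or from Cisco NAC; the MAC addresses, VLAN numbers, class names and the "phone first, then PC" trap ordering after a VLAN change are all constructed assumptions chosen to reproduce the behaviour the reply describes.

```python
from dataclasses import dataclass, field

# Constructed sample values for the toy model; nothing here comes from the thread.
PHONE_MAC = "00:1a:a1:00:00:01"   # hypothetical IP phone MAC
PC_MAC = "00:50:56:aa:bb:cc"      # hypothetical PC MAC
UNAUTH_VLAN = 10                  # the "unauth VLAN" of the reply
ACCESS_VLAN = 100                 # VLAN the port gets after a successful login


@dataclass
class PortProfile:
    """The three CAM port-profile settings the reply mentions (field names are ours)."""
    one_mac_per_port: bool = True          # allow only one MAC address per port
    reset_vlan_on_extra_mac: bool = True   # reset the VLAN if more than one MAC is seen
    respect_filters: bool = False          # honour the device (ignore) filter list


@dataclass
class Cam:
    """Minimal model of the Clean Access Manager tracking a single switch port."""
    profile: PortProfile
    ignore_filter: set = field(default_factory=set)
    port_vlan: int = UNAUTH_VLAN
    macs_on_port: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle_trap(self, mac):
        """Process one MAC-notification SNMP trap from the switch for this port."""
        mac = mac.lower()
        if self.profile.respect_filters and mac in self.ignore_filter:
            self.log.append(f"trap {mac}: in ignore filter, dropped")
            return
        self.macs_on_port.add(mac)
        if (self.profile.one_mac_per_port
                and self.profile.reset_vlan_on_extra_mac
                and len(self.macs_on_port) > 1
                and self.port_vlan != UNAUTH_VLAN):
            # A second, unauthenticated device appeared on an authenticated port.
            self.port_vlan = UNAUTH_VLAN
            self.log.append(f"trap {mac}: second MAC on port, reset to VLAN {UNAUTH_VLAN}")
        else:
            self.log.append(f"trap {mac}: noted, port stays in VLAN {self.port_vlan}")

    def user_login(self, mac):
        """Successful Clean Access login for mac: the port moves to the access VLAN."""
        self.port_vlan = ACCESS_VLAN
        self.macs_on_port = {mac.lower()}   # the CAM now tracks the authenticated host
        self.log.append(f"login {mac}: port switched to VLAN {ACCESS_VLAN}")


def switch_vlan_change(cam):
    """Toy switch: after a VLAN change the port re-learns both MACs (phone first)
    and sends a trap for each. The ordering is an assumption of this model."""
    for mac in (PHONE_MAC, PC_MAC):
        cam.handle_trap(mac)


def simulate(ignore_phone, rounds=3):
    """Run up to `rounds` login attempts; report the final VLAN and how many
    times the CAM reset the port back to the unauth VLAN."""
    profile = PortProfile(respect_filters=ignore_phone)
    cam = Cam(profile, ignore_filter={PHONE_MAC.lower()} if ignore_phone else set())
    # Port comes up in the unauth VLAN; the switch learns the phone, then the PC.
    cam.handle_trap(PHONE_MAC)
    cam.handle_trap(PC_MAC)
    resets = 0
    for _ in range(rounds):
        if cam.port_vlan == UNAUTH_VLAN:
            cam.user_login(PC_MAC)
            switch_vlan_change(cam)
            if cam.port_vlan == UNAUTH_VLAN:
                resets += 1
    return {"final_vlan": cam.port_vlan, "resets": resets, "log": cam.log}


if __name__ == "__main__":
    for ignore in (False, True):
        result = simulate(ignore)
        print(f"\nignore filter + respect filters: {ignore}")
        print("\n".join(result["log"]))
        print(f"final VLAN {result['final_vlan']}, resets {result['resets']}")
```

Without the filter, every successful login is followed by a phone trap that the CAM counts as a second device, so the port drops back to the unauth VLAN each round. With the phone MAC in the ignore filter and the profile set to respect filters, the phone trap is dropped and only the PC's MAC drives the port's VLAN.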

matthewjwilson Tue, 07/20/2010 - 06:23

No, that makes perfect sense. Thanks for clearing that up.


So it is entirely possible to run OOB with the PCs connecting through the phones, assuming you add each phone's MAC address to the ignore filter, correct?


I'm a little concerned with running IB just because that would mean that there would be a new bottleneck in the network if the NAC appliance couldn't process all of the traffic being sent to it. I want to use OOB if possible based on what I have read about the differences between it and IB. My initial thought is to set up the Clean Access Server in an OOB Virtual Gateway operating mode.


From what you know of how the NAC appliances work, would the OOB Virtual Gateway seem like a reasonable choice? I'm still in the planning stages, but I want to make sure I'm not way off in left field.

Lauren Sullivan Wed, 07/21/2010 - 05:49

Yup, for OOB behind IP phones, the ignore filter is pretty much all you have to do.  You'll also want to make sure the port profile is set to not bounce the port when it switches VLANs.


Depending on your topology, OOB VG should work fine; if IB VG will work in your setup, OOB VG will also work, most likely.
