Hi Herman, thank you for these videos. I am completely new to ClearPass. I am doing my final project using ClearPass for NAC. I need to implement VoIP to authenticate using MAB while a PC plugged into the back of the phone should join the data VLAN. Now, the IP Phone is authenticated, but whenever I plug a PC into the back, the switchport that the phone is plugged into shuts down, leaving the phone to power off. Please, what would you advise? Thanks once again.
@hermanrobers 8 months ago
That depends a bit on the switch type/brand you use and the phone. I've not seen issues before, however if your switch is configured to shut the port as soon as multiple devices are connected to the same port, that could be the issue. Many switches, by default, allow just a single authenticated device. I would check the logging of your switch to see if something can be found there, or work with your switch/network partner or vendor support for further troubleshooting.
@ajibolajosepholusegun6915 8 months ago
@hermanrobers thanks so much. I'm a student and rounding up my final project. The company that sponsors our capstone project wanted us to implement ClearPass as NAC. I can share my configuration and ClearPass profile, service and policy with you. I'll go into the lab in an hour.
@ajibolajosepholusegun6915 8 months ago
Hi Herman, below is the Cisco switch config for the interface that has the IP Phone plugged in. Switch version: WS-C3750X-48P 15.0(2)SE5 C3750E-IPBASEK9-M.

    interface GigabitEthernet1/0/40
     switchport mode access
     switchport port-security maximum 2
     authentication host-mode multi-domain
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout server-timeout 30
     dot1x timeout tx-period 10
     dot1x max-req 3
     dot1x max-reauth-req 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    end
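An added example, not part of this thread or of ClearPass: a small Python checker that parses an IOS interface stanza like the one posted above (a constructed copy, reduced to the relevant commands) and reports how many devices the port will admit and what it does with an extra one, which is the kind of check Herman suggests before digging through the switch logs. The defaults it assumes when a command is absent (host-mode single-host, authentication violation shutdown) are Cisco IOS defaults.

```python
# Constructed copy of the interface stanza posted above, one command per line.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/40
 switchport mode access
 switchport port-security maximum 2
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication port-control auto
 mab
end
"""
# Devices admitted per 'authentication host-mode' (IOS default is single-host).
HOST_MODE_CAPACITY = {"single-host": "1 device", "multi-domain": "1 data + 1 voice device",
                      "multi-host": "1 authenticated, rest ride along", "multi-auth": "1 voice + many data"}

def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("end", "!") or not line:
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def assess_port(commands):
    """Summarise admitted devices and what the port does when one more appears."""
    host_mode = "single-host"    # IOS default when the command is absent
    auth_violation = "shutdown"  # IOS default: port goes err-disabled
    psec_max = None
    for cmd in commands:
        if cmd.startswith("authentication host-mode "):
            host_mode = cmd.split()[-1]
        elif cmd.startswith("authentication violation "):
            auth_violation = cmd.split()[-1]
        elif cmd.startswith("switchport port-security maximum "):
            psec_max = int(cmd.split()[-1])
    return {
        "host_mode": host_mode,
        "admits": HOST_MODE_CAPACITY.get(host_mode, "unknown"),
        "on_extra_device": auth_violation,
        # 'maximum N' alone does not enable port security; the bare command does.
        "port_security_active": "switchport port-security" in commands,
        "port_security_maximum": psec_max,
    }
```

Run it as `assess_port(parse_interfaces(SAMPLE_CONFIG)["GigabitEthernet1/0/40"])`; for the posted stanza it reports multi-domain (one data plus one voice device) with the default shutdown action for any further device.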
@davidibrahim7809 5 years ago
Hi Herman, great video and explanation. However, I have a question. The topology you used for this video indicated that CPPM is local to the branches - Access Site 1, Site 2, and Site 3. How about an enterprise environment where CPPM is in the data center and not in the branches? How would the helper address be structured?
@hermanrobers 5 years ago
The ip helper / dhcp relay server (same thing, different name) can point to any node in a ClearPass cluster. So, if ClearPass is consolidated in the data center you can point the ip helper on the switches in your branches to the official DHCP server and in addition to one of the ClearPass nodes in your cluster. If you have ClearPass local on the branch, it makes more sense to point it local, but for functioning it does not matter where you point it to.
@davidibrahim7809 5 years ago
@hermanrobers ok great. Another great explanation. Thank you.
@davidibrahim7809 5 years ago
So I tested MAC Auth with a Cisco 7942 IP Phone but it didn't get authenticated until I removed the "Authorization:[Endpoints Repository]: Category EQUALS VoIP Phone" and used only "Authorization:[Endpoints Repository]: MAC Vendor Cisco Systems, Inc" under the Enforcement Policy. Because the phone was not originally profiled, when I checked Endpoints, all I noticed was that CPPM was able to understand the phone's MAC address as a Cisco product. Any advice on how CPPM can automatically profile Cisco IP Phones?
@seanbrand8536 7 years ago
Hi Herman, a question regarding profiling access points. Generally we would have the management of an Instant AP in the native VLAN and all Wi-Fi traffic in the necessary tagged VLANs. If we profile the access point, is it possible to put the port in a trunk, or is this even necessary anymore?
@andrewmac8109 7 years ago
Hi Herman - great video. I was curious about the HPE concept of a Voice VLAN. "VLAN 10 Voice voice" labels this VLAN as a Voice VLAN, allowing you to separate, prioritize, and authenticate voice traffic moving through your network. The config will send the VLAN as untagged, but from what I am reading about this Voice VLAN, it should be tagged. I find that I can tag the VLAN in ClearPass using the HPE RADIUS attribute HPE-Egress-VLAN-Name and placing a 1 in front of the VLAN name. It is unclear to me how to send the private group as tagged or if it is even needed.
@hermanrobers 7 years ago
Andrew, in a legacy network the voice VLAN has to be tagged because the VLAN is the only method to distinguish the traffic from the phone from the traffic from the connected device. With authentication, MAC and/or 802.1X, you can have multiple untagged VLANs on the same port for the different attached devices, so there is no reason to have the voice VLAN tagged. In fact, in most cases in legacy networks the voice VLAN is not only tagged, but also announced to the phone so it knows which VLAN to tag its traffic on. That is typically done either by LLDP/CDP or via a DHCP option, and you want to have that dynamic, as in most environments the voice VLAN is different building by building or even floor by floor. By far the easiest way, if you have deployed ClearPass/NAC/port authentication, is to get rid of the traditional tagged voice VLAN and just have it 'native' and authenticate all devices individually. Your switches should support multiple authenticated devices per switch port, which most enterprise switches do these days.
@sureshhkumar955 5 years ago
Hi Herman, what is that ip helper address? Is it the CPPM address or the DHCP IP?
@ryanyoung6199 5 years ago
The helper address in the video is the CPPM address. Just so the CPPM device will get information about the device in question.
@ryanyoung6199 5 years ago
I have a question, if you have a different device plugged into the phone that needs to be profiled, will it reboot the phone with the port reboot?
@hermanrobers 5 years ago
That depends a bit on the network device. If you trigger a port bounce, the port will be bounced for all devices. Then some switches will bounce the power to the phone as well, others don't. Some phones might restart if they see the link go down, others don't. You should really test this, and I would assume the phone is affected by a port bounce unless you test otherwise.