topic ip phone and pc VLAN security issue - ISE 1.0 in Network Access Control

ip phone and pc VLAN security issue - ISE 1.0

cbecerrayr — Mon, 11 Mar 2019 02:07:34 GMT

Hello there.

We are about to implement IP phones to our current network and during testing I have found 2 issues.

1- ip phone connects to a protected port using ISE mab authentication for the data network.

The voice VLAN is set up static on the port. The pc VLAN is given by ISE profiling.

Then the issue is that once the pc connects to the VLAN it belongs to from the ip phone it leaves open that vlan on that port which means that if I connect another pc it will get the original VLAN the port had open up the connection with. This is a big security issue as computers that should not be allowed on specific VLAN can access them this way.

2- once the connection is up and running on the port for both the phone and the pc, there is re-authentication Happening every minute to ISE. The Authentication logs are getting so many messages for just one port. So once we convert from 2 ip phones to 500, that is definitely going to generate a lot of unnecessary traffic.

Let me know your thoughts...thanks

Port config info....below

interface GigabitEthernet0/2

description Extra port by Camilos Desk

switchport mode access

switchport voice vlan 220

srr-queue bandwidth share 1 30 35 5

priority-queue out

authentication event fail action next-method

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication open

authentication order mab dot1x

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

mab

mls qos trust cos

snmp trap mac-notification change added

auto qos trust

spanning-tree portfast

end

ip phone and pc VLAN security issue - ISE 1.0

Philip Vilhelmsson — Mon, 10 Jun 2013 12:58:01 GMT

Hi Camilo,

Did you find a solution to your problems?

I am looking at doing the same implementation as you.

//Philip

ip phone and pc VLAN security issue - ISE 1.0

cbecerrayr — Mon, 10 Jun 2013 13:20:10 GMT

On # 1

You have the make sure that

"authentication host-mode multi-domain" command is under each port

This will allow one voice vlan and only one PC vlan at any given time. If you disconnect a PC and connect onother PC mac address to it, the phone will reinitialize to accept or reject the new mac based on its profile.

On #2

I have not found a solution. But what I have found after deployment is that it has happend only on 2 VOIP phones, out of 70 that we have as of now. So it might to be related to ISE.

On the other hand we are not using Cisco phones but mitel. So this might be a whole issueon itself.

Hope this helps.