topic Re: CIsco ISE and dynamic Voice Vlan assigment in Network Access Control

CIsco ISE and dynamic Voice Vlan assigment

swenska — Sat, 09 Mar 2019 03:13:11 GMT

Hello everybody,

we have a ISE deployment with Cisco Catalyst 3560, 3750, 3650 Switches. We use Unify, Avaya and Alcatel Phones and want to seperate them in different voice vlans.

So our idea was to push the voice vlan on to the access ports. Is there are a way to push different voice vlans to the ports?

Our current port config looks like that:

network-policy 713
switchport mode access
ip device tracking maximum 10
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 8
no lldp med-tlv-select power-management
spanning-tree portfast

network-policy profile 713
voice vlan 13

The ISE is pushing a Authz Result with Voice Permission and a Vlan ID.

The authentication on the switch itself false

MAC Address: aabb.ccdd.eeff
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: mschap-username
Status: Unauthorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 0A1BF1E200000101B6B357DF
Acct Session ID: Unknown
Handle: 0x1D00009C
Current Policy: POLICY_INTERFACE

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
Method State

dot1x Authc Success

and the following event is logged:

Feb 21 11:42:06: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client

Any ideas or suggestions?

Thanky you for your help

Regards

Sven

Re: CIsco ISE and dynamic Voice Vlan assigment

Mohammed al Baqari — Thu, 21 Feb 2019 12:39:26 GMT

Hi, ISE doesn't override voice vlan. It allows the use of voice vlan using
voice domain feature.

Re: CIsco ISE and dynamic Voice Vlan assigment

swenska — Thu, 21 Feb 2019 12:55:56 GMT

Hi Mohammed,

sorry for the misunderstanding. I am aware of the "Voice Permission" parameter.

I need to push the endpoint to the voice domain AND what to push a dynmaic voice vlan id.

Thank you for your help

Regards

Sven

Re: CIsco ISE and dynamic Voice Vlan assigment

howon — Fri, 22 Feb 2019 16:05:46 GMT

Yes, should work but if I recall you need to have the following:

- Default voice VLAN configured on the interface: run 'switchport voice vlan XXX' to assign a default voice VLAN

- Send voice domain permission (Which I believe you are already doing)

- Change the host-mode to multi-domain

- Since using 3rd party phone enable LLDP: Using DHCP to provide voice VLAN ID will be tricky since you have different vendor phones connecting, so will need to use LLDP to share voice VLAN from the switch to the phones

I believe all of the Catalyst models you mentioned should be able to support it, but suggest testing all three independently in case one of the model may not.

Re: CIsco ISE and dynamic Voice Vlan assigment

samuel.heinrich — Sun, 19 Jan 2020 12:24:22 GMT

I think i run into the same issue.

the default port config on the switches look like this

switchport access vlan yyy

switchport mode access

switchport vocie vlan xxx

for voice devices which support vlan discovery via lldp/cdp it works fine to push the "Voice Permission" via ISE.

Unfortunatelly we also have voice devices on the same switches, which need the voice vlan natively (switchport access vlan xxx).

the problem is, that the switch can not apply the access vlan xxx, as long as it has the voice vlan xxx hardcoded on the switchport.

so the idea here was to have the default switchport config look like this

switchport access vlan yyy

switchport mode access

and assign the voice vlan dynamically either with "voice permission" or "natively". but since there is no attribute to push voice vlan ID within the Voice domain, i guess i'll have to move those voice clients to a different vlan.