topic Re: Cisco ISE PC behind the phone issue in Network Access Control

Cisco ISE PC behind the phone issue

Ditter — Wed, 31 Oct 2018 14:02:58 GMT

Dear All,

i am facing the following issue:

I have a cisco 7841 ip phone and i am using its switch in order to connect the user PC behind the phone.

I need to execute MAB (not 802.1x) through ISE but only for the phone and not for the PC (i need PC to be freely connect to the DHCP VLAN).

So i thought if i use the switch command : authentication host-mode multi-host then the phone could get authorized through ISE & MAB and then the PC could connect without the need to pass the authentication/authorization process).

When i have the command authentication host-mode multi-domain then the phone gets authorized from ISE but the PC does not get authorized ( i suppose that it has to do with ISE configuration) but the problem is that as i mentioned i prefer this PC to be connected without passing any mab process.

Any ideas how to do this?

The switch config is as follows:

interface GigabitEthernet4/23
switchport access vlan XXX <--- DHCP VLAN
switchport mode access
switchport voice vlan VVV <-- Voice VLAN
no logging event link-status
authentication host-mode multi-domain
authentication order mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
end

Thank you ,

Ditter.

Re: Cisco ISE PC behind the phone issue

Tmsna — Wed, 31 Oct 2018 14:05:18 GMT

Hi Ditter,

I think that once you configure a port to authenticate the endpoints, there is no way to authenticate just the phone and not the PC.

But I'm ready to be corrected if I'm wrong.

Regards,

Tmsna

Re: Cisco ISE PC behind the phone issue

pan — Wed, 31 Oct 2018 17:02:10 GMT

Following is the explanation of the multi-host and multi-domain:

multi-host allows multiple mac addresses in DATA domain. Only first one is authenticated.

multi-domain allows Only 1 mac address in DATA domain and only 1 mac address in VOICE domain.

What is happening when you use multi-host?

Re: Cisco ISE PC behind the phone issue

Ditter — Wed, 31 Oct 2018 20:59:06 GMT

Thanks for your answer.

As i look it now i also think the same as you.

What i did a little while ago (after having posted this thread) in order to have the PC also authenticate through MAB was to let the PC to be authorized by the last rule in the authorization tree which is permit access. So now the phone is authorized by MAB and the PC behind the phone is authorized by the default permit.

Re: Cisco ISE PC behind the phone issue

Ditter — Wed, 31 Oct 2018 21:13:06 GMT

Hi Pan, as mentioned above i finally made it to work with MDA but now both devices are authorized with MAB (as mentioned in the beginning of my email , i wanted only the phone to authorize via MAB and not the PC). Now by passing the default permit access i can have also the PC authorized by using MDA on the port.

What i can not understand is how the switch behaves when a port is in MDA mode? How the switch understands that a client is voip phone? By CDP?

Thanks.

Re: Cisco ISE PC behind the phone issue

Ditter — Thu, 01 Nov 2018 09:44:37 GMT

Hi to all,

it seems that the best way of ensuring everything works is by using multi-auth instead of MDA just because of the fact that a vm running on the PC will shutdown the port!

What is your opinion? What we lose if we use multi-auth instead of MDA for a Phone and a PC behind the phone?

Ditter.

Re: Cisco ISE PC behind the phone issue

hslai — Thu, 01 Nov 2018 16:10:15 GMT

Yeah, I agree with you.

Cisco IOS platforms added multi-auth to support more flexibility. MDA is good if strictly enforcing one voice and one data endpoints.

Re: Cisco ISE PC behind the phone issue

howon — Thu, 01 Nov 2018 21:42:21 GMT

Multi-Auth includes all features of MDA plus allows multiple data MAC addresses to connect. For MDA if you want to prevent interface from disabling you can use 'authentication violation' interface command. Default is shutdown and difference between protect and restrict is whether event is logged or not. Restrict will log and alert the event when violation occurs while protect does not, however behavior is the same between the two in terms of access.

3560CX(config-if)#authentication violation ?
protect Protect the port
replace Replace the existing session
restrict Restrict the port
shutdown SHUTDOWN the port

Re: Cisco ISE PC behind the phone issue

Ditter — Fri, 02 Nov 2018 08:25:41 GMT

Hi Howon,

thank you for your answer.

What confuses me is the following:
Suppose that my switch configuration is as follows:

As you can see the port configuration is ready to accept the voice and data devices.

The confusing thing for me is the following:

In ISE there is the option (in Common Tasks section) to define in an authorization profile the two following option:

1.Vlan

2. Voice Domain Permission

Re: Cisco ISE PC behind the phone issue

Cory Peterson — Fri, 02 Nov 2018 11:57:24 GMT

The Voice Domain option authorizes the device to use the voice domain(vlan) that is set on the port.

The VLAN Setting dynamically sets the Data VLAN on the port.

The two options should not be used in the same authorization profile. The VLAN setting should only be used it you want to change the VLAN from what is configured on the port.

Re: Cisco ISE PC behind the phone issue

Ditter — Fri, 02 Nov 2018 14:21:55 GMT

Thank you Cory,

so that means that even if a port is configured with voice vlan , the phone will not be able to use it unless in the authorization profile the VOICE DOMAIN PERMISSION is checked.

I can confirm that , i tested and works the way you described.

I can also confirm that if VLAN and VOICE DOMAIN PERMISSION are both checked in the same authorization profile the data vlan does not seem to change as you also describe. Any idea why is this happening? Why i am not able to do both changes in the same authorization profile?

Thanks,

Ditter.

Re: Cisco ISE PC behind the phone issue

howon — Fri, 02 Nov 2018 17:01:00 GMT

As Cory described voice domain permission allows access to the voice VLAN configured on the switch. When you send down VLAN ID along with the voice domain permission, the switch will dynamically assign voice VLAN for the phone. For older IOS versions (My guess is anything lower than 15.1), this was not the case and assigning both voice vlan permission and VLAN ID would not work on the switch and end up with authorization failure if I recall.

Reading through the notes, it sounds like you are trying to assign permission for the PC behind the phone based on the phone's authentication. This is not possible as authorization profile is applied to the session (Or specific MAC address depending on how you look at it) not to the whole interface. In other words, the set of settings you defined on the phone authorization profile only applies to the phone's session/MAC. The PC has to be assigned its own authorization profile independent of phone's authorization profile by going through authentication on its own.

Now, I technology aside, I do not understand the use case here to permit data access based on phone, but if you share the business requirement, there may be better ways to meet the requirement.

Re: Cisco ISE PC behind the phone issue

Ditter — Thu, 08 Nov 2018 13:54:18 GMT

Hi Howon, sorry for the delay in updating the thread...

My initial intention was the PC to connect to the network without having to pass through a new authorization process. I understood that it was not possible.

I did some tests with a switch running 15.0.2 and i can send in an attached voip phone both Voice Domain parmition as well as change the vlanid where it belongs. Both actions can occur in the same autorization profile.

In another auth profile (only for data this time) i authorize attached PCs connected to the switch port of the voip phone and in this second authorization profile i can also assign dynamically a vlan.

Thank you all for your contributions.

Ditter.