topic Issues with telepresence devices on ISE in Network Access Control

Issues with telepresence devices on ISE

Chape — Thu, 04 Oct 2018 18:55:00 GMT

My Intouch G2 is set up for profiling in ISE via CDP and OUI conditions.

This profiling policy is part of a logical group, "allowed Telecom"

The logical grouping, "allowed telecom" for these devices are in a MAB policy set, and receives an authorization profile putting it in the same vlan the voice vlan the port is already assigned.

In the ISE console, when i look at the endpoint, it states that authorization was successful. Stating that it received this authorization policy and was given an IP in this VLAN. However when i look on the device, which is configured for autoconfig, it states it received an incorrect network config, which shows as empty.

Any thoughts on what the issue may be?

switchport config pre ise
switchport mode access
switchport voice vlan 42
mls qos trust dscp
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input VOICE_POLICY

switchport config post ise
switchport mode access
switchport voice vlan 42
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input VOICE_POLICY

Re: Issues with telepresence devices on ISE

paul — Thu, 04 Oct 2018 20:12:57 GMT

You can't assign the port to the same VLAN as the voice VLAN. That is probably what the switch is complaining about. Why can't the Telepresence device use the voice vlan assigned on the port?

Re: Issues with telepresence devices on ISE

Francesco Molino — Fri, 05 Oct 2018 03:48:56 GMT

Hi

Can you share please the authorization profu your pushing and the authorization log from ise?

Re: Issues with telepresence devices on ISE

Chape — Fri, 05 Oct 2018 12:13:09 GMT

Paul,

The cisco phones are running with this same port config and same auth profile and they work perfectly. I never said the switch is complaining about anything. I'm giving it the same vlan it already has. eventually ill throw a different base vlan across all ports with limited access then allow ise to assign the appropriate vlan

Re: Issues with telepresence devices on ISE

Chape — Fri, 05 Oct 2018 12:43:25 GMT

Authorization Profile - "Cisco IP Phones"

Vlan 42 (which is set as an access vlan currently on the switchport as well)

DACL - "PERMIT_ALL_TRAFFIC" (literally just permit ip any any)

VOICE Domain Permissions

For authorization log are you referring to the steps in the authentication detail or something else? This again shows it is successful. Right now This authorization policy is in the same policy set as a few other test things so theres some needless user lookups. Would the extended machine authorization cause some kind of timeout? Or you think it might be something else?

11001Received RADIUS Access-Request

11017RADIUS created a new session

11027Detected Host Lookup UseCase (Service-Type = Call Check (10))

15049Evaluating Policy Group

15008Evaluating Service Selection Policy

15048Queried PIP - DEVICE.Device Type

15048Queried PIP - Normalised Radius.RadiusFlowType

15041Evaluating Identity Policy

22072Selected identity source sequence - All_User_ID_Stores

15013Selected Identity Source - Internal Users

24210Looking up User in Internal Users IDStore - 00:62:EC:8D:80:E5

24216The user is not found in the internal users identity store

15013Selected Identity Source - All_AD_Join_Points

24432Looking up user in Active Directory - All_AD_Join_Points

24325Resolving identity - 00-62-EC-8D-80-E5

24313Search for matching accounts at join point - DOMAIN.com

24318No matching account found in forest - DOMAIN.com

24322Identity resolution detected no matching account

24352Identity resolution failed - ERROR_NO_SUCH_USER

24412User not found in Active Directory - All_AD_Join_Points

15013Selected Identity Source - Guest Users

24631Looking up User in Internal Guests IDStore

24633The user is not found in the internal guests identity store

15013Selected Identity Source - DOMAINAD

24432Looking up user in Active Directory - DOMAINAD

24325Resolving identity - 00-62-EC-8D-80-E5

24313Search for matching accounts at join point - DOMAIN.com

24318 No matching account found in forest - Domain.com

24322Identity resolution detected no matching account

24352Identity resolution failed - ERROR_NO_SUCH_USER

24412User not found in Active Directory - DOMAINAD

15013Selected Identity Source - Internal Endpoints

24209Looking up Endpoint in Internal Endpoints IDStore - 00:62:EC:8D:80:E5

24211Found Endpoint in Internal Endpoints IDStore

22037Authentication Passed

24715ISE has not confirmed locally previous successful machine authentication for user in Active Directory

15036Evaluating Authorization Policy

24432Looking up user in Active Directory - DOMAINAD

24325Resolving identity - 00-62-EC-8D-80-E5

24313Search for matching accounts at join point - DOMAIN.com

4318No matching account found in forest -DOMAIN.com

24322Identity resolution detected no matching account

24352Identity resolution failed - ERROR_NO_SUCH_USER

24412User not found in Active Directory - DOMAINAD

5048Queried PIP - DOMAIN.ExternalGroups

15048Queried PIP - EndPoints.LogicalProfile

15016Selected Authorization Profile - Cisco_IP_Phones

11022Added the dACL specified in the Authorization Profile

11002Returned RADIUS Access-Accept

Re: Issues with telepresence devices on ISE

Chape — Fri, 05 Oct 2018 13:32:42 GMT

So even though i typed above that was my config. It turns out the port wasn't set to voice vlan 42. it was set to access vlan 42. For some reason they configured it differently. After i switched it to voice vlan 42, it worked with ise. So maybe you were on to something. It had something to do with giving it the same vlan back but as voice instead of data.