topic Voice VLAN Dynamic Assignment in Network Access Control

Voice VLAN Dynamic Assignment

sholley — Tue, 28 Jun 2016 01:22:55 GMT

We have a situation where when ISE does a dynamic VLAN assignment for the voice VLAN, the voice device doe snot auth like it should. From what we can tell ISE is doing it's job. Auth logs on ISE show the phone being properly identified and assigned the VLAN/DACL/VOICE domain as expected. RADIUS debug on the switch confirms that the switch is getting the correct VLAN, but the switch appears not to apply it properly.

The switches that we are using are 2960S & 2960X switches with at the 15.2.2.e4 as the code level. Per the documentation you need to be at least at version 15.2.2.e3 to support ISE. We see this behavior on both models of 2960's.

We have tried the following:

- No voice VLAN defined: this resulted in the auth session being put in
the voice domain, but not applying the vlan that ISE assigned and the
status was "Unauth" rather than the usual "Auth" status.

- Voice VLAN defined as quarantine VLAN: same result as above

- Voice VLAN defined as usual/correct VLAN for the switch: works
great. But we're trying to avoid having to manually specify the voice
VLAN on all switch ports.

- Removed voice domain from the ISE authorization policy. This,
surprisingly, worked-- kinda. The switch used the VLAN specified by ISE
for the phone's auth session, but in the data domain. But this won't
play nice with "multi-domain" authorization-- since the phone and the
workstation behind it are both put in the "data" domain, only one of
them will function at a time.

Looking over documentation and others trials and tribulations, this should work with the voice domain checked from the ISE authentication policy, The phone never gets authed, but on the data side all appears to work as expected.

Has anyone had this work as expected with the data & voice both being dynamically assigned.

Thanks,

Sam

Re: Voice VLAN Dynamic Assignment

Craig Hyps — Tue, 28 Jun 2016 02:53:30 GMT

Make sure port is configured for MDA (authentication host-mode multi-domain) and not multi-auth. Also, be sure to still send Voice VLAN permission in authorization. You may need to also set some default Voice VLAN on port, but you can verify in testing.

Also, a point of clarification...

IOS 15.2(2)E4 is not the minimum required IOS version, but the minimum recommended version.

/Craig

Re: Voice VLAN Dynamic Assignment

sholley — Tue, 28 Jun 2016 03:03:22 GMT

Yes, we have MDA and not multi-auth set on the port and we are sending the voice VLAN permission in the authorization. We have also tried with and without a default voice vlan set on the port, and still see the same result.

Sam

Re: Voice VLAN Dynamic Assignment

Craig Hyps — Tue, 28 Jun 2016 03:49:14 GMT

Recommendation would be to open a TAC case. It does not sound like an ISE issue, but behavior specific to switch model/version.

Re: Voice VLAN Dynamic Assignment

thomas — Tue, 28 Jun 2016 06:38:59 GMT

Per Craig's comment about recommended switch version... ignore the ISE Compatibility Guides' recommended switch IOS version at your own peril. If it doesn't work and it's not an ISE-recommended version, it's probably a switch bug.

Re: Voice VLAN Dynamic Assignment

vibobrov — Tue, 28 Jun 2016 17:54:41 GMT

I don't think this is possible. Network devices don't take voice vlan assignment via RADIUS. Voice VLAN has to be configured statically on the switch. You can try to use auto smart ports to set the voice vlan: Auto Smartport with Custom Trigger Configuration Example - Cisco.

The phone may take extra time to register in that case because it would have to wait for a CDP update and then re-ip on a new voice vlan.

Re: Voice VLAN Dynamic Assignment

Craig Hyps — Tue, 28 Jun 2016 19:13:36 GMT

Viktor,

Dynamic Voice VLAN as the name implies is the ability to set Voice VLAN from AAA server. For more info, can review Catalyst IOS Configuration Guides, or nice session here from Shelly Cadora in 2012 at Cisco Live: Advanced IEEE 802.1X (2012 San Diego)

Regards,

Craig