topic Re: Double dynamic vlan assignement on interface ISE MAB in Network Access Control

Double dynamic vlan assignement on interface ISE MAB

Louey — Wed, 05 Apr 2023 09:18:50 GMT

Hello

We are implementing mab for our IP-Phones.

I made an authorization policy to assign a dynamic vlan to them once authenticated. The authencation passed and authorization policy matched but in addition to the dynamic vlan, they are getting the default vlan 1 also as shown below :

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 70ca.9b9f.2a42 STATIC Gi1/0/33
1022 70ca.9b9f.2a42 STATIC Gi1/0/33

This make the phones not getting an IP in the designed vlan and not getting reachable.

Any helps for that please ?

Regards

Re: Double dynamic vlan assignement on interface ISE MAB

Mark Elsen — Wed, 05 Apr 2023 10:53:10 GMT

- Check ISE (live) logs for the particular authentication(s) and observe if the policy works as intended or not (to start with) ,

Re: Double dynamic vlan assignement on interface ISE MAB

Louey — Wed, 05 Apr 2023 11:26:57 GMT

It is matching the right authentication policy and authentication is passed. Even the authZ policy is okay it is just that the phone is not getting an ip address on the configured dynamic voice vlan. the dynamic vlan is 1022 (which is a voice vlan) and I checked also "voice domain permission" on hte AuthZ policy.

The phone is not reachable as getting the wrong IP or no IP at all, and two vlans appear on the switchport.

Re: Double dynamic vlan assignement on interface ISE MAB

Mark Elsen — Wed, 05 Apr 2023 11:37:42 GMT

- Check interface configuration according to : https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-config-mab.html (and or review the examples)

Re: Double dynamic vlan assignement on interface ISE MAB

thomas — Sat, 08 Apr 2023 22:14:42 GMT

You have not shared any switch configurations so it is impossible to know what you may or may not be doing wrong with your VLAN or more likely your 802.1X/MAB switchport authentications. We have best practice configurations documented in the including details for the phones.

Please see to provide enough details to help us help you with troubleshooting.

Re: Double dynamic vlan assignement on interface ISE MAB

Louey — Tue, 11 Apr 2023 08:57:35 GMT

Here is the switchport configuration :

switchport mode access
device-tracking attach-policy IPDT_POLICY
ip flow monitor dnacmonitor input
ip flow monitor dnacmonitor output
load-interval 30
access-session inherit disable interface-template-sticky
access-session inherit disable autoconf
dot1x timeout tx-period 7
dot1x max-reauth-req 3
no macro auto processing

dot1x pae authenticator
dot1x timeout supp-timeout 7
dot1x max-req 3
switchport mode access
switchport voice vlan 2046
mab
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

spanning-tree portfast
spanning-tree bpduguard enable
service-policy input DNA-MARKING_IN
service-policy output DNA-dscp#APIC_QOS_Q_OUT
ip nbar protocol-discovery

The dynamic vlan is the 1022 (voice vlan) with a DHCP server pool.

the 2046 vlan is a voice vlan included in the cisco Closed wired authentication template on the port with no IP pool.

As my understanding, the Phone is not able to have an IP from the voice vlan IP pool, so it is put in the vlan 1 (default) and the voice vlan, but as there is no pool associated it does not get any IP. When I add a data vlan on the switchport with a dhcp IP pool, the Phone gets an IP address on this vlan and is working.

Here is the mac table for the phone port :

Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0004.f271.7a12 STATIC Gi1/0/14
1022 0004.f271.7a12 STATIC Gi1/0/14

Re: Double dynamic vlan assignement on interface ISE MAB

Nancy Saini — Tue, 11 Apr 2023 17:50:22 GMT

Can you try "access-session host-mode multi-auth" because a voice device first gets learnt in data VLAN and then moves to voice VLAN so to allow both voice and data VLAN use host-mode multi-auth.

Reference : https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-mt/sec-user-8021x-15-mt-book/sec-ieee-802x-multi-auth.html

Hope this helps.

Re: Double dynamic vlan assignement on interface ISE MAB

Octavian Szolga — Thu, 13 Apr 2023 15:00:41 GMT

Hi,

I belive you have a 'standard' IP Phone. This means you need a voice VLAN on switch port + your phone sends its own traffic tagged.
When you authenticate your phone, ISE has to return voice VLAN permissions (voice vlan in the authorization profile) so that your phone can belong to the voice domain. If this does not happen, you phone will not work.

You cannot combine dynamic vlan assignment with voice vlan permissions. What I'm trying to tell you is that even though you're pushing VLAN 1022 to your switch, that VLAN is a data VLAN from your switch's perspective, not a voice VLAN and the tagged traffic your phone is sending to the switch is dropped.

Please check this similar post:

Dynamic voice VLAN assignment when different phone systems are in play - Cisco Community

Like Arne Bier mentioned, you can combine voice domain permissions with an interface templace.

As an alternative you can use a macro locally defined on the switch and refer to that in your authorization profile.

In the end, you get the same result.

BR,

Octavian