topic Re: Dynamic voice VLAN assignment when different phone systems are in in Network Access Control

Dynamic voice VLAN assignment when different phone systems are in play

Christopher Bell — Tue, 11 Apr 2023 18:46:24 GMT

First, understand I have no control over the different types of phones systems. This is a very large enterprise that is a child of an even larger enterprise (50K plus users). The parent organization uses a Cisco phone system while the child organization (the one I'm in) uses an NEC phone system. The child org is health care while the parent is EDU. The parent org has networks within our org that must be separated by vrf because of HIPPA. One of those scenarios is voice. Whenever the parent needs to place a voice network on one of our switches that already has our voice network on it, we have to start manually configuring ports for different voice vlans instead of just setting a default voice vlan on all the switchports. This causes all kinds of issues with automation as you can imagine.

My question is simply this, using Cisco ISE (3.0+) can I dynamically assign the voice VLAN for each port based on the type of device that's connecting (using either MAB or 802.1x). I've been trying to test this but I'm not getting anywhere.

Re: Dynamic voice VLAN assignment when different phone systems are in

Arne Bier — Tue, 11 Apr 2023 21:00:08 GMT

Hello @Christopher Bell

Let's first discuss the Cisco switch 'domain concept' - DATA and VOICE domains. Cisco switches will partition the interface and place the learned Ethernet MAC addresses in one of two 'domains' for isolation purposes (I think ... not sure why TBH).

Voice Domain:

The MAC address in the voice domain is tagged with an 802.1Q tag and sent to the phone - the phone is expected to tag its own frames with 802.1Q to communicate with the switch in the voice domain
The voice domain only allows 1 MAC address
The voice VLAN is defined statically on the switch and cannot be dynamically assigned via AAA

You can dynamically assign a VLAN with ISE, which a Cisco switch will then apply to that interface in the DATA domain. Therefore, some customers may want to operate the voice handsets in the DATA domain instead. I have seen this on Avaya handsets which in my experience have had some really odd bugs that prevented them from playing nicely with NAC. The most recent bug I saw is that LLDP on the phone didn't work. This meant that the phone would never learn its voice VLAN via LLDP. The solution was to disable 'voice permission' in ISE and then let the phone live in the DATA domain. Avaya uses DHCP options to learn the voice VLAN. The end result was that the phone's MAC address remained in the DATA domain and the frames were tagged with 802.1Q. The attached PC was sending frames as normal as untagged. This solution does work. Of course you need to use multi-auth mode on the switchport to allow more than one MAC in the data domain.

I have tried and exhausted myself trying to get dynamic voice vlan assignment - and the IOS just doesn't allow it.

Tip: You might be able to achieve this using dynamic interface templates however, those templates must be defined and exist on the switch - but if you have a few common voice VLANs, then that might be easy to achieve. ISE can authorize the endpoint and then apply an interface template name - e.g.

template arne switchport voice vlan 10

In ISE AuthZ you can return the template by name - and that will apply the commands in the template to that interface as long as the session is authorized.

Re: Dynamic voice VLAN assignment when different phone systems are in

thomas — Tue, 11 Apr 2023 21:22:36 GMT

Yes, you could do this either with profiling (Advanced License) or static group based assignment by MAC or custom endpoint attributes:

▷ User & Endpoint Custom Attributes

03:09 Endpoint Profiles, Endpoint Groups versus Custom Attributes
06:10 Defining Endpoint Custom Attributes and their Common Uses
13:51 Demo: Customize 802.1X Authorization Policy using Custom Attributes
15:20 Demo: Edit User Custom Attribute and Authenticate with Custom Attribute
16:51 Demo: Endpoint Custom Attributes
19:29 Demo: Custom Attribute Policies for IOT Endpoints
30:43 Demo: Authorize Raspberry Pi using 'Department' Custom Attribute

Re: Dynamic voice VLAN assignment when different phone systems are in

Christopher Bell — Thu, 13 Apr 2023 17:41:53 GMT

Hey Thomas, thanks for the reply. You're the first person to suggest this is even possible with IP phones. What would the switchport config look like if I had two VLANs like such:

VLAN 2 - NEC_VOICE

VLAN 3 - CISCO_VOICE

I've been trying to get this working with just the MAC addresses of the phones and a static group assignment in ISE for over a week and it fails. I'm passing the VLAN name in the Auth Profile and it matches the name on the switch. I don't believe I'm getting that far though because the switch indicates that authentication and authorization fails in the logs.

Re: Dynamic voice VLAN assignment when different phone systems are in

Christopher Bell — Thu, 13 Apr 2023 17:59:06 GMT

Hey Arne, thanks for the reply. I'm not familiar with interface templates, I'll look into those. How do you apply the interface template from ISE, what's the radius attrib that's being used?

Re: Dynamic voice VLAN assignment when different phone systems are in

Arne Bier — Thu, 13 Apr 2023 22:20:04 GMT

First, you create an Authorization Profile that is applied when ISE Authorizes a particular vendor's phone - e.g. the NEC Phone - whether you match by certificate, EAP-PEAP, MAB - doesn't matter - you apply the profile below and that will assign the interface template to the interface - the interface template option is found under Common Tasks. Make sure the name is exactly as defined on the Cisco switch:

When the phone is authorized, then this template is ADDED to the existing interface config. That should hopefully assign the correct voice VLAN and put the MAC in the voice domain.

On the switch define the VLAN - e.g.

vlan 123 name NEC_VOICE

Then define the template

template interface NEC_PHONE_VLAN switchport voice vlan name NEC_VOICE

Using VLAN names instead of IDs allows you to repeat the template across multiple switches - all you need to alter (if at all) is the VLAN ID on each switch - e.g. "vlan 124 / name NEC_VOICE" etc.

Re: Dynamic voice VLAN assignment when different phone systems are in

Arne Bier — Thu, 13 Apr 2023 22:23:57 GMT

@Christopher Bell wrote:

Hey Thomas, thanks for the reply. You're the first person to suggest this is even possible with IP phones. What would the switchport config look like if I had two VLANs like such:

VLAN 2 - NEC_VOICE

VLAN 3 - CISCO_VOICE

I've been trying to get this working with just the MAC addresses of the phones and a static group assignment in ISE for over a week and it fails. I'm passing the VLAN name in the Auth Profile and it matches the name on the switch. I don't believe I'm getting that far though because the switch indicates that authentication and authorization fails in the logs.

You'll have to share your Policy Set with us to help you determine the issue. Do the RADIUS requests appear in the ISE Live Logs? Errors? What do the errors say?

A good starting point is always

show run interface xxx show run | section radius show run | include aaa

Re: Dynamic voice VLAN assignment when different phone systems are in

hslai — Sun, 16 Apr 2023 13:13:05 GMT

> ... the switch indicates that authentication and authorization fails in the logs.
This usually means that ISE authentication is successful but the returning attributes are unable to apply to the client session on the switch for one reason or another, e.g. bad entries in the DACL. It would help by debugging on the switch side and the debug commands may vary by switches and switch firmwares. One of the following might help.

Re: Dynamic voice VLAN assignment when different phone systems are in

Christopher Bell — Mon, 17 Apr 2023 13:11:46 GMT

So the difference that I see here is you are using the name of the VLAN in the switchport command instead of the VLAN ID. Other than that, I've done exactly what you've laid out. I'll try using the name. Thanks Arne.

Re: Dynamic voice VLAN assignment when different phone systems are in

Christopher Bell — Mon, 17 Apr 2023 13:26:34 GMT

The switch I'm testing on is a 3850 and doesn't have the option to use the VLAN name in the template unfortunately. On the VLAN ID. I'm running 3.6.5, not sure if it's a version thing. I'll try a different switch.

Re: Dynamic voice VLAN assignment when different phone systems are in

Christopher Bell — Mon, 17 Apr 2023 14:25:56 GMT

I tested on a 9300 and the command set you used is there so I tried that. No difference. Logs indicate:

%DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN ^A on port TwoGigabitEthernet1/0/1 cannot be equivalent to the Voice VLAN AuditSessionID

Switchport config is as such:

interface TwoGigabitEthernet1/0/1
switchport mode access
authentication event fail action authorize vlan 630
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
end

AAA config is as such:

aaa authentication login default group ISE line
aaa authentication dot1x default group radISE
aaa authorization exec default group ISE if-authenticated
aaa authorization network default group radISE
aaa authorization commands 15 default group ISE if-authenticated
aaa accounting exec default start-stop group ISE
aaa accounting commands 0 default start-stop group ISE
aaa accounting commands 1 default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
aaa accounting system default start-stop group ISE
!
!
!
!
!
!
radius server radISE1
address ipv4 <redacted> auth-port 1812 acct-port 1813
timeout 5
key 7 <redacted>
!
tacacs server ISE1
address ipv4 <redacted>
key 7 <redacted>
timeout 5
tacacs server ISE2
address ipv4 <redacted>
key 7 <redacted>
timeout 5
!
!
aaa group server radius radISE
server name radISE1
!
aaa group server tacacs+ ISE
server name ISE1
server name ISE2

Re: Dynamic voice VLAN assignment when different phone systems are in

Arne Bier — Mon, 17 Apr 2023 21:59:45 GMT

What does the template look like on the switch (output please) ?

Does ISE return this template name?

Does the Voice VLAN exist in the switch (output please) ?

The DATA vlan on the TwoGigabitEthernet1/0/1 is not defined - which means it will default to VLAN 1 - I hope you're not trying to assign the voice VLAN to Vlan 1 as well? That would explain the error.

In the case where an interface template has been successfully applied to an interface, you won't see the result with a "show run interface" - you will have to use the command "show derived interface" instead.

Re: Dynamic voice VLAN assignment when different phone systems are in

Christopher Bell — Tue, 18 Apr 2023 12:38:45 GMT

The data vlan is not defined because we expect that to also be assigned dynamically when a computer is connected to the phone (for my testing, one is not). We currently do that in production using a FreeRadius solution that will eventually migrate to ISE (hence my testing). I'm trying to leave that aspect out of testing for now to avoid this being too complicated (one piece at a time). The main thing I'm trying to accomplish here is to dynamically assign the voice vlan.

The templates look like this:

template CISCOVOICE
switchport voice vlan 3000
template NECVOICE
switchport voice vlan 2342

The VLANs are installed on the switch as such:

vlan 2
name PROTECTED
vlan 108
name CLOSED
vlan 630
name CRITICAL
vlan 2342
name NECVOIP
vlan 2350
name MGMT
vlan 3000
name CISCOVOIP

The template results in ISE looks like this:

Access Type = ACCESS_ACCEPT
cisco-av-pair = device-traffic-class=voice
cisco-av-pair = interface-template-name=CISCOVOICE

Access Type = ACCESS_ACCEPT
cisco-av-pair = device-traffic-class=voice
cisco-av-pair = interface-template-name=NECVOICE

I don't see the template being passed by the live logs, but it wouldn't if authz is failing. I've read that the phones need to be configured for 802.1x to get authorization profiles passed to them by ISE in some forums? These phones are not configured for 802.1x because I was counting on using MAB. If that's not going to work, I can explore 802.1x on them.

Re: Dynamic voice VLAN assignment when different phone systems are in

Arne Bier — Tue, 18 Apr 2023 23:20:10 GMT

Your config looks correct - you should see the template Cisco AVPair passed in the Access-Accept - but it sounds like the MAB is not working. There is no need for 802.1X. How are you authenticating and authorizing these phones? Perhaps you can show us your Policy Set logic.

Re: Dynamic voice VLAN assignment when different phone systems are in

Christopher Bell — Wed, 19 Apr 2023 15:43:52 GMT

Thanks Arne, here's a screen snip. The Authz profiles were scrubbed in the screenshot to avoid displaying my orgs name.

Re: Dynamic voice VLAN assignment when different phone systems are in

Arne Bier — Thu, 20 Apr 2023 20:18:10 GMT

Do you get hits against those AuthZ rules? And can you see that the Template has been mentioned in the Access-Accept in each case?

Re: Dynamic voice VLAN assignment when different phone systems are in

Christopher Bell — Fri, 21 Apr 2023 16:51:39 GMT

Yes in both cases. Here's the result for one of the NEC phones I'm testing with:

On the switch side, it's complaining there isn't already a voice vlan and it's trying to connect the phone to the data vlan:

%DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN ^A on port TwoGigabitEthernet1/0/5 cannot be equivalent to the Voice VLAN AuditSessionID

And then ends with:

%SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (blah blah) on Interface TwoGigabitEthernet1/0/5 AuditSessionID 0400040A00000018A4B1EC84.

I'll also add that I switch to 802.1x and the phone authenticates using creds we hard coded on it. So authentication is working. What's broken is the interface template being passed back to the switch so the switchport voice command can be applied.

Re: Dynamic voice VLAN assignment when different phone systems are in

Arne Bier — Sun, 23 Apr 2023 23:02:17 GMT

Have you tried putting a voice vlan on the interface (even if it's not the one you might need in the AAA case)? If this doesn't work, then I would assume that dynamic voice domain VLAN assignment just wasn't ever meant to work.

Re: Dynamic voice VLAN assignment when different phone systems are in

Christopher Bell — Wed, 26 Apr 2023 12:48:04 GMT

Yes, I've tried it while using MAB to authenticate but not 802.1x. I'll try that next if I can.

Re: Dynamic voice VLAN assignment when different phone systems are in

MaErre21325 — Wed, 29 Oct 2025 08:57:08 GMT

The voice vlan must be configured in the dot 802.1x port configuration even if it is not used?
i'm getting this error:

DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 9 on port GigabitEthernet0/16 cannot be equivalent to the Voice VLAN AuditSessionID 0AD24A0E0004411B12E4E0F3

but on the switch where i'm getting the errors we don't use the voice vlan; what should be configured?