12-17-2018 07:28 AM - edited 12-17-2018 08:55 AM
ISE2.3 Patch 5, Cisco 3650 16.3.7, Avaya 1608
So I have this 3650 and I run a heavy port config without any templates. I don't run 'switchport access vlan XXX' or 'switchport voice vlan YYY'; I assign those values via ISE authorization profile. I'm not running any ACLs either, pretty open setup. And for every data vlan this is working great.
However when I plug an Avaya IP Phone, the only phone at my disposal, into the port I get "Authorization failed or unapplied for client".
[Port Config]
interface GigabitEthernet1/0/47
switchport mode access
device-tracking attach-policy TRACKING_POLICY
authentication periodic
authentication timer reauthenticate server
access-session port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 2
storm-control broadcast level bps 1m 500k
auto qos trust
spanning-tree portfast
spanning-tree bpduguard enable
service-policy type control subscriber POLICY_RADIUS
service-policy input AutoQos-4.0-Trust-Cos-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping limit rate 100
end
[Auth Pro]
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:110
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
cisco-av-pair = device-traffic-class=voice
TAC is telling me that I have to have 'switchport voice vlan XXX' on the switchport or this will never work. But if that's the case, then why does ISE have 'voice domain permission' (cisco-av-pair = device-traffic-class=voice) in the authorization profile? This works fine with data, but for some reason I can't assign the voice vlan off an Authorization Profile... even though it seems like ISE is designed to do exactly this.
EDIT: Tested; also a problem on 16.6.4 and 16.9.2. Identical verbiage in debugs.
12-17-2018 09:28 AM
So a thought comes to mind after reviewing RFC 3580. Your tunnel attributes look fine, but how does the switch know that this is for the voice vlan and not the data vlan? The RFC does not have a defined method for voice vs data, so it wouldn't surprise me that it will only work for data.
I take it that "device-traffic-class=voice" only applies to a preconfigured voice vlan, which in your case doesn't exist. The switch has no voice vlan configured, the tunnel attributes apply to the standard data vlan config, so the switch can't authorize the endpoint into a non-existent voice vlan.
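An added example, not from the thread or from Cisco: a small Python model of the authorization decision as the accepted answer explains it, run against the profile posted above. The port dictionaries, function names and the "after adding switchport voice vlan 110" case are constructed for illustration; the real decision is made by IOS-XE, not by this script.

```python
TUNNEL_TYPE_VLAN = 13  # RFC 3580: Tunnel-Type value 13 = VLAN
TUNNEL_MEDIUM_802 = 6  # RFC 3580: Tunnel-Medium-Type value 6 = IEEE 802

def untag(value):
    """Strip the RFC 2868 tag prefix ("1:110" -> "110"); tagless values pass through."""
    head, sep, rest = value.partition(":")
    return rest if sep and head.isdigit() else value

def parse_profile(lines):
    """Parse the attribute listing as ISE shows it ("Name = value" per line)."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def authorize(attrs, port):
    """Model of the switch decision as the accepted answer describes it (assumption).
    port: {"access_vlan": int or None, "voice_vlan": int or None}, a constructed shape."""
    if attrs.get("Access Type", [""])[0] != "ACCESS_ACCEPT":
        return False, None, None, "not an Access-Accept"
    tunnel_vlan = None
    if (untag(attrs.get("Tunnel-Type", [""])[0]) == str(TUNNEL_TYPE_VLAN)
            and untag(attrs.get("Tunnel-Medium-Type", [""])[0]) == str(TUNNEL_MEDIUM_802)
            and "Tunnel-Private-Group-ID" in attrs):
        tunnel_vlan = int(untag(attrs["Tunnel-Private-Group-ID"][0]))
    if "device-traffic-class=voice" not in attrs.get("cisco-av-pair", []):
        # Data domain: the RFC 3580 tunnel attributes replace the port's access VLAN.
        vlan = tunnel_vlan if tunnel_vlan is not None else port["access_vlan"]
        return True, "DATA", vlan, "data VLAN from tunnel attributes"
    if port["voice_vlan"] is None:
        # The thread's failure: voice domain requested, but no voice VLAN on the port.
        return False, "VOICE", None, "Authorization failed or unapplied for client"
    return True, "VOICE", port["voice_vlan"], "placed in the port's voice VLAN"

# Constructed input: the profile from the thread and two port configurations.
PROFILE = parse_profile([
    "Access Type = ACCESS_ACCEPT", "Tunnel-Private-Group-ID = 1:110",
    "Tunnel-Type = 1:13", "Tunnel-Medium-Type = 1:6",
    "cisco-av-pair = device-traffic-class=voice",
])
PORT_AS_POSTED = {"access_vlan": None, "voice_vlan": None}  # Gi1/0/47 as posted
PORT_WITH_VOICE = {"access_vlan": None, "voice_vlan": 110}  # after 'switchport voice vlan 110'

if __name__ == "__main__":
    print(authorize(PROFILE, PORT_AS_POSTED))
    print(authorize(PROFILE, PORT_WITH_VOICE))
```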
12-17-2018 07:33 AM
This is most likely an issue with the code running on the 3650. Please continue to work with the TAC to determine why it behaves in that manner.
Regards,
-Tim
12-17-2018 08:02 AM
TAC has already closed my case stating "you have to have switchport voice vlan XXX or this will not work". Are you saying otherwise?
12-17-2018 01:46 PM
[Auth Pro]
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:110
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
cisco-av-pair = device-traffic-class=voice
which I believe would override the Voice VLAN configured on the switch interface.
I do not think you need Cisco-AVpair for voice, as you mentioned both data and voice using the same VLAN.