Phones prefer to connect to Data domain instead of Voice domain

Ditter
Level 3

Dear All,

A quick question on which I would like to have your opinion.

I am using MAB authentication/authorization for Cisco IP phones as well as the network PCs.

The problem is that the first time I plug a new phone into the network it gets connected as a data-domain device and it gets stuck in "Detecting network...".

Then I unplug the phone, re-plug it and it connects correctly to the voice domain (as it should have in the first place), and from that point onward it works OK: it proceeds to connect to Call Manager, downloading firmware and the phone profile.

Any idea why the phone does not get into the voice domain the first time?

Is there by any chance the phone not able to be profiled correctly from the beginning in order to connect to the voice domain?

And why is the phone capable of connecting to the voice domain after the reboot?

Please find attached my authorization policy.

Lastly, the switch port config is as follows:


interface GigabitEthernet5/35
switchport access vlan 10
switchport mode access
switchport voice vlan 90
no logging event link-status
authentication control-direction in
authentication event server dead action authorize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
no snmp trap link-status
auto qos voip cisco-phone
dot1x pae authenticator
qos trust device cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
end

 

Thank you,

Ditter

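As an added example that is not part of the original post (and not Cisco or ISE code), here is a small Python lint that reads an IOS interface block like the one above and reports whether the settings a MAB-authenticated phone plus PC needs on one port are present: multi-domain host mode, MAB enabled and in the authentication order, port-control auto, a voice VLAN distinct from the data VLAN, and the server-dead / periodic-reauth behaviour. The requirement list is my assumption drawn from the posted config; the sample block is the poster's port with the SNMP/QoS lines omitted.

```python
"""Lint an IOS access-port block for the settings a MAB-authenticated
phone plus PC needs on one port.  Added example, not Cisco or ISE code;
the REQUIRED list is an assumption drawn from the configuration posted
in this thread."""
import re

# (finding name, regex that one stripped config line must match)
REQUIRED = [
    ("access_vlan", r"^switchport access vlan \d+$"),
    ("voice_vlan", r"^switchport voice vlan \d+$"),
    ("multi_domain", r"^authentication host-mode multi-domain$"),
    ("mab_enabled", r"^mab$"),
    ("mab_in_order", r"^authentication order\b.*\bmab\b"),
    ("port_control_auto", r"^authentication port-control auto$"),
    ("dead_server_voice", r"^authentication event server dead action authorize voice$"),
    ("periodic_reauth", r"^authentication periodic$"),
]

# Constructed sample: the port block from the original post, trimmed.
SAMPLE_PORT = """
interface GigabitEthernet5/35
switchport access vlan 10
switchport mode access
switchport voice vlan 90
authentication host-mode multi-domain
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication event server dead action authorize vlan 10
authentication event server dead action authorize voice
mab
end
"""


def parse_interface(text):
    """Return (interface name, list of stripped config lines) for one block."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].lower().startswith("interface "):
        raise ValueError("expected a block starting with 'interface ...'")
    body = [ln for ln in lines[1:] if ln != "end" and not ln.startswith("!")]
    return lines[0].split(None, 1)[1], body


def check_port(text):
    """Return {'interface': name, 'missing': [...], 'distinct_vlans': bool}.

    'missing' lists REQUIRED findings that no line satisfied.
    'distinct_vlans' is False when the voice VLAN is absent or equals the
    access VLAN; multi-domain mode needs a separate voice VLAN.
    """
    name, body = parse_interface(text)
    missing = [key for key, pat in REQUIRED
               if not any(re.match(pat, ln) for ln in body)]
    vlans = {}
    for ln in body:
        m = re.match(r"^switchport (access|voice) vlan (\d+)$", ln)
        if m:
            vlans[m.group(1)] = m.group(2)
    distinct = ("access" in vlans and "voice" in vlans
                and vlans["access"] != vlans["voice"])
    return {"interface": name, "missing": missing, "distinct_vlans": distinct}


if __name__ == "__main__":
    print(check_port(SAMPLE_PORT))
```

Feed it the output of `show running-config interface <name>` for each access port; an empty `missing` list and `distinct_vlans: True` means the port matches the pattern used in this thread.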


6 Replies

ognyan.totev
Level 5

Hi,

The port config looks OK; you allow only MAB on the port, but if this is your solution it looks OK.

When the device first connects, maybe in ISE you can see it is profiled as Cisco-Device, and after some time the switch must reprofile it as Cisco-IP-Phone. In my deployment I authenticate phones with dot1x and I have never seen them not profiled correctly.

Thanks Ognyan,

To answer your first question: yes, I am only using MAB because I have two kinds of phones, 7841 and 3905, and the latter does not support dot1x, and I want to have one policy for all phones, hence MAB.

It is true that this situation happens only the first time the phones are connected to the network, out of the box, when ISE has not had the chance to profile them.

Do you see any way to work around this problem?

Thanks again,

Ditter.

 

mnagired
Cisco Employee

Hi,

The configuration looks good and you are using the right mode (MDA) for IP telephony. Usually the phone falling back to the data VLAN is a known thing, but once it is authenticated to ISE and ISE sends back the device-traffic-class=voice VSA, it should fall back to the voice VLAN automatically.

How about CDP or LLDP: is CDP enabled on the ports? Through CDP/LLDP, the Cisco IP phone should learn the voice VLAN.

The first CDP frame received from the Cisco IP phone allows the switch to realize that a Cisco IP phone is actually connected to the port, so that the right information (such as power level, voice VLAN ID (VVID), and so on) can then be delivered to the phone.

Thanks Mnagired,

Yes, LLDP and CDP are both configured and enabled on all ports.

The strange thing is that the phone (as mentioned, a phone picked out of the box) gets stuck in "Detecting Network" as it is authenticated as a data device, and only after a reboot registers in the voice domain.

It is like the phone is not recognized as a voice device from "moment 0" but as a data device.

So here is what is happening when a new phone connects:

  1. The phone connects and ISE only learns the MAC address and profiles it as a Cisco-Device. Your Cisco-Device profile may not have a rule, or if it does have a rule it doesn't have the voice VLAN set. Let's assume you have a rule but no voice domain for a generic Cisco-Device.
  2. The phone will get authorized and the Data domain set.
  3. The phone doesn't know or care about the Data domain setting; that is a switch setting. The phone will learn the voice VLAN via CDP and attempt to talk on the voice VLAN.
  4. The switch will deny the phone's access to the voice VLAN and the phone gets stuck in "Detecting network".
  5. CDP from the phone is sent to ISE, or ISE polls the switch to learn CDP information, to reprofile the phone as a Cisco-IP-Phone.
  6. What is supposed to happen, assuming you have CoA set to Reauth (Administration -> System -> Settings -> Profiling), is that ISE sends a CoA when it reprofiles the phone, but that was broken until patch 6, which just came out.
  7. Because CoA on reprofile was broken, the phone eventually reboots and then the next time it authenticates it hits the phone rule and life is good.

So the moral of the story is: install patch 6 and it should fix your issue.
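The two RADIUS pieces this explanation depends on are the cisco-avpair VSA `device-traffic-class=voice` that puts a MAB session into the voice domain (the VSA mnagired mentions above) and the CoA-Request that ISE sends to re-authenticate the session once it has reprofiled the endpoint. The following is an added Python example written for this page; it is not ISE, IOS or code from anyone in this thread. It encodes and decodes those attributes with the standard library, builds an Access-Accept carrying the voice VSA and a CoA-Request carrying `subscriber:command=reauthenticate`, and verifies the CoA Request Authenticator the way the switch would. The shared secret, session ID and MAC address are constructed values.

```python
"""RADIUS attributes behind the fix in this thread: the Cisco VSA that
selects the VOICE domain and a CoA reauthenticate request.  Added
example for this page, not ISE or IOS code."""
import hashlib
import hmac
import os
import struct

CISCO_VENDOR_ID = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1               # vendor type of cisco-avpair
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
CODE_ACCESS_ACCEPT = 2
CODE_COA_REQUEST = 43


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Encode cisco-avpair: VSA(26) -> vendor id 9 -> vendor type 1 -> text."""
    sub = attr(CISCO_AVPAIR, text.encode())
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def parse_attrs(data):
    """Walk a TLV attribute list and return (type, value) pairs."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


def cisco_avpairs(attrs):
    """Return every cisco-avpair string found in an attribute list."""
    found = []
    for atype, value in parse_attrs(attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, vval in parse_attrs(value[4:]):
            if vtype == CISCO_AVPAIR:
                found.append(vval.decode(errors="replace"))
    return found


def traffic_class(attrs):
    """Domain the switch assigns: 'voice' only if the VSA says so, else 'data'."""
    for pair in cisco_avpairs(attrs):
        if pair.lower() == "device-traffic-class=voice":
            return "voice"
    return "data"


def access_accept_voice(ident, request_authenticator, secret):
    """Access-Accept that authorizes the MAB session into the VOICE domain.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    attrs = cisco_avpair("device-traffic-class=voice")
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def coa_reauth(secret, session_id, mac, ident=1):
    """CoA-Request (code 43) asking the switch to re-authenticate one session.
    Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret),
    RFC 5176 section 2.3."""
    attrs = (cisco_avpair("subscriber:command=reauthenticate")
             + attr(ATTR_ACCT_SESSION_ID, session_id.encode())
             + attr(ATTR_CALLING_STATION_ID, mac.encode()))
    header = struct.pack("!BBH", CODE_COA_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_coa(packet, secret):
    """Recompute the CoA Request Authenticator as the receiving switch would."""
    if len(packet) < 20 or packet[0] != CODE_COA_REQUEST:
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    secret = b"s3cret"                          # constructed shared secret
    accept = access_accept_voice(7, os.urandom(16), secret)
    print("Access-Accept domain:", traffic_class(accept[20:]))
    coa = coa_reauth(secret, "0x00000007", "00-11-22-33-44-55")  # constructed
    print("CoA-Request verifies:", verify_coa(coa, secret))
```

In a capture of the Access-Accept for a phone stuck in "Detecting network", `traffic_class()` on its attribute bytes returning `data` confirms step 2 above (authorized without the voice VSA); a CoA-Request that never arrives on the switch after reprofiling confirms step 6.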

Hi Paul!

So glad I am part of this community.

You seem to know your stuff :-)

I had to patch the PSNs to patch no. 6; that is the reason I did not reply earlier.

It worked perfectly: the phone was first profiled as Cisco-Device, then CoA worked fine, and a moment later the phone was correctly profiled as part of my custom Cisco Phone logical profile group and the voice authorization profile with voice domain was applied.

Thank you for your help in solving the problem.

Ditter.
