4771 Views, 15 Helpful, 7 Replies

AVAYA phone does not authenticate with the attribute to LLDP CISCO ISE

eperezb
Level 1

Hello, I bring another interesting topic. I have ISE 2.4 and I am trying to authenticate Avaya phones using the LLDP attribute; however, it does not work. I leave the configuration here to see whether the same thing has happened to someone.

interface GigabitEthernet1/0/20
switchport access vlan 58
switchport mode access
switchport voice vlan 158
authentication event fail action next-method
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

device-sensor filter-list lldp list lldp-list
 tlv name system-name
 tlv name system-capabilities
device-sensor filter-spec lldp include list lldp-list
device-sensor accounting
device-sensor notify all-changes

[Screenshot: ISE]

Accepted Solution

mitchp75
Level 1

One often overlooked feature is DHCP Snooping, which solved my problem with profiling data not making its way to ISE.

https://community.cisco.com/t5/network-access-control/ise-and-dhcp-snooping/td-p/2473425

It's not too tricky to configure on an access switch, but it should fix your problem if you have ISE configured correctly.

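DHCP snooping matters here because device-sensor can only report DHCP attributes it actually sees; once the switch inspects the client's DHCP traffic, the options named in the deployment guide's DHCP-LIST later in this thread (host-name, requested-address, parameter-request-list, class-identifier, client-identifier) become available for profiling. The following script is an added example, not code from this thread or from Cisco: it builds a constructed DHCPDISCOVER (the MAC, hostname, vendor class and requested address are made-up sample values), decodes its option section, and keeps only the options that filter list would forward, so you can see exactly which attributes ISE would receive for such a client.

```python
import struct
from ipaddress import IPv4Address

# DHCP option codes (RFC 2132) behind the IOS
# "device-sensor filter-list dhcp ... option name <name>" keywords
OPTION_NAMES = {
    12: "host-name",
    50: "requested-address",
    55: "parameter-request-list",
    60: "class-identifier",
    61: "client-identifier",
}
DHCP_LIST = set(OPTION_NAMES.values())   # mirrors the guide's DHCP-LIST
MAGIC_COOKIE = bytes.fromhex("63825363")


def option(code, value):
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value


def build_dhcp_discover(mac, hostname, vendor_class, requested_ip):
    """Constructed DHCPDISCOVER payload (236-byte BOOTP header + options); not a real capture."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0x8000,      # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac + b"\0" * 10,           # chaddr, padded to 16 bytes
        b"\0" * 64, b"\0" * 128,    # sname, file
    )
    opts = (
        option(53, b"\x01")                            # DHCP message type: DISCOVER
        + option(61, b"\x01" + mac)                    # client-identifier: htype + MAC
        + option(50, IPv4Address(requested_ip).packed) # requested-address
        + option(12, hostname.encode())                # host-name
        + option(60, vendor_class.encode())            # class-identifier
        + option(55, bytes([1, 3, 6, 15, 42, 43]))     # parameter-request-list
        + b"\xff"                                      # end option
    )
    return header + MAGIC_COOKIE + opts


def parse_dhcp_options(payload):
    """Decode the option section of a DHCP packet into {code: raw value}."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, found = 240, {}
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end
            break
        if code == 0:              # pad byte has no length field
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        found[code] = value
        i += 2 + length
    return found


def decode(code, value):
    """Render the options device-sensor reports in a human-readable form."""
    if code in (12, 60):
        return value.decode("utf-8", errors="replace")
    if code == 50:
        return str(IPv4Address(value))
    if code == 55:
        return list(value)
    if code == 61:
        return value.hex(":")
    return value.hex()


def profile_attributes(payload, include_list=DHCP_LIST):
    """Mimic 'device-sensor filter-spec dhcp include list': only listed options reach ISE."""
    opts = parse_dhcp_options(payload)
    return {OPTION_NAMES[c]: decode(c, v) for c, v in opts.items()
            if c in OPTION_NAMES and OPTION_NAMES[c] in include_list}


def sample_attributes():
    """Attributes ISE would receive for the constructed sample client."""
    payload = build_dhcp_discover(bytes.fromhex("001122334455"), "phone-2001",
                                  "example-vendor-class", "10.1.158.20")
    return profile_attributes(payload)


if __name__ == "__main__":
    for name, value in sample_attributes().items():
        print("%-24s %s" % (name, value))
```

Without DHCP snooping the switch never inspects this packet, so the attribute set device-sensor hands to ISE is empty for DHCP regardless of the filter list; checking the endpoint's attributes in the ISE endpoint database for the presence of these five fields is a quick way to confirm the snooping path is working.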

7 Replies

@eperezb 

Do you have aaa accounting configured correctly? Please provide the output of "show run aaa"

Take a packet capture on ISE, filter on the NAD the phone is connected to. Check the output to confirm the switch sends the information.

Go to the endpoint database and find the mac address of a profiled avaya phone, what Endpoint Policy has been applied?

And what was the "Total Certainty Factor"?

balaji.bandi
Hall of Fame

Check the threads below; they may help you. (What do you see in the ISE Live Logs?) What model of switch and IOS is it? Do any phones work?

https://community.cisco.com/t5/network-access-control/cisco-ise-2960x-mab-avaya-ip-phone/td-p/3089750

https://community.cisco.com/t5/network-access-control/endoint-profile-avaya/td-p/3487509

Without ISE, does the phone work?

BB


Hi,

I just want to understand one more thing: what happens to the device? Does MAB work, or do the Avaya phones restart after 59 seconds?

eperezb
Level 1

The switch has LLDP enabled. When it tries to authenticate, ISE shows an error and on the switch the port appears in DROP status. The phone does not restart; it just retries authentication every so often without success.

All this started after a vulnerability came out in which a user could clone the MAC of their Avaya phone and use it to get onto the network.

[Screenshots: Captura.PNG, Captura4.PNG, Captura3.PNG, Captura2.PNG]

Hi,

Can you try this policy --> IdentityGroup:Name Equals Endpoint Identity Group:Profiled:Avaya-Devices

Also, the Authorization Profile should have voice permission granted for this to work.

thomas
Cisco Employee

You should try the recommended device-sensor configuration from the ISE Secure Wired Access Prescriptive Deployment Guide:

lldp run
!
device-sensor filter-list dhcp list DHCP-LIST
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-list lldp list LLDP-LIST
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
!
device-sensor filter-list cdp list CDP-LIST
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
!
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec cdp include list CDP-LIST
!
device-sensor accounting
device-sensor notify all-changes
!
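The practical difference between the original post's lldp-list and the guide's LLDP-LIST above is the system-description TLV, which the original configuration never forwards to ISE. The script below is an added example, not code from this thread, from Cisco or from Avaya: it encodes a constructed LLDPDU for a hypothetical IP phone (the MAC, system name and description are made-up values, not a real Avaya capture), parses its TLVs the way IEEE 802.1AB defines them, and then applies both filter lists so the attribute set that would reach the ISE profiler under each configuration is visible side by side. Which of these attributes the ISE profiler policy for the phone actually matches on is something to verify in the profiler policy itself; the example only shows what the switch would send.

```python
import struct

# LLDP TLV types (IEEE 802.1AB) mapped to the keywords used by
# "device-sensor filter-list lldp ... tlv name <name>" on IOS
TLV_NAMES = {
    4: "port-description",
    5: "system-name",
    6: "system-description",
    7: "system-capabilities",
    8: "management-address",
}

# Bit positions of the System Capabilities bitmap
CAPABILITY_BITS = {
    0: "other", 1: "repeater", 2: "bridge", 3: "wlan-access-point",
    4: "router", 5: "telephone", 6: "docsis-cable-device", 7: "station-only",
}

# Filter lists as configured in this thread
OP_LIST = ["system-name", "system-capabilities"]                        # original post
GUIDE_LIST = ["system-name", "system-description", "system-capabilities"]  # deployment guide


def tlv(tlv_type, value):
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value bytes."""
    if len(value) > 511:
        raise ValueError("TLV value exceeds 9-bit length field")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(system_name, system_description, capabilities, enabled):
    """Constructed Ethernet + LLDPDU for a hypothetical phone; not a real capture."""
    mac = bytes.fromhex("001122334455")                 # made-up source MAC
    body = (
        tlv(1, b"\x04" + mac)                           # Chassis ID, subtype 4 = MAC address
        + tlv(2, b"\x03" + mac)                         # Port ID, subtype 3 = MAC address
        + tlv(3, struct.pack("!H", 120))                # TTL in seconds
        + tlv(5, system_name.encode())                  # System Name
        + tlv(6, system_description.encode())           # System Description
        + tlv(7, struct.pack("!HH", capabilities, enabled))  # System Capabilities
        + tlv(0, b"")                                   # End of LLDPDU
    )
    eth = bytes.fromhex("0180c200000e") + mac + b"\x88\xcc"  # LLDP multicast, src, ethertype
    return eth + body


def parse_lldp(frame):
    """Return {tlv-name: decoded value} for the optional TLVs device-sensor can filter on."""
    if frame[12:14] != b"\x88\xcc":
        raise ValueError("not an LLDP frame")
    attrs, offset = {}, 14
    while offset + 2 <= len(frame):
        header, = struct.unpack_from("!H", frame, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV of type %d" % tlv_type)
        offset += 2 + length
        if tlv_type == 0:                               # End of LLDPDU
            break
        if tlv_type in (4, 5, 6):                       # string-valued TLVs
            attrs[TLV_NAMES[tlv_type]] = value.decode("utf-8", errors="replace")
        elif tlv_type == 7:                             # capabilities: only report enabled bits
            _caps, enabled = struct.unpack("!HH", value)
            attrs["system-capabilities"] = sorted(
                name for bit, name in CAPABILITY_BITS.items() if enabled & (1 << bit))
    return attrs


def apply_filter_list(attrs, include_list):
    """Mimic 'device-sensor filter-spec lldp include list': only listed TLVs reach ISE."""
    return {name: attrs[name] for name in include_list if name in attrs}


def compare_filter_lists():
    """Attributes forwarded under the original post's list vs. the guide's list."""
    # 0x0024 = bridge (bit 2) + telephone (bit 5), typical of an IP phone with a PC port
    frame = build_lldp_frame("phone-2001", "Example IP Phone, firmware 1.0 (constructed)",
                             capabilities=0x0024, enabled=0x0024)
    attrs = parse_lldp(frame)
    return apply_filter_list(attrs, OP_LIST), apply_filter_list(attrs, GUIDE_LIST)


if __name__ == "__main__":
    op_attrs, guide_attrs = compare_filter_lists()
    print("original lldp-list forwards:", op_attrs)
    print("guide LLDP-LIST forwards:   ", guide_attrs)
```

The same comparison can be made against real data by taking the packet capture suggested earlier in the thread on the ISE side and checking which LLDP attributes appear in the RADIUS accounting from the switch; if system-description is missing there while the phone does advertise it, the filter list rather than the phone is the reason.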
