

AVAYA phone does not authenticate with the attribute to LLDP CISCO ISE

Hello, I bring another interesting topic. I have ISE 2.4 and I am trying to authenticate Avaya phones using the LLDP attribute, however it does not work. I leave the configuration here to see if the same thing has happened to someone else.


interface GigabitEthernet1/0/20
 switchport access vlan 58
 switchport mode access
 switchport voice vlan 158
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast


device-sensor filter-list lldp list lldp-list
 tlv name system-name
 tlv name system-capabilities
device-sensor filter-spec lldp include list lldp-list
device-sensor accounting
device-sensor notify all-changes






Rob Ingram
VIP Mentor


Do you have aaa accounting configured correctly? Please provide the output of "show run aaa"

Take a packet capture on ISE, filter on the NAD the phone is connected to. Check the output to confirm the switch sends the information.

Go to the endpoint database and find the MAC address of a profiled Avaya phone. What Endpoint Policy has been applied?

And what was the "Total Certainty Factor"?

VIP Master

Check the thread below, it may help you (what do you see in the ISE Live Logs?). What model is the switch and which IOS? Do any phones work?


Without ISE, did the phone work?






Just want to understand one more thing: what happens to the device? Does MAB work? Or do the Avaya phones restart after 59 secs?


The SW has LLDP enabled. When trying to authenticate, it shows an error in ISE and on the SW it appears in DROP status. The phone does not restart; it only tries to authenticate every x time, but it does not succeed.

All this started when a vulnerability came out in which a user could clone the MAC from their Avaya phone and with that they could enter the network.






Can you try this policy --> IdentityGroup:Name Equals Endpoint Identity Group:Profiled:Avaya-Devices


Also, the Authorization profile should have voice permission given to do the same.

Cisco Employee

You should try the recommended device-sensor configuration from the ISE Secure Wired Access Prescriptive Deployment Guide:

lldp run
device-sensor filter-list dhcp list DHCP-LIST
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
device-sensor filter-list lldp list LLDP-LIST
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
device-sensor filter-list cdp list CDP-LIST
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec cdp include list CDP-LIST
device-sensor accounting
device-sensor notify all-changes
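
A quick way to see how the configuration posted at the top of the thread differs from the recommended one, as an added example that is not part of any post in this thread. It covers only the LLDP part; the function names are hypothetical, and both sample configs are copied from the thread with sub-command indentation restored.

```python
# Added example: report which recommended device-sensor lines are absent
# from a switch config excerpt. Both samples are copied from the thread.
RECOMMENDED = """\
lldp run
device-sensor filter-list lldp list LLDP-LIST
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor accounting
device-sensor notify all-changes
"""

POSTED = """\
device-sensor filter-list lldp list lldp-list
 tlv name system-name
 tlv name system-capabilities
device-sensor filter-spec lldp include list lldp-list
device-sensor accounting
device-sensor notify all-changes
"""

def parse(config):
    """Return {parent_line: set(child_lines)} using IOS indentation.
    Lines are case-folded, so list names compare case-insensitively
    (assumption: the filter-list name is the operator's choice)."""
    tree, parent = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue  # skip blank lines and IOS comment separators
        line = " ".join(raw.split()).lower()
        if raw[0].isspace() and parent is not None:
            tree[parent].add(line)      # indented: sub-command of parent
        else:
            parent = line               # column 0: new top-level command
            tree.setdefault(parent, set())
    return tree

def missing(recommended, actual):
    """List recommended commands or sub-commands not found in actual."""
    want, have = parse(recommended), parse(actual)
    gaps = []
    for parent, children in want.items():
        if parent not in have:
            gaps.append(parent)
            continue
        gaps += [f"{parent} -> {c}" for c in sorted(children - have[parent])]
    return gaps

if __name__ == "__main__":
    print("\n".join(missing(RECOMMENDED, POSTED)) or "no gaps")
```

The posted excerpt may simply not show `lldp run`, so a reported gap means "not in the text supplied", to be confirmed against the full running configuration.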

One often overlooked feature is DHCP Snooping, which solved my problem with profiling data not making its way to ISE.


It's not too tricky to configure on an Access Switch, but it should fix your problem if you have ISE configured correctly.
