Hello, I bring another interesting topic. I have ISE 2.4 and I am trying to authenticate Avaya phones using the LLDP attribute; however, it does not work. I am leaving the configuration here to see whether the same thing has happened to someone else.
switchport access vlan 58
switchport mode access
switchport voice vlan 158
authentication event fail action next-method
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 10
device-sensor filter-list lldp list lldp-list
 tlv name system-name
 tlv name system-capabilities
device-sensor filter-spec lldp include list lldp-list
device-sensor notify all-changes
Do you have AAA accounting configured correctly? Please provide the output of "show run aaa".
Take a packet capture on ISE, filtered on the NAD the phone is connected to. Check the output to confirm the switch sends the information.
Go to the endpoint database and find the MAC address of a profiled Avaya phone. What Endpoint Policy has been applied?
And what was the "Total Certainty Factor"?
Check the thread below; it may help you. What do you see in ISE Live Logs? What model of switch and which IOS version? Does any phone work?
Without ISE, does the phone work?
The switch has LLDP enabled. When it tries to authenticate, ISE shows an error and on the switch the session appears in DROP status. The phone does not restart; it only retries authentication every so often and never succeeds.
All this started when a vulnerability came out in which a user could clone the MAC address of their Avaya phone and use it to get onto the network.
Can you try this policy: IdentityGroup:Name Equals Endpoint Identity Group:Profiled:Avaya-Devices
Also, the Authorization profile should have voice permission granted as well.
You should try the recommended device-sensor configuration from the ISE Secure Wired Access Prescriptive Deployment Guide:
lldp run
!
device-sensor filter-list dhcp list DHCP-LIST
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-list lldp list LLDP-LIST
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
!
device-sensor filter-list cdp list CDP-LIST
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
!
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec cdp include list CDP-LIST
!
device-sensor accounting
device-sensor notify all-changes
!
One often overlooked feature is DHCP Snooping, which solved my problem with profiling data not making its way to ISE.
It's not too tricky to configure on an access switch, but it should fix your problem if you have ISE configured correctly.