cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1790
Views
15
Helpful
7
Replies
eperezb
Beginner

AVAYA phone does not authenticate with the attribute to LLDP CISCO ISE

Hello, I bring another interesting topic, I have ISE 2.4 and I am trying to authenticate avaya phones using the LLDP attribute, however it does not work. I leave the configuration and see if it is possible that the same thing happened to someone

 

interface GigabitEthernet1/0/20
switchport access vlan 58
switchport mode access
switchport voice vlan 158
authentication event fail action next-method
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

 

device-sensor filter-list lldp list lldp-list
tlv name system-name
tlv name system-capabilities
device-sensor filter-spec lldp include list lldp-list
device-sensor accounting
device-sensor notify all-changes

 

 

ISE 

 

 

7 REPLIES 7
Rob Ingram
VIP Mentor

@eperezb 

Do you have aaa accounting configured correctly? Please provide the output of "show run aaa"

Take a packet capture on ISE, filter on the NAD the phone is connected to. Check the output to confirm the switch sends the information.

Go to the endpoint database and find the mac address of a profiled avaya phone, what Endpoint Policy has been applied?

And what was the "Total Certainy Factor"?

balaji.bandi
VIP Master

check below thread may help you :  ( what you see ISE Live Logs ?) and what model of the switch and IOS ? - is there any phone works ?

 

https://community.cisco.com/t5/network-access-control/cisco-ise-2960x-mab-avaya-ip-phone/td-p/3089750

https://community.cisco.com/t5/network-access-control/endoint-profile-avaya/td-p/3487509

 

with out ISE did the phone works?

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

saxenanitesh8522
Enthusiast

Hi,

 

Just want to understand one more question what happens to the device? does the MAB work? or the avaya phones restarts after 59 secs?

eperezb
Beginner

Captura4.PNGThe SW has LLDP enabled, when trying to authenticate it marks an error in the ISE and in the SW it appears in DROP status, the phone does not restart, it only tries to authenticate every x time but it does not succeed

All this started, since a vulnerability came out in which a user could clone their mac from their Avaya phone and with that they could enter the network

 

 

 

Captura.PNGCaptura4.PNGCaptura3.PNGCaptura2.PNG

Hi 

Can you try this policy --> IdentityGroup:Name Equals Endpoint Identity Group:Profiled:Avaya-Devices

 

Also in the Authorization profile should have voice permission given to do the same.

thomas
Cisco Employee

You should try the recommended device-sensor configuration from the ISE Secure Wired Access Prescriptive Deployment Guide :

lldp run
!
device-sensor filter-list dhcp list DHCP-LIST
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-list lldp list LLDP-LIST
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
!
device-sensor filter-list cdp list CDP-LIST
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
!
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec cdp include list CDP-LIST
!
device-sensor accounting
device-sensor notify all-changes
!
mitchp75
Beginner

One often overlooked feature that is missed is DHCP Snooping which solved my problem with profiling data not making its way to ISE.

 

https://community.cisco.com/t5/network-access-control/ise-and-dhcp-snooping/td-p/2473425  

 

Its not to tricky to configure on an Access Switch but should fix your problem if you have ISE configured correctly.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel