08-07-2018 10:16 AM - edited 03-11-2019 01:47 AM
Hello everyone,
We have a situation where a device is connecting to the network and is unable to tell the switch it should be on the voice vlan, when it should be. Does anyone know if there is a way to tell the switch via ISE that this interface should be set to the voice vlan only?
We enabled the voice permission option on the auth results, and what this does is place the device's MAC in both the data and voice domain; however, the client stays on the data domain and does not grab a new address on the voice domain.
interface GigabitEthernet0/9
switchport access vlan 2160
switchport mode access
switchport voice vlan 2161 <-- Want the device to only access voice vlan, not access vlan
Vlan Mac Address Type Ports
---- ----------- -------- -----
2160 7845.0101.1635 STATIC Gi0/9 <-- Want this to disappear, keeping the device on vlan 2161 only
2161 7845.0101.1635 STATIC Gi0/9
Total Mac Addresses for this criterion: 2
Thanks in advance!
08-07-2018 10:57 AM
Are you authenticating connections on the switch port using RADIUS? If so, this is pretty straightforward using RADIUS attributes.
Policy --> Policy Elements -> Results --> Authorization --> Authorization Profiles
Check VLAN under Common Tasks and include the VLAN number in the ID/Name field.
You should be able to use this in your authorization rules for the policy set after this. Of course, the switch needs to be configured to accept this attribute and shift the VLAN.
08-07-2018 11:07 AM
08-07-2018 11:15 AM - edited 08-07-2018 11:17 AM
Your post asked if there was any way to use ISE to accomplish this - sorry for the confusion. Other than configuring the voice vlan on the switchport, I'm not sure what else you could do to force the device into the correct vlan. You might find this post helpful however:
https://community.cisco.com/t5/switching/assign-vlan-based-on-mac/td-p/2622878
08-14-2018 01:02 PM
In your ISE Authorization Policy @ Policy > Policy Elements > Results > Authorization > Authorization Profiles you should have a default Cisco_IP_Phones profile included. If you edit it you will see the Voice Domain Permission which is the setting you want! If you scroll to the bottom and look at the Attribute Detail you will see checking that box corresponds to the RADIUS attribute
cisco-av-pair = device-traffic-class=voice
Whatever authorization policy you are assigning for these voice devices, be sure to check that box and that is how ISE tells the switch to put it in the Voice VLAN!
01-16-2024 07:39 AM
@thomas - How does the Switch know which VLAN on itself is the VOICE VLAN? Is this via the VLAN Name or some other attribute? The Checkbox within ISE is "voice domain permission" but I'm curious how the switch knows which specific VLAN that is defined on itself.
01-16-2024 08:10 AM
@Rob R. : This is an extremely old thread. I suggest asking a new question to the community.
02-02-2024 02:39 AM
It is the VLAN that is specified with the
switchport voice vlan
command under the interface configuration.