Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

4585
Views
15
Helpful
4
Replies
JHarris6117
Beginner
Beginner
‎08-07-2018 10:16 AM
‎08-07-2018 10:16 AM

Can you use ISE to force a device to Voice Vlan

Hello everyone,

 

We have a situation where a device is connecting to the network and is unable to tell the switch it should be on the voice vlan, when it should be.  Does anyone know if there is a way to tell the switch via ISE that this interface should be set to the voice vlan only?

 

We enabled the voice permission option on the auth results, and what this does is place the devices mac in both the data and voice domain, however the client stays on the data domain and does not grab a new address on the voice domain.

 

interface GigabitEthernet0/9
switchport access vlan 2160
switchport mode access
switchport voice vlan 2161 <-- Want the device to only access voice vlan, not access vlan

 

Vlan Mac Address Type Ports
---- ----------- -------- -----
2160 7845.0101.1635 STATIC Gi0/9 <-- Want this to disapear, keeping the device on vlan 2161 only
2161 7845.0101.1635 STATIC Gi0/9 
Total Mac Addresses for this criterion: 2

 

Thanks in advance!

 

1 ACCEPTED SOLUTION

Accepted Solutions
thomas
Cisco Employee
Cisco Employee
‎08-14-2018 01:02 PM
‎08-14-2018 01:02 PM

In your ISE Authorization Policy @ Policy > Policy Elements > Results > Authorization > Authorization Profiles you should have a default Cisco_IP_Phones profile included. If you edit it you will see the Voice Domain Permission which is the setting you want! If you scroll to the bottom and look at the Attribute Detail you will see checking that box corresponds to the RADIUS attribute

cisco-av-pair = device-traffic-class=voice

 

Whatever authorization policy you are assigning for these voice devices, be sure to check that box and that is how ISE tells the switch to put it in the Voice VLAN!

 

View solution in original post

4 REPLIES 4
Christopher Bell
Enthusiast
Enthusiast
‎08-07-2018 10:57 AM
‎08-07-2018 10:57 AM

Are you authenticating connections on the switch port using RADIUS?  If so, this is pretty straight forward using RADIUS attributes. 

 

Policy --> Policy Elements -> Results --> Authorization --> Authorization Profiles

Check VLAN under Common Tasks and include the VLAN number in the ID/Name field. 

 

You should be able to use this in your authorization rules for the the policy set after this.  Of course, the switch needs to be configured to accept this attribute and shift the VLAN. 

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
0 Helpful
JHarris6117
Beginner
Beginner
In response to Christopher Bell
‎08-07-2018 11:07 AM
‎08-07-2018 11:07 AM

Chris,

Thanks for the response.. I'd like to accomplish this without needing to put a vlan number in the ISE configuration. We have 40 + IDF's each with different voice vlans,, you could imagine the number of results / profiles would be pretty large. Is there any way to tell the switch port to force this device to the voice vlan thats already configured, and not use the data (access) Vlan?

Thanks,
0 Helpful
Christopher Bell
Enthusiast
Enthusiast
In response to JHarris6117
‎08-07-2018 11:15 AM
‎08-07-2018 11:15 AM

Your post asked if there was anyway to use ISE to accomplish this - sorry for the confusion. Other than configuring the voice vlan on the switchport, I'm not sure what else you could do to force the device into the correct vlan.  You might find this post helpful however:

https://community.cisco.com/t5/switching/assign-vlan-based-on-mac/td-p/2622878

 

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
0 Helpful
thomas
Cisco Employee
Cisco Employee
‎08-14-2018 01:02 PM
‎08-14-2018 01:02 PM

In your ISE Authorization Policy @ Policy > Policy Elements > Results > Authorization > Authorization Profiles you should have a default Cisco_IP_Phones profile included. If you edit it you will see the Voice Domain Permission which is the setting you want! If you scroll to the bottom and look at the Attribute Detail you will see checking that box corresponds to the RADIUS attribute

cisco-av-pair = device-traffic-class=voice

 

Whatever authorization policy you are assigning for these voice devices, be sure to check that box and that is how ISE tells the switch to put it in the Voice VLAN!

 

Latest Contents
Earn $100! Interview with Cisco on Network Risk, Compliance ...
Created by S Nath on 06-27-2022 01:56 PM
0
0
0
0
Are you responsible for risk management, compliance management and auditing of a network?    If so, we’d like to speak with you to learn your current processes of enforcing compliance and managing risk to help us develop services that will ... view more
Converting Cisco Secure Endpoint Connectors from Audit to Pr...
Created by Sohaib Ahmed on 06-23-2022 05:19 PM
0
0
0
0
Once you've expanded Cisco Secure Endpoint connector deployment to about 50% of your licensed count (check out this article that shows you how to do that), it's time to put those connectors to action i.e. convert them to Protect from Audit mode for vari... view more
🧦💚 Tell us about your ZTNA journey in exchange for a pair ...
Created by betswang on 06-23-2022 03:05 PM
0
15
0
15
  Hello! I’m Betsy, UX Researcher, on the Cisco+ Secure Connect Now team. Nice to meet you all .We have a short survey to learn about your Zero Trust Network Access (ZTNA) journey. Whether you have, plan to, or have not implemented a ... view more
Cisco ASA Access-list ACL using network object
Created by Meddane on 06-23-2022 06:59 AM
0
0
0
0
  A set of interface access rules can cause the Cisco Adaptive Security Appliance to permit or deny a designated host to access another particular host with a specific network application (service). When there is only one client, one host and one se... view more
How To: Cisco ISE Captive Portals with Aruba Wireless
Created by ahollifield on 06-22-2022 06:23 PM
4
10
4
10
How To: Cisco ISE Captive Portals with Aruba Wireless Authors: Adam Hollifield, Brad Johnson IntroductionPrerequisitesMinimum RequirementsComponents UsedConfigurationAruba Wireless ControllerWLAN CreationAuthentication ConfigurationRole & Policy Confi... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube