Hello everyone,
We have a situation where a device is connecting to the network and is unable to tell the switch it should be on the voice vlan, when it should be. Does anyone know if there is a way to tell the switch via ISE that this interface should be set to the voice vlan only?
We enabled the voice permission option on the auth results, and what this does is place the device's MAC in both the data and voice domain; however, the client stays on the data domain and does not grab a new address on the voice domain.
interface GigabitEthernet0/9
 switchport access vlan 2160
 switchport mode access
 switchport voice vlan 2161 <-- Want the device to only access voice vlan, not access vlan

Vlan    Mac Address       Type      Ports
----    -----------       --------  -----
2160    7845.0101.1635    STATIC    Gi0/9 <-- Want this to disappear, keeping the device on vlan 2161 only
2161    7845.0101.1635    STATIC    Gi0/9
Total Mac Addresses for this criterion: 2
Thanks in advance!
In your ISE Authorization Policy @ Policy > Policy Elements > Results > Authorization > Authorization Profiles you should have a default Cisco_IP_Phones profile included. If you edit it you will see the Voice Domain Permission which is the setting you want! If you scroll to the bottom and look at the Attribute Detail you will see checking that box corresponds to the RADIUS attribute
cisco-av-pair = device-traffic-class=voice
Whatever authorization policy you are assigning for these voice devices, be sure to check that box and that is how ISE tells the switch to put it in the Voice VLAN!
Are you authenticating connections on the switch port using RADIUS? If so, this is pretty straightforward using RADIUS attributes.
Policy --> Policy Elements -> Results --> Authorization --> Authorization Profiles
Check VLAN under Common Tasks and include the VLAN number in the ID/Name field.
You should be able to use this in your authorization rules for the policy set after this. Of course, the switch needs to be configured to accept this attribute and shift the VLAN.
Your post asked if there was any way to use ISE to accomplish this - sorry for the confusion. Other than configuring the voice vlan on the switchport, I'm not sure what else you could do to force the device into the correct vlan. You might find this post helpful however:
https://community.cisco.com/t5/switching/assign-vlan-based-on-mac/td-p/2622878
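A check for the symptom described in the original post, added here as an example and not part of the thread: it reads the interface stanza and the MAC address table and labels each MAC as sitting in the voice VLAN only, the data VLAN only, or both. The function names are hypothetical, and the sample input is constructed from the values quoted in the thread, assuming the table columns are laid out as shown there.

```python
import re

# Constructed sample input, built from the values quoted in the thread.
INTERFACE_CONFIG = """\
interface GigabitEthernet0/9
 switchport access vlan 2160
 switchport mode access
 switchport voice vlan 2161
"""
MAC_TABLE = """\
Vlan    Mac Address       Type      Ports
----    -----------       --------  -----
2160    7845.0101.1635    STATIC    Gi0/9
2161    7845.0101.1635    STATIC    Gi0/9
Total Mac Addresses for this criterion: 2
"""

ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)

def port_vlans(config):
    """Return (access_vlan, voice_vlan) from one interface stanza; None if unset."""
    def find(kind):
        m = re.search(rf"^\s*switchport {kind} vlan (\d+)\s*$", config, re.M)
        return int(m.group(1)) if m else None
    return find("access"), find("voice")

def mac_vlans(table):
    """Map each MAC address to the set of VLANs it is listed in."""
    seen = {}
    for line in table.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and total lines do not match
            seen.setdefault(m.group(2).lower(), set()).add(int(m.group(1)))
    return seen

def classify(config, table):
    """Label each MAC on the port: voice-only, data-only, both, or other."""
    access, voice = port_vlans(config)
    labels = {}
    for mac, vlans in mac_vlans(table).items():
        in_data, in_voice = access in vlans, voice in vlans
        if in_data and in_voice:
            labels[mac] = "both"
        elif in_voice:
            labels[mac] = "voice-only"
        elif in_data:
            labels[mac] = "data-only"
        else:
            labels[mac] = "other"
    return labels
```

For the sample input, `classify(INTERFACE_CONFIG, MAC_TABLE)` reports the MAC as "both", which is the state the original poster describes; "voice-only" is the state they are asking for.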