Cisco IP-Phone and ISE

milton oliveira vieira · ‎08-06-2013

Hi everyone.

I'm implemeinting ISE and the customer has Cisco IP-Phone.

I'd like to know if I need to put all the cisco phone mac address inside the ISE (making a MAB) or there is a way, for example creating an Authorization Profile that match Cisco IP Phone and automatically the phone has access to the network.

Thank you!

David Pease · ‎08-06-2013

Milton,

We currently are using quite a few models of Cisco IP Phones within our ISE deployment. ISE utilizes CDP which should recognize the phones as being Cisco IP Phones, and place them in that Profile. You can create a DACL to assign to the Cisco Phones Profile automatically, so when one is plugged in, it has exactly the access you desire.

Under Policy Elements, Results, Authorization, then Authorization Profiles, you can see the list of created Profiles, and assign the access in there.

I hope this helps.

milton oliveira vieira · ‎08-06-2013

Hi David.

I have created an Authorization Profile as below:

Authz_Cisco_IP_Phones

Access Type = ACCESS_ACCEPT

DACL = PERMIT_ALL_TRAFFIC

cisco-av-pair = device-traffic-class=voice

The Policy Authorization I have created as below:

AuthP-Cisco-Phone

If Cisco-IP-Phone then Authz_Cisco_IP_Phones

The Cisco-IP-Phone I can see in "EndPoint Identity Group --> Profiled"

But even with this configuration, the telefone goes to the last Policy Authorization that I have a CWA.

If you have any link about this case, please let me know.

Thank you in advance.

blenka · ‎08-07-2013

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_sw_cnfg.html

need to check with the steps and may help to address the issue.