08-06-2013 06:27 AM - edited 03-10-2019 08:44 PM
Hi everyone.
I'm implemeinting ISE and the customer has Cisco IP-Phone.
I'd like to know if I need to put all the cisco phone mac address inside the ISE (making a MAB) or there is a way, for example creating an Authorization Profile that match Cisco IP Phone and automatically the phone has access to the network.
Thank you!
08-06-2013 07:13 AM
Milton,
We currently are using quite a few models of Cisco IP Phones within our ISE deployment. ISE utilizes CDP which should recognize the phones as being Cisco IP Phones, and place them in that Profile. You can create a DACL to assign to the Cisco Phones Profile automatically, so when one is plugged in, it has exactly the access you desire.
Under Policy Elements, Results, Authorization, then Authorization Profiles, you can see the list of created Profiles, and assign the access in there.
I hope this helps.
08-06-2013 08:23 AM
Hi David.
I have created an Authorization Profile as below:
Authz_Cisco_IP_Phones
Access Type = ACCESS_ACCEPT
DACL = PERMIT_ALL_TRAFFIC
cisco-av-pair = device-traffic-class=voice
The Policy Authorization I have created as below:
AuthP-Cisco-Phone
If Cisco-IP-Phone then Authz_Cisco_IP_Phones
The Cisco-IP-Phone I can see in "EndPoint Identity Group --> Profiled"
But even with this configuration, the telefone goes to the last Policy Authorization that I have a CWA.
If you have any link about this case, please let me know.
Thank you in advance.
08-07-2013 06:59 PM
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_sw_cnfg.html
need to check with the steps and may help to address the issue.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide