Cisco IP phone cannot get Voice domain

kelvintan73
Level 1

I have the following setting at the Switch port.

ip access-group ACL_DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 100
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 2
mab

 

The problem is that sometimes the Cisco IP phone's authentication cannot get the Voice domain and ends up in the Data domain.

The temporary workaround is that I need to shutdown and no shutdown the port a few times.

My switch is WS-C2960XR-48LPD-I (ver 15.2(2)E7).

 

 

Accepted Solutions

Call TAC.

It is hard to know why this is happening without more information such as what authorization profile did ISE apply when the phone failed to go into the Voice Domain. You need to include the ISE authentication details in future requests. This might show that ISE did the correct assignment so the problem may be with the switch or phone.

Additional answers that would help are:

  • does this happen only for 2960 switches?
  • only switches with 15.2(2)E7?
  • are the 10 IP phones the same as all other phones or a different vendor/model/firmware?

13 Replies

poongarg
Cisco Employee

Kelvin,

 

If you are pushing the voice VLAN and voice domain permission (cisco-av-pair = device-traffic-class=voice) from the AAA server, so that the switch can understand that this device needs to go in the voice domain.

Hi,

Thank you for your reply.

My office uses ISE to do authentication.

 

The problem I face is that the Cisco IP phone normally can get the Voice domain,

but sometimes. 

May I know how to troubleshoot this? Or any way to solve this 

Yesterday I had 10 IP phones with this problem.

Check Cisco compatibility matrix to see if you are running tested version
of IOS with ISE. I faced something similar on 4500 which got fixed after
IOS upgrade.


**** please remember to rate useful posts

Sorry for the late response.

After checking the ISE matrix, I upgraded the switch firmware to 15.2(2)E9 first and am monitoring.

Hi,

You need to select voice domain from your authorization profile in ISE. Is
that done?

***** please remember to rate useful posts

Yes, in ISE already select the Voice domain.

 

Do you have the URL for Cisco compatibility matrix?

Hi,

Use this link and select the one according to your ISE version.

https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html

*** please remember to rate useful posts

https://community.cisco.com/t5/network-access-control/voice-domain-behavior-confirming-behavior/m-p/3689656

I read from the above link that Mr Craig Hyps said that "there are reported cases where phone is stuck in data domain".

I think it is similar to my problem.

Do you have any solution to solve this besides shutdown and no shutdown of the port?

Peter Koltl
Level 7

Check if you have the necessary 

aaa authorization network default group <RADIUS-GROUP>

command.

Hi Peter,

 

I have configured the following on each switch:

aaa group server radius ise-group
 server name pfpt-cisco-ise1
 server name pfsg-cisco-ise1
 server name pfde-cisco-ise2
 deadtime 15

aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting update newinfo periodic 2880
aaa accounting system default start-stop group ise-group

Panos Bouras
Level 1

Hi

 

Can you provide a packet capture that includes the ISE RADIUS reply to the switch?

You can perform such a capture from ISE under Operations -> Troubleshoot -> TCP Dump

Use filter ip host <NAD/switch IP>

If you can see the reply there including the voice VLAN assignment, then I suggest opening a TAC case.

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

If this issue happens sporadically, I would think the switch might be hitting a bug. I would search whether there is any reported bug for this behaviour:

https://www.cisco.com/c/en/us/support/web/tools/bst/bsthelp/index.html