10-20-2020 10:09 PM
I have the following setting at the Switch port.
ip access-group ACL_DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 100
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 2
mab
The problem is that sometimes the Cisco IP phone's authentication cannot get the Voice domain and becomes the Data domain.
The temporary workaround is that I need to shutdown and no shutdown the port a few times.
My switch is WS-C2960XR-48LPD-I (ver 15.2(2)E7)
11-02-2020 09:12 PM
Call TAC.
It is hard to know why this is happening without more information, such as which authorization profile ISE applied when the phone failed to go into the Voice Domain. You need to include the ISE authentication details in future requests. This might show that ISE did the correct assignment, so the problem may be with the switch or phone.
Additional answers that would help are:
10-20-2020 10:14 PM
Kelvin,
If you are pushing the voice VLAN and voice domain permission (cisco-av-pair = device-traffic-class=voice) from the AAA server, so that the switch can understand that this device needs to go in the voice domain.
10-20-2020 10:25 PM
Hi,
Thank you for your reply.
My office uses ISE to do authentication.
The problem I face is the Cisco iPhone normally can get the Voice domain,
but sometimes.
May I know how to troubleshoot this? Or is there any way to solve this?
Yesterday I had 10 units of iPhone with this problem.
10-20-2020 10:39 PM
11-12-2020 07:03 PM
Sorry for the late response.
After checking the ISE matrix, I upgraded the switch firmware to 15.2(2)E9 first and am monitoring it first.
10-20-2020 10:33 PM
10-20-2020 11:02 PM
Yes, the Voice domain is already selected in ISE.
Do you have the URL for Cisco compatibility matrix?
10-20-2020 11:16 PM
10-20-2020 11:53 PM
I read from the above link that Mr Craig Hyps said that "there are reported cases where phone is stuck in data domain".
I think it is similar to my problem.
Do you have any solution to solve this besides shutdown & no shutdown the port?
10-22-2020 02:35 PM
Check if you have the necessary
aaa authorization network default group <RADIUS-GROUP>
command.
10-23-2020 12:09 AM
Hi Peter,
I have configured the following on each switch:
aaa group server radius ise-group
server name pfpt-cisco-ise1
server name pfsg-cisco-ise1
server name pfde-cisco-ise2
deadtime 15
aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting update newinfo periodic 2880
aaa accounting system default start-stop group ise-group
10-27-2020 12:59 AM
Hi
Can you provide a packet capture that includes the ISE RADIUS reply to the switch?
You can perform such a capture from ISE under Operations -> Troubleshoot -> TCP Dump
Use filter ip host <NAD/switch IP>
If you can see the reply there including the voice VLAN assignment, then I suggest opening a TAC case.
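The check suggested in the post above, as an added example that is not part of the original thread: a small parser that reads one RADIUS packet payload (the UDP payload exported from the capture) and reports whether it is an Access-Accept carrying the Cisco VSA `cisco-av-pair = device-traffic-class=voice`. The function names and the sample packets are constructed for illustration; the sample authenticator is zeroed and is not validated.

```python
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26     # RADIUS attribute type (RFC 2865)
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # Cisco vendor sub-type carrying "name=value" strings
VOICE_AVPAIR = "device-traffic-class=voice"


def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value


def build_sample_accept(avpairs, code=ACCESS_ACCEPT):
    """Constructed sample packet (zeroed authenticator) so the example runs offline."""
    attrs = b""
    for pair in avpairs:
        data = pair.encode()
        vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data
        attrs += _attr(VENDOR_SPECIFIC, vsa)
    return struct.pack("!BBH16s", code, 1, 20 + len(attrs), bytes(16)) + attrs


def cisco_avpairs(packet):
    """Return (code, [cisco-av-pair strings]) from one RADIUS packet payload."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pairs, pos = [], 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and v_type == CISCO_AVPAIR and 2 <= v_len <= len(value) - 4:
                pairs.append(value[6:4 + v_len].decode("utf-8", "replace"))
        pos += a_len
    return code, pairs


def grants_voice_domain(packet):
    """True only for an Access-Accept that carries the voice-domain av-pair."""
    code, pairs = cisco_avpairs(packet)
    return code == ACCESS_ACCEPT and VOICE_AVPAIR in pairs
```

If this returns True for the reply sent to a phone that still landed in the Data domain, the assignment left ISE correctly and the investigation moves to the switch or phone.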
10-28-2020 02:48 AM
If this issue happens sporadically, I would think the switch might be hitting a bug. I would search for any reported bug for this behaviour:
https://www.cisco.com/c/en/us/support/web/tools/bst/bsthelp/index.html