Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7350
Views
0
Helpful
5
Replies

Cisco ISE+2960x+MAB+Avaya IP Phone

Go to solution
cyanesh
Level 1
Level 1

‎07-19-2017 12:30 PM - edited ‎03-11-2019 12:52 AM

Hello,

As the title suggests, I am using Cisco 2960X switches, using MAB standalone with Cisco ISE 2.2.  After some discussions with Cisco TAC, Was able to get a basic rule setup to do MAB with the switch, including accounting for using little 5 port switches on some ports(unfortunately).  Proceeding with testing the deployment, I am using voice VLAN with Avaya IP phones and LLDP.  This normally works perfectly.  I have included port config below as well as a show authentication sessions. Some specifices:

1. Looks like phones are getting voice VLAN because the display shows correct VLAN(110).  The DHCP times out.

2. Cisco ISE shows the session authenticated.

3. The switch shows the MAC for the phone (f836) as authenticated MAB, but in data VLAN.  

4. ISE picks the phone up as Avaya-Device.  Which I am thinking it's not passing the vendor specific attribute for voice-vlan and I can't seem to configure that manually for the profile.  

5.  Using multi-auth mode to specifically address the fact of multiple hosts in data VLAN.  Which seems to work fine.  In addition, when the phone doesn't pull a DHCP address, the PC connected behind it still works just fine. 

Talk about pulling hair out.  ISE has been a PITA so far.  Thanks for reading. 

show authenticated sessions:

Interface MAC Address Method Domain Status Fg Session ID
Gi5/0/1 484d.7ee3.cc00 N/A UNKNOWN Unauth 00000000000000E0A8E3511D
Gi5/0/1 c057.bc23.f836 mab DATA Auth 00000000000000E1A8E3E85D

interface settings:

interface GigabitEthernet5/0/1
switchport access vlan 55
switchport mode access
switchport nonegotiate
switchport voice vlan 110
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer restart 15
authentication timer inactivity 300
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust cos
macro description cisco-phone
auto qos trust
storm-control broadcast level 50.00 40.00
spanning-tree portfast edge
end

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
andrewswanson
Level 7
Level 7
In response to cyanesh

‎07-20-2017 04:06 AM

Hi
Do you have ISE configured to authorise your Avaya device as a voice device i.e. send the vsa cisco-av-pair = device-traffic-class=voice back to the authenticating switch?

You can check this under Policy > Authorization on ISE. If ISE is sending the voice vsa back to the switch and the phone still isn't being authorised in the voice domain, ensure you have the aaa command "aaa authorization network default group radius" on the switch.

As for profiling the Avaya device correctly as an Avaya phone, use ISE probes like RADIUS/DHCP and SNMP.

hth
Andy

View solution in original post

0 Helpful
5 Replies 5

Go to solution
andrewswanson
Level 7
Level 7

‎07-19-2017 01:51 PM

Hi

1 Can the phone get a dhcp lease without the dot1x configuration on the switchport?

2. if the device is showing as authenticated, ISE must have an authorization policy. If I remember correctly the ISE default is to "permit access" i.e. return an access-accept with no other attributes/vsa's to the authenticating switch

3 From the Cisco doc below:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_010000.html#ID398

multiple-authentication mode assigns authenticated devices to either a data or a voice VLAN, depending on the VSAs received from the authentication server.

What you are seeing (phone listed as being authorised in the "data" domain) is normal when in monitor mode as the RADIUS server should only be sending an access-accept or access-reject with no other attributes/vsa's.

4 ISE 2.2 has 2 avaya profiling policies - 1 for avaya devices (based on oui) and 1 for avaya phone (based on dhcp attribute). For ISE to get the dhcp attribute you can configure the ISE DHCP probe by setting ISE as a helper-address on your voice vlan svi (alternatively you can use device-sensor on the switch to pass the phone's dhcp attribute to ISE in accounting packets once the device is authorised).

5 I think what you are seeing is normal behaviour for multi-auth in monitor mode with the exception of the phone not getting dhcp. If the phone is learning the voice vlan ok with lldp, troubleshoot why its not getting a dhcp lease.

hth
Andy

0 Helpful

Go to solution
cyanesh
Level 1
Level 1
In response to andrewswanson

‎07-19-2017 02:39 PM

Andy,

The phone works just fine with DHCP normally.  Right now I have the authentication open on the port, so ISE still sees all the authentication requests and the port is always authenticated.  In that mode, the phone works just fine.  ISE is pulling the authorization policy I set, so it isn't hitting the default(which is set to deny).  However, I still see on the switch, the domain is DATA and not voice.  I have read at least one thread about Avaya phones not getting the correct vendor attribute and therefore trying to pull a lease from the data VLAN and not the voice VLAN.  I have seen the Avaya policies.  I tried to set the policy statically for IP phone.  Would that not pass back the correct attributes?  Is there a way to make a custom profile, that forces the vendor attribute and voice vlan setting for the MAC?  I think I have read all the Cisco doc's for 802.1x/MAB.  I will go through the one you have linked to make sure I didn't miss anything.  I could add the ISE IP as a helper addr.  on the SVI.  Is that the industry standard for IP telephony with MAB/ISE?   I will have to look into the device sensor more, I don't remember reading anything about that.  

Thanks for your info.  

0 Helpful

Go to solution
andrewswanson
Level 7
Level 7
In response to cyanesh

‎07-20-2017 04:06 AM

Hi
Do you have ISE configured to authorise your Avaya device as a voice device i.e. send the vsa cisco-av-pair = device-traffic-class=voice back to the authenticating switch?

You can check this under Policy > Authorization on ISE. If ISE is sending the voice vsa back to the switch and the phone still isn't being authorised in the voice domain, ensure you have the aaa command "aaa authorization network default group radius" on the switch.

As for profiling the Avaya device correctly as an Avaya phone, use ISE probes like RADIUS/DHCP and SNMP.

hth
Andy

0 Helpful

Go to solution
cyanesh
Level 1
Level 1
In response to andrewswanson

‎07-20-2017 06:09 AM

Andy,

I created a separate endpoint group for the Avaya phones to be placed into.  Then created a rule for that to hit first and pass the attribute as you suggested.  That seemed to be the magic.  The phones are now classified on the VOICE domain and PC is on DATA.  Thanks for the info.

Chris

0 Helpful

Go to solution
andrewswanson
Level 7
Level 7
In response to cyanesh

‎07-20-2017 06:37 AM

Glad you got it working Chris

cheers

Andy

0 Helpful
Customers Also Viewed These Support Documents