Cisco ISE + MAB + Voice VLAN - How does it work?

vsurresh
Level 1

I've been working with ISE for the past few years and am comfortable with most of the stuff. Yesterday, I was helping a friend with troubleshooting and I noticed something. The Catalyst switch has a voice VLAN command on the ports, and when someone connects an IP phone to it, it gets authenticated with ISE using MAB (the MAC address exists in the ISE database). ISE then sends an access-accept message alongside a dACL. There is nothing else in the Authorization Profile to indicate that this device belongs to the voice VLAN. How does the switch know and correctly assign it to the voice VLAN? I'm trying to figure out how this actually works without specific AV pairs. Meraki, for example, requires a specific AV pair to indicate that this device should be in the voice VLAN. Here is the sample switch port config. 

int Gi1/0/10
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 ip access-group ACL-D in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 device-tracking
Accepted Solution
thomas
Cisco Employee

 switchport voice vlan 20

is what tells the switch which VLAN to assign the phone.

You did not share your authorization profile but assuming you are using the default Cisco_IP_Phones authorization profile, the Common Tasks checkbox for Voice Domain Permission tells the switch to use the switchport voice vlan above.

[screenshot: thomas_0-1710458089211.png]

And if you want to know the actual RADIUS attribute that checkbox maps to, scroll to the bottom and see in the Attribute Details the Cisco Vendor Specific Attribute (VSA):

cisco-av-pair = device-traffic-class=voice
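As an added illustration (not code from this thread, from Cisco, or from ISE), the following Python encodes the rule thomas gives above so it can be checked against a port stanza and an authorization profile's attribute list: parse the interface configuration for the access and voice VLANs, parse the "Name = value" attribute lines an authorization profile returns, and derive which domain and VLAN the switch should apply. The two attribute listings are constructed for the example (one shaped like a profile with Voice Domain Permission ticked, one like the custom dACL-only profile the asker describes); the switch-side behaviour modelled is exactly the accepted answer's statement that `device-traffic-class=voice` selects the voice domain, not an independent specification of IOS behaviour.

```python
"""Model the voice-domain rule from the accepted answer.

Added example for this thread, not code from the post or from Cisco. It
parses an IOS access-port stanza and the attribute lines an ISE
authorization profile returns, then applies the rule thomas states:
cisco-av-pair=device-traffic-class=voice puts the endpoint in the voice
domain (so 'switchport voice vlan' applies); without it the endpoint is
treated as a data-domain host on the access VLAN.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The Cisco VSA that ISE's "Voice Domain Permission" common task emits.
VOICE_AV_PAIR = "device-traffic-class=voice"


@dataclass
class PortConfig:
    name: str = ""
    access_vlan: int | None = None
    voice_vlan: int | None = None
    host_mode: str | None = None
    mab: bool = False


def parse_switchport(config: str) -> PortConfig:
    """Extract VLAN and authentication settings from an interface stanza."""
    port = PortConfig()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"^int(?:erface)?\s+(\S+)$", line):
            port.name = m.group(1)
        elif m := re.match(r"^switchport access vlan (\d+)$", line):
            port.access_vlan = int(m.group(1))
        elif m := re.match(r"^switchport voice vlan (\d+)$", line):
            port.voice_vlan = int(m.group(1))
        elif m := re.match(r"^authentication host-mode (\S+)$", line):
            port.host_mode = m.group(1)
        elif line == "mab":
            port.mab = True
    return port


def parse_radius_attributes(text: str) -> dict[str, list[str]]:
    """Parse 'Name = value' lines (the ISE Attribute Details layout) into a
    multimap; cisco-av-pair legitimately repeats, so values are lists."""
    attrs: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        name, value = (p.strip() for p in line.split("=", 1))
        attrs.setdefault(name, []).append(value)
    return attrs


def grants_voice_domain(attrs: dict[str, list[str]]) -> bool:
    """True when the profile carries the Voice Domain Permission VSA."""
    return VOICE_AV_PAIR in attrs.get("cisco-av-pair", [])


def expected_assignment(port: PortConfig, attrs: dict[str, list[str]]) -> tuple[str, int | None]:
    """Return (domain, vlan) the switch should apply under the accepted answer's rule."""
    if grants_voice_domain(attrs):
        return "voice", port.voice_vlan
    return "data", port.access_vlan


def audit(port: PortConfig, attrs: dict[str, list[str]]) -> list[str]:
    """Flag the mismatches a phone-authorization review should catch."""
    findings: list[str] = []
    domain, vlan = expected_assignment(port, attrs)
    if domain == "voice" and port.voice_vlan is None:
        findings.append(f"{port.name}: profile grants voice domain but no 'switchport voice vlan' is configured")
    if domain == "data" and port.voice_vlan is not None:
        findings.append(f"{port.name}: voice VLAN {port.voice_vlan} configured, but profile lacks "
                        f"{VOICE_AV_PAIR}; endpoint lands on access VLAN {vlan}")
    if not port.mab:
        findings.append(f"{port.name}: 'mab' not enabled, phones without a dot1x supplicant cannot authenticate")
    return findings


# Port stanza from the question (relevant lines only).
SAMPLE_PORT = """
int Gi1/0/10
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 authentication host-mode multi-auth
 mab
"""

# Constructed attribute listings in the ISE Attribute Details layout: one
# shaped like a profile with Voice Domain Permission ticked, one like the
# custom dACL-only profile the asker describes. The dACL name is a placeholder.
PROFILE_WITH_VOICE = """
Access Type = ACCESS_ACCEPT
DACL = EXAMPLE-PHONE-DACL
cisco-av-pair = device-traffic-class=voice
"""
PROFILE_WITHOUT_VOICE = """
Access Type = ACCESS_ACCEPT
DACL = EXAMPLE-PHONE-DACL
"""

if __name__ == "__main__":
    port = parse_switchport(SAMPLE_PORT)
    for label, text in (("with Voice Domain Permission", PROFILE_WITH_VOICE),
                        ("without Voice Domain Permission", PROFILE_WITHOUT_VOICE)):
        attrs = parse_radius_attributes(text)
        print(label, expected_assignment(port, attrs), audit(port, attrs))
```

Running it against the thread's port shows the two outcomes the accepted answer implies: with the VSA the phone is placed on voice VLAN 20, without it the same port stanza yields the data domain and access VLAN 10, and `audit` reports the configured-but-unused voice VLAN, which is the mismatch to look for when a custom profile replaces Cisco_IP_Phones.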

3 Replies


Thank you for the response. It does use a different custom Auth Profile which doesn't have the 'Voice Domain Permission' ticked. The profile also doesn't have the av-pair you mentioned, hence my confusion. I triple-checked the logs and made sure the phone is indeed using that profile without any custom RADIUS attributes.

The last reply may not be so clear:
the Authorization profile has the voice domain option, not authentication.

MHM