03-14-2024 04:05 PM
I've been working with ISE for the past few years and am comfortable with most of the stuff. Yesterday, I was helping a friend with troubleshooting and I noticed something. The Catalyst switch has a voice VLAN command on the ports, and when someone connects an IP phone to it, it gets authenticated with ISE using MAB (the MAC address exists in the ISE database). ISE then sends an access-accept message alongside a dACL. There is nothing else in the Authorization Profile to indicate that this device belongs to the voice VLAN. How does the switch know and correctly assign it to the voice VLAN? I'm trying to figure out how this actually works without specific AV pairs. Meraki, for example, requires a specific AV pair to indicate that this device should be in the voice VLAN. Here is the sample switch port config.
int Gi1/0/10
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 ip access-group ACL-D in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 device-tracking
03-14-2024 04:17 PM - edited 03-14-2024 04:18 PM
"switchport voice vlan 20" is what tells the switch which VLAN to assign the phone.
You did not share your authorization profile but assuming you are using the default Cisco_IP_Phones authorization profile, the Common Tasks checkbox for Voice Domain Permission tells the switch to use the switchport voice vlan above.
And if you want to know the actual RADIUS attribute that checkbox maps to, scroll to the bottom and see in the Attribute Details the Cisco Vendor Specific Attribute (VSA):
cisco-av-pair = device-traffic-class=voice
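The answer above names the attribute that the "Voice Domain Permission" checkbox puts into the Access-Accept. The following is an added example, not code from the thread or from Cisco: it encodes and decodes that attribute at the RADIUS wire level (RFC 2865 Vendor-Specific attribute 26, Cisco vendor ID 9, cisco-av-pair vendor-type 1), builds an Access-Accept with a valid Response Authenticator, and checks a packet for the voice-domain permission, which is the check you would run against a capture when the switch is not placing a phone in the voice VLAN. The shared secret, request authenticator and dACL name are constructed values; the "#ACSACL#" string only mimics the ISE dACL reference format and is not a real policy.

```python
"""Added example: RADIUS Access-Accept with the Cisco voice-domain VSA.
Not from the thread; secret, authenticator and dACL name are made up."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1              # vendor-type of "cisco-av-pair" under vendor 9
VOICE_DOMAIN = "device-traffic-class=voice"


def encode_cisco_avpair(value: str) -> bytes:
    """Wrap one cisco-av-pair string in an RFC 2865 Vendor-Specific attribute:
    [26][len][vendor-id=9][vendor-type=1][vendor-len][string]."""
    raw = value.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(raw)) + raw
    payload = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    if 2 + len(payload) > 255:
        raise ValueError("value does not fit in a single RADIUS attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(payload)) + payload


def parse_attributes(data: bytes) -> list:
    """Walk the attribute list. Vendor-Specific attributes come back as
    (26, (vendor_id, vendor_type, value)), everything else as (type, value).
    Every length field is checked so a malformed packet raises instead of
    being silently mis-parsed."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("Vendor-Specific attribute too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                out.append((atype, (vendor_id, vtype, value[j + 2:j + vlen])))
                j += vlen
        else:
            out.append((atype, value))
        i += alen
    return out


def cisco_avpairs(attrs: list) -> list:
    """All cisco-av-pair strings carried in a parsed attribute list."""
    return [v[2].decode() for t, v in attrs
            if t == ATTR_VENDOR_SPECIFIC and v[0] == CISCO_VENDOR_ID and v[1] == CISCO_AVPAIR]


def voice_domain_granted(attrs: list) -> bool:
    """True when the Access-Accept carries the attribute that the ISE
    'Voice Domain Permission' checkbox maps to."""
    return VOICE_DOMAIN in cisco_avpairs(attrs)


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept whose Response Authenticator is, per RFC 2865,
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator. A NAS that skipped this check
    would accept a forged Access-Accept from anyone who can reach it."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, sent_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(sent_auth, expected)


# Constructed inputs (assumptions, not captured from ISE).
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
DACL_REF = "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-EXAMPLE-DACL-deadbeef"


def phone_accept_with_voice() -> bytes:
    """What ISE sends when the profile has Voice Domain Permission ticked."""
    attrs = encode_cisco_avpair(DACL_REF) + encode_cisco_avpair(VOICE_DOMAIN)
    return build_access_accept(7, REQ_AUTH, SECRET, attrs)


def phone_accept_data_only() -> bytes:
    """Same profile with only the dACL: no voice-domain attribute at all."""
    return build_access_accept(8, REQ_AUTH, SECRET, encode_cisco_avpair(DACL_REF))


if __name__ == "__main__":
    for name, pkt in (("voice", phone_accept_with_voice()), ("data-only", phone_accept_data_only())):
        attrs = parse_attributes(pkt[20:])
        print(name, "authenticator ok:", verify_response(pkt, REQ_AUTH, SECRET),
              "voice domain:", voice_domain_granted(attrs), cisco_avpairs(attrs))
```

To apply this to a real case, export the Access-Accept bytes from a capture taken between the switch and ISE and feed `packet[20:]` to `parse_attributes`; if `voice_domain_granted` is False, the switch was never told to use the voice domain, whatever `switchport voice vlan` says on the port.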
03-14-2024 04:21 PM
Thank you for the response. It does use a different custom Auth Profile which doesn't have the 'Voice Domain Permission' ticked. The profile also doesn't have the av-pair you mentioned, hence my confusion. I triple-checked the logs and made sure the phone is indeed using that profile without any custom RADIUS attributes.
03-16-2024 10:34 AM - edited 03-17-2024 05:51 AM
The last reply was maybe not so clear:
the Authorization profile has the voice domain option, not the Authentication one.
MHM