Cisco ISE not authenticating printers and Cisco phones

Blessed (Level 1)

Hi guys, I am planning to implement NAC on my network and I am facing the following issues:

1. The Cisco phones are stuck on configuring IP.

2. The printers are being blocked.

3. Devices not connected to the domain are able to access the network, yet they should be blocked.

Below are the commands I am using:

switchport access vlan 30
switchport mode access
switchport voice vlan 2
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
spanning-tree portfast

Kindly help me see what I am missing or doing wrong.

Accepted Solution


@Blessed wrote:
Hi MHM, thank you so much for the reply. Below is the output of show auth session for the phone and printer:

**For the Phone**

Interface  MAC Address     Method  Domain  Status  Fg  Session ID
--------------------------------------------------------------------------
Gi1/0/25   38ed.18e9.f8f4  mab     DATA    Auth        0A0F0003000032E46C8EEAB2

**For the Printer**

Interface  MAC Address     Method  Domain  Status  Fg  Session ID
--------------------------------------------------------------------------
Gi1/0/42   48ba.4edc.4459  mab     DATA    Auth        0A0F000400000BA86CB5CC98



That explains all the issues.

You must configure ISE to push the voice domain to the phone.

Here ISE pushes data, and you use multi-domain, i.e. one data and one voice; this makes both not work.

The phone gets data.

The printer cannot work since data allows only one device.

MHM
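To make the accepted solution checkable, here is an added example script (not from the thread or from Cisco) that parses show authentication sessions output like the one posted above, flags a known phone MAC that landed in the DATA domain and any multi-domain port carrying more than one DATA session, and maps an ISE Access-Accept's cisco-av-pair values to the domain the switch should assign. The sample output and the phone MAC set are constructed from the thread; the device-traffic-class=voice attribute is what the Voice Domain Permission option sends and is an assumption, since the thread does not show it.

```python
import re

# Constructed sample of `show authentication sessions`, modelled on the two
# sessions posted in the thread (phone on Gi1/0/25, printer on Gi1/0/42).
SAMPLE = """\
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
--------------------------------------------------------------------------
Gi1/0/25   38ed.18e9.f8f4  mab     DATA    Auth        0A0F0003000032E46C8EEAB2
Gi1/0/42   48ba.4edc.4459  mab     DATA    Auth        0A0F000400000BA86CB5CC98
"""

# interface, dotted-hex MAC, method, domain, status; the Fg column may be empty
ROW = re.compile(
    r"^(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)", re.I
)


def parse_sessions(text):
    """Return one dict per session row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            iface, mac, method, domain, status = m.groups()
            rows.append({"iface": iface, "mac": mac.lower(), "method": method.lower(),
                         "domain": domain.upper(), "status": status})
    return rows


def check_mda(sessions, phone_macs):
    """Findings for multi-domain (MDA) ports: a known phone authorized into DATA
    (the ISE profile lacks voice domain permission), or more than one DATA
    session on a port (MDA allows exactly one data device)."""
    findings, per_port = [], {}
    for s in sessions:
        per_port.setdefault(s["iface"], []).append(s)
        if s["mac"] in phone_macs and s["domain"] != "VOICE":
            findings.append((s["iface"], "phone in DATA domain; add voice domain permission to its ISE authorization profile"))
    for iface, rows in per_port.items():
        n_data = sum(1 for r in rows if r["domain"] == "DATA")
        if n_data > 1:
            findings.append((iface, f"{n_data} DATA sessions on an MDA port; only one is allowed"))
    return findings


def expected_domain(access_accept_avpairs):
    """Domain the switch should assign from the cisco-av-pair values in the ISE
    Access-Accept (assumption: Voice Domain Permission sends device-traffic-class=voice)."""
    return "VOICE" if "device-traffic-class=voice" in access_accept_avpairs else "DATA"
```

Compare the output of expected_domain() on the av-pairs shown in the ISE RADIUS live log against the Domain column from the switch to see which side disagrees.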

8 Replies

There are three devices.

Let's start with the VoIP phone.

Share show auth session when you connect the phone, and later when you connect the printer.

Also share show aaa server.

MHM

Hi MHM, thank you so much for the reply. Below is the output of show auth session for the phone and printer:

**For the Phone**

Interface  MAC Address     Method  Domain  Status  Fg  Session ID
--------------------------------------------------------------------------
Gi1/0/25   38ed.18e9.f8f4  mab     DATA    Auth        0A0F0003000032E46C8EEAB2

**For the Printer**

Interface  MAC Address     Method  Domain  Status  Fg  Session ID
--------------------------------------------------------------------------
Gi1/0/42   48ba.4edc.4459  mab     DATA    Auth        0A0F000400000BA86CB5CC98



Sorry, I checked: the port is not the same, i.e. the printer is not connected to the phone?

If yes, then the printer gets auth and authz with data, but which VLAN does it use?

Can you share show auth session details?

Thanks 

MHM

Dear MHM,

The printer is not connected through the phone; the phone and printer are connected independently.

Check above.

MHM

balaji.bandi (Hall of Fame)

You need to give more information:

1. ISE version

2. What model of switch, and which IOS code is it running?

3. How is your AAA configured?

4. Is the device added to ISE?

5. Is the device able to see ISE?

6. Do you see any logs in ISE?

7. Where is your DHCP server? Do you have a helper address configured?

Follow the guides below and verify the configuration (make changes accordingly and do the troubleshooting):

https://community.cisco.com/t5/security-knowledge-base/how-to-configure-wired-802-1x-amp-mab-authentication-with-ise-on/ta-p/3657380

https://www.youtube.com/watch?v=IzUpgL-zPVE

https://www.youtube.com/watch?v=PRlLDhbljIE

BB


From the shared output, the printer seems to have gone through authentication and authorization correctly, so it should work. What do you see in the ISE RADIUS live logs for the printer session?

Regarding the phone, as @MHM Cisco World mentioned, you should configure the phone's authorization profile on ISE with the voice domain option in the Common Tasks list; I think it is called "Voice Domain Permission" or something similar.

For the devices that are not connected to the domain but seem to have access to the network, maybe they are hitting the default authorization rule on ISE, which is allowing access.