Cisco ISE PC behind the phone issue

Ditter
Level 3

Dear All,

I am facing the following issue:

I have a Cisco 7841 IP phone and I am using its built-in switch port to connect the user PC behind the phone.

I need to execute MAB (not 802.1X) through ISE, but only for the phone and not for the PC (I need the PC to connect freely to the DHCP VLAN).

So I thought that if I used the switch command "authentication host-mode multi-host", the phone could get authorized through ISE and MAB, and then the PC could connect without needing to pass the authentication/authorization process.

When I have the command "authentication host-mode multi-domain", the phone gets authorized by ISE but the PC does not get authorized (I suppose it has to do with the ISE configuration), but the problem is that, as I mentioned, I prefer this PC to connect without passing any MAB process.

Any ideas how to do this?

The switch config is as follows:


interface GigabitEthernet4/23
 switchport access vlan XXX  <--- DHCP VLAN
 switchport mode access
 switchport voice vlan VVV  <-- Voice VLAN
 no logging event link-status
 authentication host-mode multi-domain
 authentication order mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end

 

Thank you,

Ditter.


12 Replies

Tmsna
Level 1

Hi Ditter,

I think that once you configure a port to authenticate the endpoints, there is no way to authenticate just the phone and not the PC.

But I'm ready to be corrected if I'm wrong.

Regards,

Tmsna

Thanks for your answer.

As I look at it now, I also think the same as you.

What I did a little while ago (after having posted this thread), in order to have the PC also authenticate through MAB, was to let the PC be authorized by the last rule in the authorization tree, which is permit access. So now the phone is authorized by MAB and the PC behind the phone is authorized by the default permit.

pan
Cisco Employee

Following is the explanation of multi-host and multi-domain:

multi-host allows multiple MAC addresses in the DATA domain. Only the first one is authenticated.

multi-domain allows only one MAC address in the DATA domain and only one MAC address in the VOICE domain.

What is happening when you use multi-host?

Hi Pan, as mentioned above I finally made it work with MDA, but now both devices are authorized with MAB (as mentioned at the beginning of my email, I wanted only the phone to authorize via MAB and not the PC). Now, by passing the default permit access, I can also have the PC authorized by using MDA on the port.

What I cannot understand is how the switch behaves when a port is in MDA mode. How does the switch understand that a client is a VoIP phone? By CDP?

Thanks.

Hi to all,

It seems that the best way of ensuring everything works is by using multi-auth instead of MDA, just because of the fact that a VM running on the PC will shut down the port!

What is your opinion? What do we lose if we use multi-auth instead of MDA for a phone and a PC behind the phone?

Ditter.

hslai
Cisco Employee

Yeah, I agree with you.

Cisco IOS platforms added multi-auth to support more flexibility. MDA is good if strictly enforcing one voice and one data endpoint.

howon
Cisco Employee

Multi-auth includes all features of MDA plus allows multiple data MAC addresses to connect. For MDA, if you want to prevent the interface from being disabled, you can use the 'authentication violation' interface command. The default is shutdown, and the difference between protect and restrict is whether the event is logged or not. Restrict will log and alert on the event when a violation occurs while protect does not; however, the behavior is the same between the two in terms of access.

3560CX(config-if)#authentication violation ?
  protect   Protect the port
  replace   Replace the existing session
  restrict  Restrict the port
  shutdown  SHUTDOWN the port
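The following is an added example, not code from this thread or from Cisco: a small Python model of the host-mode behaviour pan describes above (multi-host authenticates only the first data MAC, multi-domain allows one data and one voice MAC) and of the violation actions howon lists, run against the case Ditter raised of a VM bridged onto the PC behind the phone. The MAC addresses, the accept-everything RADIUS policy, the log wording and the simplified treatment of the voice domain (one authenticated phone per port in every mode) are assumptions of the example, not IOS behaviour quoted from the thread.

```python
# Added example for this thread, not Cisco code: a model of how a Cisco IOS
# access port admits MAC addresses under the three `authentication host-mode`
# settings and what `authentication violation` does when a domain is already
# full. MAC addresses and the accept-everything RADIUS policy are constructed.
from dataclasses import dataclass, field


@dataclass
class Port:
    host_mode: str                 # "multi-host", "multi-domain" or "multi-auth"
    violation: str = "shutdown"    # "shutdown" (IOS default), "restrict", "protect", "replace"
    sessions: dict = field(default_factory=dict)   # mac -> "data" | "voice"
    err_disabled: bool = False
    log: list = field(default_factory=list)        # what restrict/shutdown/replace report

    def _domain_full(self, domain: str) -> bool:
        # Assumption: one phone per port in every mode; data is capped only by multi-domain.
        in_use = sum(1 for d in self.sessions.values() if d == domain)
        if domain == "voice":
            return in_use >= 1
        return self.host_mode == "multi-domain" and in_use >= 1

    def learn(self, mac: str, domain: str, radius_accepts) -> str:
        """A new MAC is seen on the port; return what the switch did with it."""
        if self.err_disabled:
            return "port err-disabled"
        if mac in self.sessions:
            return "already authorized"
        # multi-host: only the first data MAC is authenticated; later ones ride on it.
        if (self.host_mode == "multi-host" and domain == "data"
                and "data" in self.sessions.values()):
            self.sessions[mac] = "data"
            return "admitted without authentication"
        if self._domain_full(domain):
            return self._violate(mac, domain, radius_accepts)
        if not radius_accepts(mac):
            return "access rejected"
        self.sessions[mac] = domain
        return "authorized"

    def _violate(self, mac: str, domain: str, radius_accepts) -> str:
        if self.violation == "shutdown":          # err-disable the whole port
            self.err_disabled = True
            self.sessions.clear()
            self.log.append(f"security violation by {mac}: port err-disabled")
            return "port err-disabled"
        if self.violation == "restrict":          # drop the new MAC and report it
            self.log.append(f"security violation by {mac}: frames dropped")
            return "dropped (logged)"
        if self.violation == "protect":           # drop the new MAC silently
            return "dropped (silent)"
        if self.violation == "replace":           # tear down the old session, authenticate the new MAC
            old = next(m for m, d in self.sessions.items() if d == domain)
            del self.sessions[old]
            self.log.append(f"session for {old} replaced by {mac}")
            if not radius_accepts(mac):
                return "access rejected"
            self.sessions[mac] = domain
            return "authorized (replaced)"
        raise ValueError(f"unknown violation action {self.violation!r}")


def run_scenario(host_mode: str, violation: str = "shutdown") -> dict:
    """Phone, PC, then a VM bridged onto the PC's NIC appear on one port."""
    port = Port(host_mode, violation)
    accept_all = lambda mac: True   # constructed: ISE/MAB accepts every MAC
    phone, pc, vm = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    out = {
        "phone": port.learn(phone, "voice", accept_all),
        "pc": port.learn(pc, "data", accept_all),
        "vm": port.learn(vm, "data", accept_all),
    }
    out["pc_still_up"] = pc in port.sessions and not port.err_disabled
    out["log"] = list(port.log)
    return out


if __name__ == "__main__":
    for mode, action in [("multi-domain", "shutdown"), ("multi-domain", "restrict"),
                         ("multi-domain", "replace"), ("multi-auth", "shutdown"),
                         ("multi-host", "shutdown")]:
        print(f"{mode:13s} {action:9s} {run_scenario(mode, action)}")
```

Running the scenarios shows the trade-off discussed in the thread: under multi-domain with the default shutdown action the VM's MAC err-disables the port and takes the PC and phone down with it, restrict and protect keep the PC up and only drop the VM (restrict additionally logs it), replace keeps the port up but swaps the PC's session for the VM's, and multi-auth authenticates the VM as a third session so nothing is lost. In multi-host the VM is admitted on the strength of the PC's authentication without ever being authenticated itself.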

Hi Howon,

thank you for your answer.

What confuses me is the following:
Suppose that my switch configuration is as follows:


interface GigabitEthernet4/23
 switchport access vlan XXX  <--- DHCP VLAN
 switchport mode access
 switchport voice vlan VVV  <-- Voice VLAN
 no logging event link-status
 authentication host-mode multi-domain
 authentication order mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end

 

As you can see, the port configuration is ready to accept the voice and data devices.

The confusing thing for me is the following:

In ISE there is the option (in the Common Tasks section) to define the following two options in an authorization profile:

1. VLAN

2. Voice Domain Permission

See also the attached PNG.

So my question is: what is the meaning of these two options in the ISE authorization profile if you have already programmed the switch port with the appropriate voice VLAN commands?

Thanks,

Ditter

The Voice Domain option authorizes the device to use the voice domain (VLAN) that is set on the port.

The VLAN setting dynamically sets the data VLAN on the port.

The two options should not be used in the same authorization profile. The VLAN setting should only be used if you want to change the VLAN from what is configured on the port.

Thank you Cory,

so that means that even if a port is configured with a voice VLAN, the phone will not be able to use it unless VOICE DOMAIN PERMISSION is checked in the authorization profile.

I can confirm that; I tested it and it works the way you described.

I can also confirm that if VLAN and VOICE DOMAIN PERMISSION are both checked in the same authorization profile, the data VLAN does not seem to change, as you also describe. Any idea why this is happening? Why am I not able to do both changes in the same authorization profile?

Thanks,

Ditter.

howon
Cisco Employee

As Cory described, voice domain permission allows access to the voice VLAN configured on the switch. When you send down a VLAN ID along with the voice domain permission, the switch will dynamically assign the voice VLAN for the phone. For older IOS versions (my guess is anything lower than 15.1), this was not the case, and assigning both voice VLAN permission and a VLAN ID would not work on the switch and would end up with an authorization failure, if I recall.

Reading through the notes, it sounds like you are trying to assign permission for the PC behind the phone based on the phone's authentication. This is not possible, as the authorization profile is applied to the session (or specific MAC address, depending on how you look at it), not to the whole interface. In other words, the set of settings you defined in the phone's authorization profile only applies to the phone's session/MAC. The PC has to be assigned its own authorization profile, independent of the phone's authorization profile, by going through authentication on its own.

Now, technology aside, I do not understand the use case here to permit data access based on the phone, but if you share the business requirement, there may be better ways to meet the requirement.
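The following is an added example, not code from this thread, from ISE or from IOS: a Python model of what the two authorization-profile options Cory explains turn into on the wire, and of howon's point that the switch applies an Access-Accept to one session (MAC), not to the port. The attribute names and values are the standard ones (IETF Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID for the VLAN task, the cisco-av-pair "device-traffic-class=voice" for Voice Domain Permission); the VLAN numbers, MAC addresses, the "phone without voice permission lands in the data domain" rule (taken from Ditter's confirmation above) and the ios_dynamic_voice_vlan flag standing in for the older-IOS behaviour howon recalls are assumptions of the example.

```python
# Added example for this thread, not ISE or IOS code: the RADIUS attributes the
# two ISE authorization-profile options become, and how a switch applies them to
# ONE session (MAC) rather than to the whole port. VLAN numbers, MACs and the
# ios_dynamic_voice_vlan flag are constructed for the example.


class AuthorizationFailure(Exception):
    """The switch could not apply the Access-Accept to the session."""


def ise_authz_profile(vlan=None, voice_domain_permission=False) -> dict:
    """Access-Accept attributes for an ISE authorization profile whose Common
    Tasks have the 'VLAN' and/or 'Voice Domain Permission' boxes checked."""
    attrs = {}
    if vlan is not None:
        attrs["Tunnel-Type"] = "VLAN"                 # RADIUS attribute 64, value 13
        attrs["Tunnel-Medium-Type"] = "IEEE-802"      # RADIUS attribute 65, value 6
        attrs["Tunnel-Private-Group-ID"] = str(vlan)  # RADIUS attribute 81
    if voice_domain_permission:
        attrs["cisco-av-pair"] = "device-traffic-class=voice"
    return attrs


def new_port(access_vlan: int, voice_vlan: int) -> dict:
    """Static port config, i.e. `switchport access vlan` / `switchport voice vlan`."""
    return {"access_vlan": access_vlan, "voice_vlan": voice_vlan, "sessions": {}}


def apply_access_accept(port: dict, mac: str, attrs: dict,
                        ios_dynamic_voice_vlan: bool = True) -> dict:
    """Apply an Access-Accept to the session of one MAC on the port.

    ios_dynamic_voice_vlan=False models the older IOS behaviour howon describes,
    where voice permission plus a VLAN ID in one profile fails authorization.
    """
    voice = attrs.get("cisco-av-pair") == "device-traffic-class=voice"
    assigned = attrs.get("Tunnel-Private-Group-ID")
    if voice and assigned is not None and not ios_dynamic_voice_vlan:
        raise AuthorizationFailure(f"{mac}: voice permission with VLAN ID not supported")
    if voice:
        # Voice domain: the port's voice VLAN, or the assigned one on newer IOS.
        domain, vlan = "voice", int(assigned) if assigned else port["voice_vlan"]
    else:
        # Without voice permission the phone is just another data host: it lands in
        # the data domain and cannot use the voice VLAN configured on the port.
        domain, vlan = "data", int(assigned) if assigned else port["access_vlan"]
    session = {"mac": mac, "domain": domain, "vlan": vlan}
    port["sessions"][mac] = session   # per-session state; other MACs are untouched
    return session


def demo() -> dict:
    """Phone and PC on one port, each authorized by its own profile."""
    port = new_port(access_vlan=100, voice_vlan=200)          # constructed VLAN IDs
    phone, pc = "00:11:22:33:44:01", "00:11:22:33:44:02"       # constructed MACs
    phone_session = apply_access_accept(
        port, phone, ise_authz_profile(voice_domain_permission=True))
    # The PC's profile is independent of the phone's: its own VLAN, its own session.
    pc_session = apply_access_accept(port, pc, ise_authz_profile(vlan=110))
    # Same phone, profile without Voice Domain Permission: it ends up in the data domain.
    phone_no_perm = apply_access_accept(new_port(100, 200), phone, ise_authz_profile())
    # Both options in one profile: dynamic voice VLAN on newer IOS, failure on older.
    both = ise_authz_profile(vlan=210, voice_domain_permission=True)
    phone_dyn = apply_access_accept(new_port(100, 200), phone, both)
    try:
        apply_access_accept(new_port(100, 200), phone, both, ios_dynamic_voice_vlan=False)
        old_ios = "authorized"
    except AuthorizationFailure:
        old_ios = "authorization failure"
    return {"phone": phone_session, "pc": pc_session, "phone_no_perm": phone_no_perm,
            "phone_dyn": phone_dyn, "old_ios": old_ios}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point the model makes explicit: the phone's Access-Accept changes only the phone's session, so nothing in it can grant the PC access; the PC gets its own Access-Accept (here with its own VLAN) or it gets nothing. It also shows why omitting Voice Domain Permission breaks the phone even though the port already has a voice VLAN, and how a VLAN ID combined with voice permission is read as the voice VLAN on IOS releases that support it.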

Hi Howon, sorry for the delay in updating the thread...

My initial intention was for the PC to connect to the network without having to pass through a new authorization process. I understood that it was not possible.

I did some tests with a switch running 15.0.2 and I can send an attached VoIP phone both the Voice Domain Permission and a change of the VLAN ID where it belongs. Both actions can occur in the same authorization profile.

In another authorization profile (only for data this time) I authorize attached PCs connected to the switch port of the VoIP phone, and in this second authorization profile I can also assign a VLAN dynamically.

Thank you all for your contributions.

Ditter.