04-05-2023 02:18 AM
Hello
We are implementing mab for our IP-Phones.
I made an authorization policy to assign a dynamic vlan to them once authenticated. The authentication passed and the authorization policy matched, but in addition to the dynamic vlan, they are getting the default vlan 1 also, as shown below:
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    70ca.9b9f.2a42    STATIC      Gi1/0/33
1022    70ca.9b9f.2a42    STATIC      Gi1/0/33
This prevents the phones from getting an IP in the designated vlan, so they are not reachable.
Any help with that please?
Regards
04-05-2023 03:53 AM
- Check the ISE (live) logs for the particular authentication(s) and observe whether the policy works as intended or not (to start with).
M.
04-05-2023 04:26 AM
It is matching the right authentication policy and authentication is passed. Even the authZ policy is okay; it is just that the phone is not getting an IP address on the configured dynamic voice vlan. The dynamic vlan is 1022 (which is a voice vlan) and I also checked "voice domain permission" on the AuthZ policy.
The phone is not reachable as getting the wrong IP or no IP at all, and two vlans appear on the switchport.
04-05-2023 04:37 AM
- Check the interface configuration according to: https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-config-mab.html (and/or review the examples)
M.
04-08-2023 03:14 PM
You have not shared any switch configurations so it is impossible to know what you may or may not be doing wrong with your VLAN or more likely your 802.1X/MAB switchport authentications. We have best practice configurations documented in the ISE Secure Wired Access Prescriptive Deployment Guide including details for the phones.
Please see How to Ask The Community for Help to provide enough details to help us help you with troubleshooting.
04-11-2023 01:57 AM
Here is the switchport configuration:
switchport mode access
device-tracking attach-policy IPDT_POLICY
ip flow monitor dnacmonitor input
ip flow monitor dnacmonitor output
load-interval 30
access-session inherit disable interface-template-sticky
access-session inherit disable autoconf
dot1x timeout tx-period 7
dot1x max-reauth-req 3
no macro auto processing
dot1x pae authenticator
dot1x timeout supp-timeout 7
dot1x max-req 3
switchport mode access
switchport voice vlan 2046
mab
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input DNA-MARKING_IN
service-policy output DNA-dscp#APIC_QOS_Q_OUT
ip nbar protocol-discovery
The dynamic vlan is the 1022 (voice vlan) with a DHCP server pool.
The 2046 vlan is a voice vlan included in the Cisco Closed wired authentication template on the port, with no IP pool.
As I understand it, the phone is not able to get an IP from the voice vlan IP pool, so it is put in vlan 1 (default) and the voice vlan, but as there is no pool associated it does not get any IP. When I add a data vlan on the switchport with a DHCP IP pool, the phone gets an IP address on this vlan and is working.
Here is the mac table for the phone port:
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0004.f271.7a12    STATIC      Gi1/0/14
1022    0004.f271.7a12    STATIC      Gi1/0/14
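An added audit check, not part of this thread, for the symptom shown in the table above: it parses `show mac address-table` output and flags any MAC that a single port has learned in the default VLAN 1 alongside another VLAN, which is what a phone stuck in the default VLAN looks like. The sample output is constructed from the rows posted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the mac tables posted in the thread.
SAMPLE_OUTPUT = """
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0004.f271.7a12    STATIC      Gi1/0/14
1022    0004.f271.7a12    STATIC      Gi1/0/14
1022    70ca.9b9f.2a42    STATIC      Gi1/0/33
"""

# One data row: vlan, dotted-hex MAC, entry type, port. Header and
# separator lines do not match because they do not start with digits.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {(port, mac): set(vlans)} from show mac address-table output."""
    entries = defaultdict(set)
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            vlan, mac, _entry_type, port = match.groups()
            entries[(port, mac.lower())].add(int(vlan))
    return entries


def find_dual_vlan_hosts(text, default_vlan=1):
    """Flag (port, mac, other_vlans) where a MAC sits in the default VLAN
    as well as at least one other VLAN on the same port."""
    findings = []
    for (port, mac), vlans in sorted(parse_mac_table(text).items()):
        others = vlans - {default_vlan}
        if default_vlan in vlans and others:
            findings.append((port, mac, sorted(others)))
    return findings


if __name__ == "__main__":
    for port, mac, others in find_dual_vlan_hosts(SAMPLE_OUTPUT):
        print(f"{port}: {mac} learned in VLAN 1 and VLAN(s) {others}")
```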
04-11-2023 10:50 AM
Can you try "access-session host-mode multi-auth"? A voice device first gets learnt in the data VLAN and then moves to the voice VLAN, so to allow both the voice and data VLAN, use host-mode multi-auth.
Hope this helps.
04-13-2023 08:00 AM
Hi,
I believe you have a 'standard' IP Phone. This means you need a voice VLAN on the switch port, and your phone sends its own traffic tagged.
When you authenticate your phone, ISE has to return voice VLAN permissions (voice vlan in the authorization profile) so that your phone can belong to the voice domain. If this does not happen, your phone will not work.
You cannot combine dynamic vlan assignment with voice vlan permissions. What I'm trying to tell you is that even though you're pushing VLAN 1022 to your switch, that VLAN is a data VLAN from your switch's perspective, not a voice VLAN and the tagged traffic your phone is sending to the switch is dropped.
Please check this similar post:
Dynamic voice VLAN assignment when different phone systems are in play - Cisco Community
Like Arne Bier mentioned, you can combine voice domain permissions with an interface template.
As an alternative you can use a macro locally defined on the switch and refer to that in your authorization profile.
In the end, you get the same result.
BR,
Octavian