Double dynamic VLAN assignment on interface ISE MAB

Louey
Level 1

Hello

We are implementing MAB for our IP phones.

I made an authorization policy to assign a dynamic VLAN to them once authenticated. The authentication passed and the authorization policy matched, but in addition to the dynamic VLAN they are also getting the default VLAN 1, as shown below:

Vlan    Mac Address       Type      Ports
----    -----------       --------  -----
1       70ca.9b9f.2a42    STATIC    Gi1/0/33
1022    70ca.9b9f.2a42    STATIC    Gi1/0/33

This makes the phones not get an IP in the designated VLAN, so they are not reachable.

Any help with that please?

Regards

7 Replies

marce1000
VIP

 - Check ISE (live) logs for the particular authentication(s) and observe if the policy works as intended or not (to start with)

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

It is matching the right authentication policy and authentication is passed. Even the AuthZ policy is okay; it is just that the phone is not getting an IP address on the configured dynamic voice VLAN. The dynamic VLAN is 1022 (which is a voice VLAN) and I also checked "Voice Domain Permission" on the AuthZ policy.

The phone is not reachable, as it gets the wrong IP or no IP at all, and two VLANs appear on the switchport.

 - Check interface configuration according to : https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-config-mab.html  (and/or review the examples)

 M.


thomas
Cisco Employee

You have not shared any switch configurations, so it is impossible to know what you may or may not be doing wrong with your VLAN or, more likely, your 802.1X/MAB switchport authentication. We have best practice configurations documented in the ISE Secure Wired Access Prescriptive Deployment Guide, including details for the phones.

Please see How to Ask The Community for Help to provide enough details to help us help you with troubleshooting.

Here is the switchport configuration :

switchport mode access
device-tracking attach-policy IPDT_POLICY
ip flow monitor dnacmonitor input
ip flow monitor dnacmonitor output
load-interval 30
access-session inherit disable interface-template-sticky
access-session inherit disable autoconf
dot1x timeout tx-period 7
dot1x max-reauth-req 3
no macro auto processing

dot1x pae authenticator
dot1x timeout supp-timeout 7
dot1x max-req 3
switchport mode access
switchport voice vlan 2046
mab
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

spanning-tree portfast
spanning-tree bpduguard enable
service-policy input DNA-MARKING_IN
service-policy output DNA-dscp#APIC_QOS_Q_OUT
ip nbar protocol-discovery

The dynamic VLAN is 1022 (voice VLAN) with a DHCP server pool.

VLAN 2046 is a voice VLAN included in the Cisco closed wired authentication template on the port, with no IP pool.

As I understand it, the phone is not able to get an IP from the voice VLAN IP pool, so it is put in VLAN 1 (default) and the voice VLAN, but as there is no pool associated it does not get any IP. When I add a data VLAN on the switchport with a DHCP IP pool, the phone gets an IP address on this VLAN and works.

Here is the MAC table for the phone port:

Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type      Ports
----    -----------       --------  -----
1       0004.f271.7a12    STATIC    Gi1/0/14
1022    0004.f271.7a12    STATIC    Gi1/0/14

Can you try "access-session host-mode multi-auth"? A voice device is first learnt in the data VLAN and then moves to the voice VLAN, so to allow both the voice and data VLAN use host-mode multi-auth.

Reference : https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-mt/sec-user-8021x-15-mt-book/sec-ieee-802x-multi-auth.html

Hope this helps.

Octavian Szolga
Level 4

Hi,

I believe you have a 'standard' IP phone. This means you need a voice VLAN on the switch port, and your phone sends its own traffic tagged.
When you authenticate your phone, ISE has to return voice VLAN permissions (voice VLAN in the authorization profile) so that your phone can belong to the voice domain. If this does not happen, your phone will not work.

You cannot combine dynamic VLAN assignment with voice VLAN permissions. What I'm trying to tell you is that even though you're pushing VLAN 1022 to your switch, that VLAN is a data VLAN from your switch's perspective, not a voice VLAN, and the tagged traffic your phone is sending to the switch is dropped.

Please check this similar post:

Dynamic voice VLAN assignment when different phone systems are in play - Cisco Community

Like Arne Bier mentioned, you can combine voice domain permissions with an interface template.

As an alternative you can use a macro locally defined on the switch and refer to that in your authorization profile.

In the end, you get the same result.

BR,

Octavian
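The interface-template approach Octavian describes, as an added example that is not from any of the posts above or from a Cisco guide: instead of returning VLAN 1022 as a data VLAN in the authorization profile, the switch holds a template that sets the voice VLAN, and the ISE profile returns Voice Domain Permission plus a reference to that template. The template name VOICE_1022_TEMPLATE, the interface Gi1/0/14 and VLAN 1022 are assumptions taken from the thread for illustration; the AV-pairs shown are the ones the ISE "Voice Domain Permission" and "Interface Template" options send.

```ios
! Added example (not the poster's config): voice VLAN via interface template.
! VOICE_1022_TEMPLATE, Gi1/0/14 and VLAN 1022 are assumed values for illustration.
!
! --- switch side: a template that carries only the voice VLAN ---
template VOICE_1022_TEMPLATE
 switchport voice vlan 1022
!
! --- ISE side: what the authorization profile returns for the phone ---
! Voice Domain Permission  ->  cisco-av-pair = device-traffic-class=voice
! Interface Template       ->  cisco-av-pair = interface-template-name=VOICE_1022_TEMPLATE
!
! Leave the "VLAN" (Tunnel-Private-Group-ID) task unset in this profile.
! Setting it pushes 1022 as a DATA VLAN, which is the double entry the
! original MAC table shows (VLAN 1 and VLAN 1022 for the same phone MAC).
!
! --- verify on the switch after the phone re-authenticates ---
! show access-session interface Gi1/0/14 details
!   (expect the session in the VOICE domain with the template applied)
! show derived-config interface Gi1/0/14
!   (the effective port config, including the template's voice vlan)
! show mac address-table interface Gi1/0/14
!   (expect the phone MAC only in VLAN 1022)
```

Keep the static `switchport voice vlan 2046` line from the closed-auth template in mind when reading `show derived-config`: the point of the check is to confirm which voice VLAN is actually in effect on the port once the ISE-referenced template has been applied.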