04-11-2023 11:46 AM
First, understand I have no control over the different types of phone systems. This is a very large enterprise that is a child of an even larger enterprise (50K plus users). The parent organization uses a Cisco phone system while the child organization (the one I'm in) uses an NEC phone system. The child org is health care while the parent is EDU. The parent org has networks within our org that must be separated by VRF because of HIPAA. One of those scenarios is voice. Whenever the parent needs to place a voice network on one of our switches that already has our voice network on it, we have to start manually configuring ports for different voice VLANs instead of just setting a default voice VLAN on all the switchports. This causes all kinds of issues with automation as you can imagine.
My question is simply this, using Cisco ISE (3.0+) can I dynamically assign the voice VLAN for each port based on the type of device that's connecting (using either MAB or 802.1x). I've been trying to test this but I'm not getting anywhere.
04-11-2023 02:00 PM
Hello @Christopher Bell
Let's first discuss the Cisco switch 'domain concept' - DATA and VOICE domains. Cisco switches will partition the interface and place the learned Ethernet MAC addresses in one of two 'domains' for isolation purposes (I think ... not sure why TBH).
Voice Domain:
You can dynamically assign a VLAN with ISE, which a Cisco switch will then apply to that interface in the DATA domain. Therefore, some customers may want to operate the voice handsets in the DATA domain instead. I have seen this on Avaya handsets which in my experience have had some really odd bugs that prevented them from playing nicely with NAC. The most recent bug I saw is that LLDP on the phone didn't work. This meant that the phone would never learn its voice VLAN via LLDP. The solution was to disable 'voice permission' in ISE and then let the phone live in the DATA domain. Avaya uses DHCP options to learn the voice VLAN. The end result was that the phone's MAC address remained in the DATA domain and the frames were tagged with 802.1Q. The attached PC was sending frames as normal as untagged. This solution does work. Of course you need to use multi-auth mode on the switchport to allow more than one MAC in the data domain.
I have tried and exhausted myself trying to get dynamic voice vlan assignment - and the IOS just doesn't allow it.
Tip: You might be able to achieve this using dynamic interface templates; however, those templates must be defined and exist on the switch - but if you have a few common voice VLANs, then that might be easy to achieve. ISE can authorize the endpoint and then apply an interface template name - e.g.
template arne
switchport voice vlan 10
In ISE AuthZ you can return the template by name - and that will apply the commands in the template to that interface as long as the session is authorized.
04-13-2023 10:48 AM - edited 04-13-2023 10:59 AM
Hey Arne, thanks for the reply. I'm not familiar with interface templates, I'll look into those. How do you apply the interface template from ISE, what's the radius attrib that's being used?
04-13-2023 03:20 PM
First, you create an Authorization Profile that is applied when ISE Authorizes a particular vendor's phone - e.g. the NEC Phone - whether you match by certificate, EAP-PEAP, MAB - doesn't matter - you apply the profile below and that will assign the interface template to the interface - the interface template option is found under Common Tasks. Make sure the name is exactly as defined on the Cisco switch:
When the phone is authorized, then this template is ADDED to the existing interface config. That should hopefully assign the correct voice VLAN and put the MAC in the voice domain.
On the switch define the VLAN - e.g.
vlan 123
name NEC_VOICE
Then define the template
template interface NEC_PHONE_VLAN
switchport voice vlan name NEC_VOICE
Using VLAN names instead of IDs allows you to repeat the template across multiple switches - all you need to alter (if at all) is the VLAN ID on each switch - e.g. "vlan 124 / name NEC_VOICE" etc.
04-17-2023 06:11 AM
So the difference that I see here is you are using the name of the VLAN in the switchport command instead of the VLAN ID. Other than that, I've done exactly what you've laid out. I'll try using the name. Thanks Arne.
04-17-2023 06:26 AM
The switch I'm testing on is a 3850 and doesn't have the option to use the VLAN name in the template unfortunately. Only the VLAN ID. I'm running 3.6.5, not sure if it's a version thing. I'll try a different switch.
04-17-2023 07:25 AM
I tested on a 9300 and the command set you used is there so I tried that. No difference. Logs indicate:
%DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN ^A on port TwoGigabitEthernet1/0/1 cannot be equivalent to the Voice VLAN AuditSessionID
Switchport config is as such:
interface TwoGigabitEthernet1/0/1
switchport mode access
authentication event fail action authorize vlan 630
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
end
AAA config is as such:
aaa authentication login default group ISE line
aaa authentication dot1x default group radISE
aaa authorization exec default group ISE if-authenticated
aaa authorization network default group radISE
aaa authorization commands 15 default group ISE if-authenticated
aaa accounting exec default start-stop group ISE
aaa accounting commands 0 default start-stop group ISE
aaa accounting commands 1 default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
aaa accounting system default start-stop group ISE
!
!
!
!
!
!
radius server radISE1
address ipv4 <redacted> auth-port 1812 acct-port 1813
timeout 5
key 7 <redacted>
!
tacacs server ISE1
address ipv4 <redacted>
key 7 <redacted>
timeout 5
tacacs server ISE2
address ipv4 <redacted>
key 7 <redacted>
timeout 5
!
!
aaa group server radius radISE
server name radISE1
!
aaa group server tacacs+ ISE
server name ISE1
server name ISE2
04-17-2023 02:59 PM
What does the template look like on the switch (output please) ?
Does ISE return this template name?
Does the Voice VLAN exist in the switch (output please) ?
The DATA vlan on the TwoGigabitEthernet1/0/1 is not defined - which means it will default to VLAN 1 - I hope you're not trying to assign the voice VLAN to Vlan 1 as well? That would explain the error.
In the case where an interface template has been successfully applied to an interface, you won't see the result with a "show run interface" - you will have to use the command "show derived interface" instead.
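The two things the replies above turn on - a template name ISE returns must exist on the switch with a voice VLAN the switch carries, and that voice VLAN must not be the port's data VLAN (VLAN 1 when no access VLAN is set) - can be checked before an Access-Accept ever reaches the port. The script below is an added example, not code from this thread or from Cisco. It parses the VLAN database, the `template` blocks and the access port from `show run` output, plus the `cisco-av-pair` lines shown in the ISE Authorization Profile, and reports what would make the template apply fail. The sample config is constructed for the example, modelled on the thread (it deliberately includes a name-based template whose VLAN name does not match any VLAN on the switch, to show how the name-vs-ID approach fails when names drift).

```python
"""Pre-flight check for ISE-returned interface templates on a Cisco switch.
Added example (not from the thread). Sample config below is constructed."""
import re
from typing import Dict, List, Optional, Union

# --- constructed sample input, modelled on the thread's switch and ISE profile ---
SWITCH_VLANS = """
vlan 630
 name CRITICAL
vlan 2342
 name NECVOIP
vlan 3000
 name CISCOVOIP
"""
SWITCH_TEMPLATES = """
template CISCOVOICE
 switchport voice vlan 3000
template NECVOICE
 switchport voice vlan 2342
template NEC_PHONE_VLAN
 switchport voice vlan name NEC_VOICE
"""
PORT = """
interface TwoGigabitEthernet1/0/1
 switchport mode access
 authentication host-mode multi-domain
"""
ISE_NEC_PROFILE = [
    "Access Type = ACCESS_ACCEPT",
    "cisco-av-pair = device-traffic-class=voice",
    "cisco-av-pair = interface-template-name=NECVOICE",
]


def parse_vlans(text: str) -> Dict[int, str]:
    """'vlan N' / 'name X' blocks -> {id: name}. VLAN 1 always exists on IOS."""
    vlans, current = {1: "default"}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            current = int(m.group(1))
            vlans.setdefault(current, "")
        elif (m := re.fullmatch(r"name (\S+)", line)) and current is not None:
            vlans[current] = m.group(1)
    return vlans


def parse_templates(text: str) -> Dict[str, Union[int, str, None]]:
    """'template NAME' blocks -> {name: voice VLAN as int ID or str VLAN name}."""
    templates, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"template (?:interface )?(\S+)", line):
            current = m.group(1)
            templates.setdefault(current, None)
        elif (m := re.fullmatch(r"switchport voice vlan (?:name (\S+)|(\d+))", line)) and current:
            templates[current] = m.group(1) or int(m.group(2))
    return templates


def parse_data_vlan(interface_text: str) -> int:
    """Static access VLAN of the port; IOS defaults to VLAN 1 when none is set."""
    m = re.search(r"switchport access vlan (\d+)", interface_text)
    return int(m.group(1)) if m else 1


def parse_avpairs(lines: List[str]) -> Dict[str, str]:
    """ISE authorization-profile display lines -> {av-pair key: value}."""
    pairs = {}
    for line in lines:
        if m := re.fullmatch(r"cisco-av-pair\s*=\s*([^=]+)=(.+)", line.strip()):
            pairs[m.group(1).strip()] = m.group(2).strip()
    return pairs


def check_authz(avpairs, vlans, templates, interface_text, data_vlan: Optional[int] = None) -> List[str]:
    """Problems the switch would hit applying this authorization ([] means OK).
    data_vlan overrides the static port VLAN, e.g. one ISE assigns dynamically."""
    problems: List[str] = []
    name = avpairs.get("interface-template-name")
    if name is None:
        return ["no interface-template-name av-pair in the authorization"]
    if name not in templates:
        return [f"template {name!r} is not defined on the switch"]
    ref = templates[name]
    if ref is None:
        return [f"template {name!r} sets no voice VLAN"]
    if isinstance(ref, str):  # 'switchport voice vlan name X' resolves per switch
        ids = [i for i, n in vlans.items() if n == ref]
        if not ids:
            return [f"no VLAN named {ref!r} on this switch for template {name!r}"]
        voice_vlan = ids[0]
    else:
        voice_vlan = ref
        if voice_vlan not in vlans:
            problems.append(f"voice VLAN {voice_vlan} is not in the VLAN database")
    effective_data = data_vlan if data_vlan is not None else parse_data_vlan(interface_text)
    if voice_vlan == effective_data:
        problems.append(f"voice VLAN {voice_vlan} equals data VLAN {effective_data} "
                        "(ERR_VLAN_EQ_VVLAN on the switch)")
    return problems


if __name__ == "__main__":
    vlans, templates = parse_vlans(SWITCH_VLANS), parse_templates(SWITCH_TEMPLATES)
    for profile in (ISE_NEC_PROFILE, ["cisco-av-pair = interface-template-name=NEC_PHONE_VLAN"]):
        pairs = parse_avpairs(profile)
        print(pairs, "->", check_authz(pairs, vlans, templates, PORT) or "OK")
```

Run it against real `show run | section vlan`, `show run | section template` and `show run interface` output to catch the mismatch before looking at debugs; once a template is applied, remember that `show run interface` will not show it and `show derived-config interface` is needed.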
04-18-2023 04:56 AM - edited 04-18-2023 05:38 AM
The data vlan is not defined because we expect that to also be assigned dynamically when a computer is connected to the phone (for my testing, one is not). We currently do that in production using a FreeRadius solution that will eventually migrate to ISE (hence my testing). I'm trying to leave that aspect out of testing for now to avoid this being too complicated (one piece at a time). The main thing I'm trying to accomplish here is to dynamically assign the voice vlan.
The templates look like this:
template CISCOVOICE
switchport voice vlan 3000
template NECVOICE
switchport voice vlan 2342
The VLANs are installed on the switch as such:
vlan 2
name PROTECTED
vlan 108
name CLOSED
vlan 630
name CRITICAL
vlan 2342
name NECVOIP
vlan 2350
name MGMT
vlan 3000
name CISCOVOIP
The template results in ISE looks like this:
Access Type = ACCESS_ACCEPT
cisco-av-pair = device-traffic-class=voice
cisco-av-pair = interface-template-name=CISCOVOICE
Access Type = ACCESS_ACCEPT
cisco-av-pair = device-traffic-class=voice
cisco-av-pair = interface-template-name=NECVOICE
I don't see the template being passed by the live logs, but it wouldn't if authz is failing. I've read that the phones need to be configured for 802.1x to get authorization profiles passed to them by ISE in some forums? These phones are not configured for 802.1x because I was counting on using MAB. If that's not going to work, I can explore 802.1x on them.
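For anyone checking whether the template name really leaves ISE, this is what the authorization profile shown above looks like on the wire. The script below is an added example, not ISE or switch code: it builds the RADIUS Access-Accept carrying the two `cisco-av-pair` values as Vendor-Specific attributes (vendor 9, sub-type 1), computes the Response Authenticator the switch validates (RFC 2865, section 3: MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret), and parses the av-pairs back out the way a capture on the switch uplink would be decoded. The shared secret, Identifier and Request Authenticator are constructed values standing in for the switch's `key 7` secret and the request it sent; nothing here is taken from the thread's redacted config.

```python
"""RADIUS Access-Accept with Cisco-AVPair VSAs, as ISE returns them for an
interface template. Added example (not ISE/switch code); values constructed."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional

CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # Cisco-AVPair vendor sub-attribute
RADIUS_HEADER = 20        # code(1) id(1) length(2) authenticator(16)

# av-pairs from the thread's NECVOICE authorization profile
ISE_NECVOICE_PROFILE = ["device-traffic-class=voice", "interface-template-name=NECVOICE"]


def cisco_avpair(value: str) -> bytes:
    """Encode one cisco-av-pair as a Vendor-Specific attribute (RFC 2865 s5.26)."""
    v = value.encode("ascii")
    vendor_part = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(v)) + v
    if 2 + len(vendor_part) > 255:
        raise ValueError("av-pair too long for one RADIUS attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vendor_part)) + vendor_part


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, avpairs: List[str]) -> bytes:
    """Access-Accept; Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    attrs = b"".join(cisco_avpair(a) for a in avpairs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, RADIUS_HEADER + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The switch-side check: a reply not built with the shared secret is silently dropped."""
    if len(packet) < RADIUS_HEADER:
        return False
    header, auth, attrs = packet[:4], packet[4:RADIUS_HEADER], packet[RADIUS_HEADER:]
    if struct.unpack("!BBH", header)[2] != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_cisco_avpairs(packet: bytes) -> List[str]:
    """Walk the attribute TLVs and return every cisco-av-pair string in order."""
    pairs, pos = [], RADIUS_HEADER
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        body = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(body) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
            # vlen counts the sub-type and sub-length bytes, so the value is body[6:4+vlen]
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and 2 <= vlen <= len(body) - 4:
                pairs.append(body[6:4 + vlen].decode("ascii"))
        pos += alen
    return pairs


def template_name(avpairs: List[str]) -> Optional[str]:
    """The interface template the switch will try to apply, if any was returned."""
    for pair in avpairs:
        key, _, value = pair.partition("=")
        if key == "interface-template-name":
            return value
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # stands in for the switch's 'key 7' value
    req_auth = os.urandom(16)               # Request Authenticator the switch sent
    pkt = build_access_accept(0x2A, req_auth, secret, ISE_NECVOICE_PROFILE)
    print(pkt.hex())
    print(parse_cisco_avpairs(pkt), template_name(parse_cisco_avpairs(pkt)),
          verify_response(pkt, req_auth, secret))
```

If a capture of the Access-Accept decodes with no `interface-template-name` av-pair, the problem is on the ISE policy side (the authorization profile is not the one being matched); if the av-pair is present but the template never applies, the problem is on the switch side, which is where `show derived-config interface` and the DOT1X_SWITCH syslogs come in.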
04-18-2023 04:20 PM
Your config looks correct - you should see the template Cisco AVPair passed in the Access-Accept - but it sounds like the MAB is not working. There is no need for 802.1X. How are you authenticating and authorizing these phones? Perhaps you can show us your Policy Set logic.
04-19-2023 08:42 AM - edited 04-19-2023 08:43 AM
Thanks Arne, here's a screen snip. The Authz profiles were scrubbed in the screenshot to avoid displaying my orgs name.
04-11-2023 02:22 PM
Yes, you could do this either with profiling (Advanced License) or static group based assignment by MAC or custom endpoint attributes:
▷ User & Endpoint Custom Attributes
03:09 Endpoint Profiles, Endpoint Groups versus Custom Attributes
06:10 Defining Endpoint Custom Attributes and their Common Uses
13:51 Demo: Customize 802.1X Authorization Policy using Custom Attributes
15:20 Demo: Edit User Custom Attribute and Authenticate with Custom Attribute
16:51 Demo: Endpoint Custom Attributes
19:29 Demo: Custom Attribute Policies for IOT Endpoints
30:43 Demo: Authorize Raspberry Pi using 'Department' Custom Attribute
04-13-2023 10:41 AM
Hey Thomas, thanks for the reply. You're the first person to suggest this is even possible with IP phones. What would the switchport config look like if I had two VLANs like such:
VLAN 2 - NEC_VOICE
VLAN 3 - CISCO_VOICE
I've been trying to get this working with just the MAC addresses of the phones and a static group assignment in ISE for over a week and it fails. I'm passing the VLAN name in the Auth Profile and it matches the name on the switch. I don't believe I'm getting that far though because the switch indicates that authentication and authorization fails in the logs.
04-13-2023 03:23 PM
@Christopher Bell wrote:
Hey Thomas, thanks for the reply. You're the first person to suggest this is even possible with IP phones. What would the switchport config look like if I had two VLANs like such:
VLAN 2 - NEC_VOICE
VLAN 3 - CISCO_VOICE
I've been trying to get this working with just the MAC addresses of the phones and a static group assignment in ISE for over a week and it fails. I'm passing the VLAN name in the Auth Profile and it matches the name on the switch. I don't believe I'm getting that far though because the switch indicates that authentication and authorization fails in the logs.
You'll have to share your Policy Set with us to help you determine the issue. Do the RADIUS requests appear in the ISE Live Logs? Errors? What do the errors say?
A good starting point is always
show run interface xxx
show run | section radius
show run | include aaa
04-16-2023 06:13 AM
> ... the switch indicates that authentication and authorization fails in the logs.
This usually means that ISE authentication is successful but the returned attributes are unable to apply to the client session on the switch for one reason or another, e.g. bad entries in the DACL. It would help to debug on the switch side; the debug commands may vary by switch and switch firmware. One of the following might help.