We are running ISE 1.4 across our campus network, currently with a mix of MAB and dot1x authentication (migrating all devices to dot1x is moving slower than expected), and have come across an interesting issue with a new batch of Polycom conference stations.

The switchports are configured for multi-domain auth (data and voice vlans), and this works perfectly for a Cisco phone and a workstation connected to that phone; i.e. the phone gets authorized in the voice domain, and the workstation gets authorized in the data domain.

However, when we connect a Polycom to a switch port with our standard config, and with CDP enabled on the Polycom (shows as a CDP neighbor with the same attributes as a 9971 for example), ISE only authorizes the switchport in the data domain and NOT the voice domain.

Because there is no authorization in the voice domain, the Polycom cannot register with CUCM. The work around for this is to configure the switchport as a standard access vlan, using the voice vlan ID. CDP also has to be disabled as the Polycom seems to expect CDP information identifying which vlan tag to be used for voice traffic. But with this config, we loose voice traffic dos marking, 

Does anyone know how I can get ISE to authorized the voice domain in this situation? Any help would be appreciated.

Regards to all, Joe