01-12-2018 02:04 AM - edited 02-21-2020 10:43 AM
Hi,
There are actually two questions here that I need answered, but the primary one is around the deletion of a MAC address entry in an identity store.
I have ISE 2.2.0.470 installed, and for wired connections we use dot1x for PC authentication and then, as expected, MAB for non-domain devices. The original issue is to get Cisco phones authenticated onto the network without having to use MAC addresses in MAB, which normally works. One of our sites is set up a bit differently and does not have separate data and voice VLANs, but instead just uses the one VLAN for both. At this site we do not connect PCs into phones, and all the PC devices are being authenticated correctly with dot1x, but all the phones are failing authentication.
To troubleshoot, I have added one of the phones' MAC addresses to the site --> printer identity group, and it is now authenticating and allowed on the network. I would have expected that the phones would have been identified using CDP or a RADIUS VSA and then authenticated using the device type. This is not the case.
What I have then tried is to remove the MAC address from the group so that authentication fails and I can test some more, but it is not being removed. The device is still authenticating via MAB. I have checked the purge properties, and there is a default job that takes place every evening at 3:00.
Any help here would be appreciated.
01-12-2018 04:14 AM - edited 01-12-2018 04:16 AM
Hi,
If the phone is correctly identified and you are using the same authorization rule for profiled IP phones, the setup would not work because ISE is returning voice domain permissions (essentially it tells the switch to apply whatever voice vlan is configured at the port level).
If the switchport does not have a voice vlan configured, it will not get applied and authorization will fail, even though ISE will show a green/authenticated session.
It doesn't matter whether or not you have the VLAN configured on the switch; it's not configured at port level.
Regarding your second issue, normally when you remove a MAC address from an endpoint identity group, ISE sends a CoA message to the switch, telling it to reauthenticate the device. Maybe CoA support is not configured on the switch or on ISE for the specific NAD.
Regards,
Octavian
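An added illustration of the two points in the reply above, not part of Octavian's answer or the original thread: a legacy-IOS access-switch configuration showing the port with and without a voice VLAN, and the dynamic-authorization (CoA) stanza the switch needs so that an ISE change-of-authorization actually reaches it. The interface name, VLAN numbers, the ISE address 10.0.0.10 and the shared secret are assumed placeholders. The "voice domain permission" ISE returns for a profiled Cisco phone is the cisco-av-pair VSA `device-traffic-class=voice`, which is why a port with no voice VLAN has nothing to apply it to.

```text
! Added example, not from the original thread. Assumed values: ISE at 10.0.0.10,
! data VLAN 10, voice VLAN 20, port Gi1/0/1, RADIUS shared secret "ISEsecret".

! 1. Port as described in the question: a single VLAN, no voice VLAN.
!    ISE returns device-traffic-class=voice for the phone, the switch has no
!    voice VLAN to place the session in, and the phone stays unauthorized
!    even though the ISE live log shows a green session.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator

! 2. Corrected port: a voice VLAN is present, so the voice-domain
!    authorization can be applied to the phone's session.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator

! 3. CoA: without this the switch silently ignores ISE's reauthenticate
!    request, and a MAC removed from an identity group keeps its session
!    until the next reauthentication or link flap.
aaa server radius dynamic-author
 client 10.0.0.10 server-key ISEsecret

! Checks after applying the change:
! show authentication sessions interface GigabitEthernet1/0/1 details
!   (look for the phone's session in the VOICE domain)
! show aaa servers
!   (CoA requests received/accepted counters should increase after a change in ISE)
```

On the ISE side the network-device entry for this switch must use the same shared secret and the CoA port the switch is listening on (UDP 1700 by default); a mismatch there produces exactly the symptom in the question, where the entry is gone from the identity group but the endpoint keeps passing MAB until it is forced to reauthenticate.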