Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3124
Views
0
Helpful
8
Replies

ISE 2.4 VOIP Phone access

Go to solution
jtimmer1
Level 1
Level 1

‎08-29-2018 02:54 AM

Hello All,

 

We've a problem with MAB on voice phones.

We are busy to implement ISE so i am testing and making policy's with DACL's and dynamic vlan assingment.

 

Now i have 2 policy's for a Data and voice vlan, But when i check the box in the policy results "voice domain permissions" the traffic of the Phone is unauthenticated.

When i change it back to Data (So uncheck the box) it works normally.

I've also tried to change from Multi-auth to Multi-domain. but that doesn't work eather.

 

Could you guys help me further?

 

Many thanks!

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Cory Peterson
Level 5
Level 5
In response to jtimmer1

‎08-29-2018 05:33 AM

You are missing a config on the switch port: 

 

You need to have "switchport voice vlan XX "

 

You also need to ensure the phone is set to use the voice vlan. 

View solution in original post

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Cory Peterson

‎08-29-2018 05:50 AM

If you really were trying to assign the voice VLAN dynamically you could invoke an autosmart port on the switch that assigns the voice VLAN to the port, but what is the reason you need to move around the voice VLAN?

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Cory Peterson
Level 5
Level 5

‎08-29-2018 05:00 AM

What make/model are the phones? Can you show us some examples of your switch config and ISE config?

0 Helpful

Go to solution
jtimmer1
Level 1
Level 1
In response to Cory Peterson

‎08-29-2018 05:06 AM

hi,

 

Thanks for your reply.

 

The brand of the phones is Alcatel-Lucent. with different models.

 

The switchconfig:

 

switchport mode access
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

 

Config of the policy

 

Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:319
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
DACL = PERMIT_ALL_TRAFFIC
cisco-av-pair = device-traffic-class=voice

0 Helpful

Go to solution
Cory Peterson
Level 5
Level 5
In response to jtimmer1

‎08-29-2018 05:33 AM

You are missing a config on the switch port: 

 

You need to have "switchport voice vlan XX "

 

You also need to ensure the phone is set to use the voice vlan. 

0 Helpful

Go to solution
jtimmer1
Level 1
Level 1
In response to Cory Peterson

‎08-29-2018 05:41 AM

Hello,

 

I've add the switchport voice vlan xxx it works..:)

 

However.. is it possible to give a voice vlan by dynamicly assigned?

0 Helpful

Go to solution
Cory Peterson
Level 5
Level 5
In response to jtimmer1

‎08-29-2018 05:44 AM

No, you have to set the voice vlan statically on the switch port and assign voice domain permissions from ISE.

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Cory Peterson

‎08-29-2018 05:50 AM

If you really were trying to assign the voice VLAN dynamically you could invoke an autosmart port on the switch that assigns the voice VLAN to the port, but what is the reason you need to move around the voice VLAN?

0 Helpful

Go to solution
jtimmer1
Level 1
Level 1
In response to paul

‎08-29-2018 06:16 AM

i work in a Health Company,

 

and some of our walloutlets can be used by guest. in that case we want to make sure that the voice vlan is blocked.

When an other Device connects (From our company) we would like the voice vlan is available.

 

 

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-29-2018 04:05 PM

Please review our best practice switch configurations in the ISE Wired Access Deployment Guide

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents