03-31-2021 08:40 AM
Question: If a VoIP phone connects to a switch that has the 'authentication open' command on the interface, and 'switchport access vlan 10' is set, as well as 'switchport voice vlan 20', would the phone still have access to the voice VLAN? The phone would hit the default 'DenyAccess' rule at the bottom of my policy set.
Background: We recently moved all our phones to utilize 802.1X, and I just removed all the MAB rules for phones. The datacom/VoIP guys said they normally have 1 or 2 ports that have 'authentication open', and they can connect a new out-of-the-box phone, get it registered to CUCM, and then it's ready to get placed at the user's desk and eventually has no issues with our 802.1X connection.
My understanding is that 'authentication open' just allows the authentication to be bypassed. The authorization result can still block if there is a dACL or redirect in place, but if it fails with the default authorization, it would default to the switch configuration and still allow access to that VLAN. It was just brought up that they have been doing this for a while, but now it's not working. But I think that's due to me deleting the rule that profiled a phone, allowed access, and sent that device-traffic-class=voice. But now its authorization is failing and it's not connecting? (It gets an IP but never registers to CUCM.)
Just wanted to see if my understanding was correct.
Solved! Go to Solution.
04-05-2021 03:44 PM
See the IP Telephony for 802.1X Design Guide for more detailed information. This is an old document, so there have been some enhancements since the writing, but much of the information on how things work internally is largely still accurate.
As per this document "Regardless of whether the phone is authenticated via 802.1X or MAB, the most important message from the MDA perspective is the final RADIUS Access-Accept from the ACS. The Access-Accept message contains a special Cisco vendor-specific attribute (VSA) that includes the string device-traffic-class = voice. This VSA tells the switch that the device that just authenticated is a phone and should be allowed access to the voice VLAN."
If the phone session hits an AuthZ Policy that does not include the voice domain permission in the AuthZ Profile, the switch will place the session in the DATA domain (and hence, the data VLAN).
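The following is an added illustration, not code from this thread or from Cisco: a small Python model of the decision the accepted answer describes. It parses the attribute section of a RADIUS reply, pulls out Cisco Vendor-Specific attributes (RFC 2865 type 26, IANA enterprise number 9, vendor-type 1 = cisco-avpair), and places the session in the VOICE domain only when an Access-Accept carries device-traffic-class=voice; an Access-Accept without that AV pair lands in the DATA domain. The Access-Reject branch, where an 'authentication open' port still gives data-VLAN access while a closed port gives none, follows the behaviour the original poster describes and is an assumption of this simplified model (a real switch also applies dACLs, redirects and other attributes that are not modelled here). The sample packets are constructed inline.

```python
import struct
from typing import List, Tuple

# RADIUS packet codes (RFC 2865)
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Attribute 26 is Vendor-Specific. Cisco's IANA enterprise number is 9 and
# its vendor-type 1 is the string-valued "cisco-avpair" sub-attribute.
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute section of a RADIUS packet into (type, value) pairs.

    Each attribute is: type (1 byte), length (1 byte, includes the header), value.
    """
    attrs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated RADIUS attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def cisco_avpairs(attrs: List[Tuple[int, bytes]]) -> List[str]:
    """Return the cisco-avpair strings carried in Cisco Vendor-Specific attributes.

    VSA value layout: vendor-id (4 bytes), then one or more
    vendor-type (1) / vendor-length (1) / data sub-attributes.
    """
    pairs: List[str] = []
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != VENDOR_CISCO:
            continue  # e.g. a Microsoft (311) VSA is ignored here
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("malformed Cisco VSA sub-attribute")
            if vtype == CISCO_AVPAIR:
                pairs.append(value[j + 2:j + vlen].decode("ascii", "replace"))
            j += vlen
    return pairs


def session_domain(code: int, attrs: List[Tuple[int, bytes]], open_mode: bool) -> str:
    """Simplified MDA placement: VOICE, DATA, or NONE (no access).

    Only an Access-Accept with device-traffic-class=voice reaches the voice VLAN.
    The Access-Reject handling in open mode is an assumption of this model.
    """
    if code == ACCESS_ACCEPT:
        for pair in cisco_avpairs(attrs):
            key, _, val = pair.partition("=")
            if key.strip() == "device-traffic-class" and val.strip().lower() == "voice":
                return "VOICE"
        return "DATA"  # accepted, but no voice permission in the AuthZ profile
    if code == ACCESS_REJECT:
        return "DATA" if open_mode else "NONE"
    raise ValueError(f"unexpected RADIUS code {code}")


def build_cisco_vsa(avpair: str) -> bytes:
    """Encode one cisco-avpair string as a RADIUS Vendor-Specific attribute (for samples)."""
    body = avpair.encode("ascii")
    sub = bytes([CISCO_AVPAIR, 2 + len(body)]) + body
    vendor = struct.pack("!I", VENDOR_CISCO) + sub
    return bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vendor)]) + vendor


# Constructed sample replies (attribute sections only, no RADIUS header).
VOICE_ACCEPT = build_cisco_vsa("device-traffic-class=voice")
DATA_ONLY_ACCEPT = build_cisco_vsa("ip:inacl#1=permit ip any any")  # a dACL line, no voice permission


if __name__ == "__main__":
    print("voice profile  :", session_domain(ACCESS_ACCEPT, parse_attributes(VOICE_ACCEPT), True))
    print("no voice VSA   :", session_domain(ACCESS_ACCEPT, parse_attributes(DATA_ONLY_ACCEPT), True))
    print("reject, open   :", session_domain(ACCESS_REJECT, [], True))
    print("reject, closed :", session_domain(ACCESS_REJECT, [], False))
```

Running it shows why the poster's phone gets an address but never registers: after the MAB/profiling rule that returned device-traffic-class=voice was removed, the session is still allowed on an 'authentication open' port, but only in the data VLAN, so it never reaches the voice VLAN where CUCM and its TFTP server are expected.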
03-31-2021 09:02 PM
Hi @tcebak
Since the IP phone gets an IP address, please double-check whether the IP phone receives DHCP Option 150, which contains the IP address of the CUCM TFTP server it needs to register with CUCM.
Hope this helps !!!