michael_bartho
Beginner

ISE MAB with Aastra 5370ip (no LLDP or CDP)

Hi guys,

We are using Aastra IP phones that don't support LLDP or CDP. The phones connect to a user subnet for FTP download of the config. After the config is installed, the phone puts voice traffic in VLAN 40.

How can I make a MAB policy that allows the phone onto the user VLAN for config, and afterwards ISE makes a CoA and puts the phone onto VLAN 40? If I put the phone directly in VLAN 40 via the AuthZ policy, it doesn't get an IP address, since the traffic should be tagged to VLAN 40.

My 802.1x deployment is stuck until I find a workaround!

Br,

Michael

2 REPLIES
michoudi
Beginner

Create a MAB AuthZ policy that matches the vendor MAC address to place the phone into the user VLAN. Include 802.1x configuration for the phone config that is downloaded. Then create an 802.1x AuthZ policy for phones that have been configured that puts them on your voice VLAN. Unconfigured phones will match MAB and go into the user VLAN; configured phones will match the 802.1x policy and go into the voice VLAN.

If the switchport's authentication priority and order are 802.1x first, you won't even need to do CoA. The switchport will see that the phone is now trying to authenticate with 802.1x and re-authenticate it.
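One way to wire an access port for the approach described in this reply, as an added example that is not from the original post or from Cisco. It assumes a Cisco IOS access switch, interface GigabitEthernet1/0/1, user VLAN 10 (placeholder; only VLAN 40 comes from the thread) and that ISE returns a voice-domain authorization for the 802.1x policy.

```text
! Added example: port tries 802.1x first, falls back to MAB.
! Unconfigured phone: no EAPOL -> dot1x times out -> MAB matches the
!   vendor MAC in ISE -> user VLAN (placeholder VLAN 10) for the FTP download.
! Configured phone: sends EAPOL -> dot1x has priority over the MAB session,
!   so the port re-authenticates it -> ISE 802.1x policy -> voice VLAN 40.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 40
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! Short EAP timers so a non-dot1x phone falls back to MAB quickly
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 spanning-tree portfast
```

Verify the transition with `show authentication sessions interface GigabitEthernet1/0/1 details`: the method should move from MAB to dot1x once the configured phone starts sending EAPOL.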

It sounds like a solution that will work. The phones support dot1x, so I'll have to go into the configs and tests. 
