Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
895
Views
0
Helpful
3
Replies

ISE - Not all Cisco Phones are Being Profiled as Cisco Phones

Jabroni1972
Level 1
Level 1

‎10-28-2019 09:19 AM - edited ‎10-28-2019 09:20 AM

Running ISE 2.3 with 2 nodes in Active / Standby.

I have 4 Cisco 8851 IP phones.

My Authentication policy is Wired 802.1X and Network Access EAPAuthentication equals EAP-TLS

My Authorization policy is Network Access EAPAuthentication equals EAP-TLS and Cert Subject Starts with CP-

 

Before you bash me for using the MIC cert just know this is all in testing and preparing for a large scale rollout of dot1x.  I plan to have Authorization on the LSC.

 

Anyway, of the 4 phones I have, 2 are profiled as Cisco-IP-Phone and they pass on to the Voice VLAN without issue, contact the call manager and register correctly.  The other 2 phones hit our default MAB-Default rule and get kicked over to our Guest VLAN.  These 2 phones are showing an Endpoint Profile of Cisco-Device but the Identity Group just says Profiled (where it should say Cisco-IP-Phone). 

 

Any help would be much appreciated.  

 

0 Helpful
3 Replies 3

Mike.Cifelli
VIP Alumni
VIP Alumni

‎10-28-2019 09:37 AM

Are all 4 phones plugged into the same NAD? IMO I like using my own profiles instead of the out-of-the-box ones. If you decide to go that route ensure that your MCF is higher than the default ones from the Cisco-IP-Phone profile.
Here is what I would do to start troubleshooting this:
Ensure you know what conditions are configured under the Cisco-IP-Phone profile. Take the MAC addresses for the two failing host and go to context visibility. Then look at the attributes to see what certain attributes are not being passed to ISE via your sensor. Good luck & HTH!
0 Helpful

Jabroni1972
Level 1
Level 1
In response to Mike.Cifelli

‎10-28-2019 09:53 AM

That's the odd thing about it.  We don't have what I would consider a complicated ISE setup.  In looking at Context Visibility everything is the same for a phone that works and a phone that doesn't work.  See below.  Thanks for the help.

 

Bad.JPGGood.JPG

0 Helpful

Jabroni1972
Level 1
Level 1
In response to Mike.Cifelli

‎10-28-2019 09:58 AM

Scratch my previous post as I must have fat fingered something.  There is a difference but I can't tell why one phone works and one doesn't.  All 4 of my test phones are plugged into the same switch so I am pretty sure it isn't the switch config.  Below are the correct screenshots.

 

Good.JPGBad.JPG

0 Helpful
Customers Also Viewed These Support Documents