ISE policy for only IP phone access

Tsoi07383
Level 1

Hi all,

 

I am a beginner to ISE. I would like to only allow IP phones (voice VLAN only) to access the switch, and no devices (data VLAN) behind the IP phone.

1. I tried to use host-mode single-host, but the IP phone cannot function.

2. I tried to use host-mode multi-domain; the IP phone works, but I cannot limit the devices which are behind the IP phone (data VLAN).

What policy can I use to limit the data VLAN?

 

Thanks a lot.

 

 

 

Accepted Solution

thomas
Cisco Employee

Your options:

1) 802.1X authentication:

Authenticate your phones using 802.1X with username/password or certificates and deny the rest. This is absolutely possible but most people never do this because of administrative politics or effort. I assume you will not do this, either. If you do, see the ISE Authentication and Authorization Policy Reference for examples.

 

2) static endpoint group:

  1. Create an IP phone group @ Administration > Identity Management > Groups > Endpoint Identity Groups
  2. Import all of your known IP Phones' MAC addresses to this group via CSV file under Context Visibility > Endpoints > Import. You will want to download the template or export all existing devices first and update the IdentityGroup field to MyIPPhones or whatever your group name you created. Change StaticGroupAssignment to TRUE.
  3. Create the policy to allow MAC addresses in this group:
    Rule Name: MyPhones
    Conditions: IdentityGroup-Name EQUALS Endpoint Identity Groups:MyIPPhones
    Profiles: Cisco_IP_Phones
    Security Groups: Select from list
    Hits: 0

3) dynamic endpoint profiling:

Use ISE endpoint profiling to dynamically detect an IP phone (or not) and authorize access (or not). This is a default policy in ISE and should just work unless you have other policies that match first or do not have ISE Plus (2.x) or Advantage (3.x) licenses.

Rule Name: Profiled Cisco IP Phones
Conditions: IdentityGroup-Name EQUALS Endpoint Identity Groups:Profiled:Cisco-IP-Phone
Profiles: Cisco_IP_Phones
Security Groups: Select from list
Hits: 0

Rule Name: Profiled Non Cisco IP Phones
Conditions: Non_Cisco_Profiled_Phones
Profiles: Non_Cisco_IP_Phones
Security Groups: Select from list
Hits: 0
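As an added illustration of options 2 and 3 above (this is example code written for this page, not part of thomas's answer and not Cisco's or ISE's own code), the script below does two things: it builds the step-2 import CSV from a constructed list of phone MACs, normalising whatever MAC notation the inventory uses into the form ISE expects and statically assigning every row to MyIPPhones; and it models the first-match evaluation of the three authorization rules above plus a catch-all DenyAccess default, so you can see that on a multi-domain port the data-domain device behind the phone is its own session and falls through to the deny. The CSV header row is an assumption: only IdentityGroup and StaticGroupAssignment are named in the thread, so take the real column names from the template downloaded at Context Visibility > Endpoints > Import. The rule conditions are simplified models of the ISE conditions, and the Non_Cisco_Profiled_Phones compound condition is represented by a single flag.

```python
import csv
import io
import re

# Constructed sample inventory of known IP phone MACs (not from the thread),
# deliberately in the mixed notations that turn up in real exports.
KNOWN_PHONE_MACS = [
    "00:1A:2B:3C:4D:5E",
    "001a.2b3c.4d5f",
    "00-1A-2B-3C-4D-60",
]

GROUP_NAME = "MyIPPhones"  # the endpoint identity group created in step 1

# ASSUMED header: the thread names only IdentityGroup and StaticGroupAssignment;
# the MACAddress column name and the column order must be taken from the
# template downloaded at Context Visibility > Endpoints > Import.
CSV_HEADER = ["MACAddress", "IdentityGroup", "StaticGroupAssignment"]

_MAC_HEX = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw):
    """Return the MAC as AA:BB:CC:DD:EE:FF, accepting colon, dash or
    Cisco dotted notation; raise ValueError on anything that is not 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not _MAC_HEX.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_import_csv(macs, group=GROUP_NAME):
    """Step 2: one row per phone, statically assigned to the phone group."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(CSV_HEADER)
    for mac in macs:
        writer.writerow([normalize_mac(mac), group, "TRUE"])
    return buf.getvalue()


def _in_group(name):
    """Model of 'IdentityGroup-Name EQUALS Endpoint Identity Groups:<name>'."""
    return lambda ep: ep.get("identity_group") == name


# Authorization rules in the order ISE evaluates them: first match wins, and
# the Default rule at the bottom denies anything the earlier rules did not claim.
# (name, condition, authorization profile)
AUTHZ_RULES = [
    ("MyPhones", _in_group("MyIPPhones"), "Cisco_IP_Phones"),
    ("Profiled Cisco IP Phones", _in_group("Profiled:Cisco-IP-Phone"), "Cisco_IP_Phones"),
    # Non_Cisco_Profiled_Phones is a compound ISE condition; modelled here as one flag.
    ("Profiled Non Cisco IP Phones", lambda ep: ep.get("non_cisco_phone", False), "Non_Cisco_IP_Phones"),
    ("Default", lambda ep: True, "DenyAccess"),
]


def authorize(endpoint, rules=AUTHZ_RULES):
    """Return (rule name, profile) of the first rule whose condition matches."""
    for name, cond, profile in rules:
        if cond(endpoint):
            return name, profile
    raise RuntimeError("rule set has no catch-all Default rule")


def authorize_port(sessions):
    """A multi-domain port carries one VOICE and one DATA session; each is
    authorized on its own MAC, so the laptop behind the phone cannot ride on
    the phone's result. Returns {domain: profile}."""
    return {domain: authorize(ep)[1] for domain, ep in sessions.items()}


if __name__ == "__main__":
    print(build_import_csv(KNOWN_PHONE_MACS))
    port = {
        "VOICE": {"identity_group": "MyIPPhones"},       # phone from the CSV import
        "DATA": {"identity_group": "Workstation"},       # laptop on the phone's PC port
    }
    print(authorize_port(port))  # {'VOICE': 'Cisco_IP_Phones', 'DATA': 'DenyAccess'}
```

The deny on the DATA session only holds as long as no earlier rule in the real policy set matches the laptop (for example a Workstation or wired-user rule), which is exactly the "other policies that match first" caveat in option 3; ordering the phone rules above such rules does not help, because the laptop's session is evaluated independently and simply keeps falling until something matches it.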

 


Tyson Joachims
Spotlight

Have you considered disabling the data port on the phones? Since you don't want it being used, you could just disable it altogether from your phone system's control panel.

Thanks for your suggestion. I would like to prevent some users knowing how to turn it on again.

Hi @Tsoi07383 

You can configure the DATA VLAN as a "garbage" one, a VLAN without access to your network.

Disabling the IP phone's data port is a good option, but you have to consider that someone could disconnect the IP phone cable and connect it to the notebook, bypassing the IP phone's data port configuration.

 

Hope this helps!!!

Hi Maoris,

 

For user authentication there are dynamic VLAN settings for different users; the IP phones are authenticated by MAB.

Although I configured the DATA VLAN as a "garbage" one, the users are still allocated their specified VLAN and then access the network.

I tried to use single-host, but the IP phone can't work.

 

Switchport config as below:

switchport voice vlan 998
switchport access vlan 999
switchport mode access
no cdp enable
authentication periodic
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 15
spanning-tree portfast
!

 
