02-21-2021 11:35 PM
Hi all,
I am a beginner with ISE. I would like to only allow the IP phone (voice VLAN only) to access the switch, with no devices (data VLAN) behind the IP phone.
1. I tried to use host-mode single-host, but then the IP phone cannot function.
2. I tried to use host-mode multi-domain; the IP phone works, but I cannot limit the devices which are behind the IP phone (data VLAN).
What policy can I use to limit the data VLAN?
Thanks a lot.
03-09-2021 11:56 AM
Your options:
1) 802.1X authentication:
Authenticate your phones using 802.1X with username/password or certificates and deny the rest. This is absolutely possible but most people never do this because of administrative politics or effort. I assume you will not do this, either. If you do, see the ISE Authentication and Authorization Policy Reference for examples.
2) static endpoint group:
| Status | Rule Name | Conditions | Profiles | Security Groups | Hits | Actions |
|---|---|---|---|---|---|---|
| ✔ | MyPhones | IdentityGroup-Name EQUALS Endpoint Identity Groups:MyIPPhones | Cisco_IP_Phones | Select from list | 0 | ⚙ |
3) dynamic endpoint profiling:
Use ISE endpoint profiling to dynamically detect an IP phone (or not) and authorize access (or not). This is a default policy in ISE and should just work unless you have other policies that match first or do not have ISE Plus (2.x) or Advantage (3.x) licenses.
| Status | Rule Name | Conditions | Profiles | Security Groups | Hits | Actions |
|---|---|---|---|---|---|---|
| ✔ | Profiled Cisco IP Phones | IdentityGroup-Name EQUALS Endpoint Identity Groups:Profiled:Cisco-IP-Phone | Cisco_IP_Phones | Select from list | 0 | ⚙ |
| ✔ | Profiled Non Cisco IP Phones | Non_Cisco_Profiled_Phones | Non_Cisco_IP_Phones | Select from list | 0 | ⚙ |
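The first-match ordering behind option 3, including the caveat that an earlier matching rule wins, as an added example that is not part of this thread: a small Python evaluator over constructed MAB session attributes. The ISE profile names (Cisco_IP_Phones, DenyAccess, PermitAccess) and the voice cisco-av-pair are real ISE values; the rule list, the "Deny unknown MAB endpoints" rule and the session records are assumptions built for illustration.

```python
"""Toy first-match evaluator mirroring the ISE authorization rules above.
Added example, not from the thread: rule names, attribute keys and the
session records are constructed to illustrate rule ordering."""
from dataclasses import dataclass, field
from typing import Callable

# A MAB session as ISE would see it, reduced to two constructed attributes.
Session = dict  # {"AuthMethod": "mab", "EndpointIdentityGroup": "..."}


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str                      # ISE authorization profile name
    radius_attrs: dict = field(default_factory=dict)


# The built-in Cisco_IP_Phones profile is Permit Access plus the av-pair that
# tells the switch to authorize the session into the voice domain.
VOICE_AVPAIR = {"cisco-av-pair": "device-traffic-class=voice"}

RULES = [
    Rule("Profiled Cisco IP Phones",
         lambda s: s.get("EndpointIdentityGroup") == "Profiled:Cisco-IP-Phone",
         "Cisco_IP_Phones", VOICE_AVPAIR),
    Rule("MyPhones",
         lambda s: s.get("EndpointIdentityGroup") == "MyIPPhones",
         "Cisco_IP_Phones", VOICE_AVPAIR),
    # Any other MAB endpoint (a PC behind the phone, in the data domain) is
    # refused. A catch-all rule placed above this line would match first and
    # defeat the intent, which is the "other policies that match first" caveat.
    Rule("Deny unknown MAB endpoints",
         lambda s: s.get("AuthMethod") == "mab",
         "DenyAccess"),
]


def authorize(session: Session, rules=RULES):
    """Return (rule name, profile, RADIUS attributes) for the first matching
    rule, or the Default rule (DenyAccess) when nothing matches."""
    for rule in rules:
        if rule.condition(session):
            return rule.name, rule.profile, dict(rule.radius_attrs)
    return "Default", "DenyAccess", {}


if __name__ == "__main__":
    phone = {"AuthMethod": "mab", "EndpointIdentityGroup": "Profiled:Cisco-IP-Phone"}
    laptop = {"AuthMethod": "mab", "EndpointIdentityGroup": "Unknown"}
    print(authorize(phone))   # voice domain permitted
    print(authorize(laptop))  # data domain refused
```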
02-22-2021 12:12 AM
Have you considered disabling the data port on the phones? Since you don't want it being used, you could just disable it altogether from your phone system's control panel.
02-22-2021 04:54 AM
Thanks for your suggestion. I would like to prevent some users who know how to turn it on again from doing so.
02-22-2021 03:21 AM
Hi @Tsoi07383
You can configure the DATA VLAN as a "garbage" one, a VLAN without access to your network.
Disabling the IP phone's data port is a good option, but you have to consider that someone could disconnect the IP phone cable and connect it to the notebook, bypassing the IP phone's data port configuration.
Hope this helps!!!
02-22-2021 05:06 AM
Hi Maoris,
For the user authentication, there are dynamic VLAN settings for different users. The IP phones are authenticated by MAB.
Even though I configure the DATA VLAN as a "garbage" one, the users are still allocated their specified VLAN and then access the network.
I tried to use single-host, but the IP phone can't work.
Switchport config as below
```text
! voice VLAN for the phone, data VLAN (the "garbage" one) for the access domain
switchport voice vlan 998
switchport access vlan 999
switchport mode access
no cdp enable
authentication periodic
authentication timer reauthenticate server
! multi-domain: one voice device plus one data device allowed on the port
access-session host-mode multi-domain
! closed mode: no traffic until the session is authorized
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 15
spanning-tree portfast
!
```