Re: MAB authentication with cisco Phone

Saeed Abd Elhalim Hamada · ‎02-02-2025

Hi all

i`m using DNA and my company recently bougth ISE and we doing our implamantion o face problem with the Cisco Phone

the problem it how to assigend Voice vlan to cisco phone when they try to connect using mab , becuse when i use authiz profile that assend vlan X when phone authication it`s give the port as access vlan not voice vlan

i read about i can assgned template this teplate have command (sw acc voice vlan) , but the problem with this solution is the dna when i applyed close authication dna pushed template and i cannt apply two template on the same port

so if anyone have any idea about how to make any phone auth mab assgiend to voice vlan

thanks

Rob Ingram · ‎02-02-2025

@Saeed Abd Elhalim Hamada create an Authorisation Profile to to send a Cisco Attribute-Value (AV) pair attribute with a value of - device-traffic-class=voice

Example

Saeed Abd Elhalim Hamada · ‎02-02-2025

you mean voice per ?

Rob Ingram · ‎02-02-2025

@Saeed Abd Elhalim Hamada yes you can use the "Voice Domain Permission" common task.

Saeed Abd Elhalim Hamada · ‎02-02-2025

Rob Ingram · ‎02-02-2025

@Saeed Abd Elhalim Hamada ok, what is the issue now?

Provide the output of "show authentication session interface gig 6/0/23 detail"

Provide the output of the configuration of GI6/0/23

Saeed Abd Elhalim Hamada · ‎02-02-2025

the interface should be in VLAN 8 as voice and Vlan 50 as data

Rob Ingram · ‎02-02-2025

@Saeed Abd Elhalim Hamada is "switchport voice vlan 8" configured under the interface?

Provide the output of the configuration of GI6/0/23

Saeed Abd Elhalim Hamada · ‎02-03-2025

no it`s not

Saeed Abd Elhalim Hamada · ‎02-03-2025

i need to make it dynamic vlan is that possible , cuz if i didnt i need to make all interface voice vlan static

Aref Alsouqi · ‎02-03-2025

I think you can, but you would still need to configure a default voice VLAN on the switch interfaces. Say if you configure the default voice VLAN to be 20 and then you push different voice VLAN IDs from ISE, the voice VLAN attributes on the ports will be taken from ISE. Alternatively I think you can rely on the interface template feature but that would require running IBNS 2.0 to be able to assign the VLAN ID.

Arne Bier · ‎02-03-2025

@Aref Alsouqi - I have yet to find the RADIUS attribute that tells a switch to change the VOICE VLAN. I don't believe this feature exists. It does of course exist for the 'access vlan' (DATA domain).

Aref Alsouqi · ‎02-04-2025

@Arne Bier I was wrong on this one, thanks for pointing that out. I checked on a deployment I have and I couldn't find any attribute to change the voice VLAN dynamically. I think the only option to do that would be via the interface templates or maybe the service templates but I think both would require IBNS 2.0.

Saeed Abd Elhalim Hamada · ‎02-02-2025

phone keep in verviy your network stage

Overview

Event	5200 Authentication succeeded
Username	6C:41:0E:DE:DA:E4
Endpoint Id	6C:41:0E:DE:DA:E4
Endpoint Profile	Cisco-IP-Phone-8811
Authentication Policy	Wired MAB NIB Phones >> New-Mab Auth
Authorization Policy	Wired MAB NIB Phones >> Authorization Rule 1
Authorization Result	VOICE_VLAN_8

Authentication Details

Source Timestamp	2025-02-03 09:23:19.453
Received Timestamp	2025-02-03 09:23:19.453
Policy Server	ISE-01
Event	5200 Authentication succeeded
Username	6C:41:0E:DE:DA:E4
User Type	Host
Endpoint Id	6C:41:0E:DE:DA:E4
Calling Station Id	6C-41-0E-DE-DA-E4
Endpoint Profile	Cisco-IP-Phone-8811
Authentication Identity Store	Internal Endpoints
Identity Group	Cisco-IP-Phone
Audit Session Id	01000C0A0000ED04CAE5D5B6
Authentication Method	mab
Authentication Protocol	Lookup
Service Type	Call Check
Network Device	Edge-F3-01-R.Nibhq.local
Device Type	All Device Types#NAS Address
NAS IPv4 Address	10.100.3.1
NAS Port Id	GigabitEthernet6/0/23
NAS Port Type	Ethernet
Authorization Profile	VOICE_VLAN_8
Response Time	8 milliseconds

Other Attributes

ConfigVersionId	389
DestinationPort	1812
Protocol	Radius
NAS-Port	50623
Framed-MTU	1468
OriginalUserName	6c410ededae4
NetworkDeviceProfileId	b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow	false
AcsSessionID	ISE-01/526818642/733406
SelectedAuthenticationIdentityStores	Internal Endpoints
AuthenticationStatus	AuthenticationPassed
IdentityPolicyMatchedRule	New-Mab Auth
AuthorizationPolicyMatchedRule	Authorization Rule 1
EndPointMACAddress	6C-41-0E-DE-DA-E4
ISEPolicySetName	Wired MAB NIB Phones
IdentitySelectionMatchedRule	New-Mab Auth
TotalAuthenLatency	8
ClientLatency	0
DTLSSupport	Unknown
HostIdentityGroup	Endpoint Identity Groups:Profiled:Cisco-IP-Phone
Network Device Profile	Cisco
Location	Location#All Locations
Device Type	Device Type#All Device Types#NAS Address
IPSEC	IPSEC#Is IPSEC Device#No
Name	Endpoint Identity Groups:Profiled:Cisco-IP-Phone
RADIUS Username	6C:41:0E:DE:DA:E4
Device IP Address	10.100.3.1
CPMSessionID	01000C0A0000ED04CAE5D5B6
Called-Station-ID	7C:AD:4F:28:FD:97
CiscoAVPair	cts-pac-opaque=****,service-type=Call Check,audit-session-id=01000C0A0000ED04CAE5D5B6,method=mab,client-iif-id=371229461,AuthenticationIdentityStore=Internal Endpoints
UseCase	Host Lookup

Result

UserName	6C:41:0E:DE:DA:E4
User-Name	6C-41-0E-DE-DA-E4
Class	CACS:01000C0A0000ED04CAE5D5B6:ISE-01/526818642/733406
cisco-av-pair	device-traffic-class=voice
cisco-av-pair	profile-name=Cisco-IP-Phone-8811
LicenseTypes	Advantage license consumed.