MAB / Voice Authentication

neteng1
Level 1

I am testing wired port authentication using MAB with the IBNS 2.0 method. Everything is working as expected. However, I want to create a policy that authorizes voice devices immediately.

I tried the following config, but the switch still tries to authenticate the phone.

class-map type control subscriber match-all VOICE
 match client-type voice
policy-map type control subscriber POLICY_USER
 event session-started match-first
  10 class VOICE do-until-failure
   10 authorize
  20 class always do-until-failure
   10 authenticate using mab priority 10

Is there something I'm doing wrong or another way to accomplish this? I am not sure how the class-map identifies voice clients, but I did reference this document.


5 Replies

neteng1
Level 1

I have not found a solution yet. I want to avoid authenticating phones to ISE because it requires a plus license for profiling.

There is a command on the 3850 (16.12.05b) which is not documented anywhere; does anyone know anything more about this?

switch(config)#access-session voice ?
  skip-data-vlan  Skip Default DataVlan Auth for voice client

hslai
Cisco Employee

My guess is that it depends on how the switch identifies the client type as voice. It would need device classifier or the like.

Thanks. I enabled device classifier globally, which is now detecting the device-type. I also created a service-template to assign the voice VLAN to "Cisco-IP-Phone". As you can see below, the policy assignment is working, but the phone is still assigned to the DATA domain.

I know that ISE uses this attribute in CoA "cisco-av-pair=device-traffic-class=voice". Still trying to figure out how I can assign the VOICE domain locally.

switch#sh access-session int g1/0/1 details
            Interface:  GigabitEthernet1/0/1
               IIF-ID:  0x1480E677
          MAC Address:  2c73.a003.5a4d
         IPv6 Address:  fe80::2e73:a0ff:fe03:5a4d
         IPv4 Address:  10.1.1.240
          Device-type:  Cisco-IP-Phone
          Device-name:  Cisco IP Phone 7821
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
  Acct update timeout:  172800s (local), Remaining: 172128s
    Common Session ID:  0A0113280000010F9722A9F7
      Acct Session ID:  0x000000be
               Handle:  0x46000105
       Current Policy:  POLICY_USER


Local Policies:
	Service Template: VOICE (priority 150)
           Voice Vlan:  Vlan: 1930

Accepted Solution

You can assign the phone locally by applying a service template to it under the class definition:

policy-map type control subscriber POLICY_USER
 event session-started match-first
  10 class VOICE do-until-failure
   10 activate service-template ASSIGN_VOICE_VLAN
   20 authorize

where the contents of the service-template are:

service-template ASSIGN_VOICE_VLAN
 description ** Set the Voice Domain Permission **
 voice vlan

Thank you, that is the solution. In my case, I did try that but forgot to include a permit ACL since I had a pre-auth ACL configured. As a note, the domain is still assigned to DATA instead of VOICE, but that does not seem to be an issue.

Here is a snippet of my full config.

device classifier

service-template VOICE
 access-group implicit_permit
 voice vlan

class-map type control subscriber match-any VOICE
 match device-type "Cisco-IP-Phone"

policy-map type control subscriber POLICY_USER
 event session-started match-first
  10 class VOICE do-until-failure
   10 activate service-template VOICE
   20 authorize
  20 class always do-until-failure
   10 authenticate using mab priority 1

template AUTH_USER
 spanning-tree portfast
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 trust device cisco-phone
 mab
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber POLICY_USER
 description AUTH_USER

interface GigabitEthernet1/0/1
 device-tracking attach-policy IPDT_POLICY
 ip access-group PRE_AUTH_ACL in
 source template AUTH_USER
 spanning-tree portfast

ip access-list extended PRE_AUTH_ACL
 10 permit udp any any eq domain
 20 permit udp any eq bootpc any eq bootps
 30 permit icmp any any
 40 permit udp any any eq tftp
 50 deny   ip any any
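An added example, not from the thread or from Cisco: once the local VOICE class is in place, the thing to verify across many ports is what the switch actually did with each session, and `show access-session details` is the only place that shows it. The script below parses that output (field labels taken from the output quoted in the thread), then flags phones the local class failed to authorize, phones authorized without a voice VLAN, reports the DATA-domain oddity the thread notes as informational, and warns about any session that received a local service template without being classified as a phone. The `PHONE_TYPES` tuple and the three sample session blocks are constructed for this example.

```python
"""Audit 'show access-session details' output from an IBNS 2.0 switch.

Example code, not from the thread. Parses the per-session blocks the
switch prints and checks what the local VOICE class did with each one.
The sample output at the bottom is constructed.
"""
import re
from dataclasses import dataclass, field

# Device-classifier types the local policy trusts (assumption for this example).
PHONE_TYPES = ("Cisco-IP-Phone",)


@dataclass
class Session:
    interface: str
    mac: str = ""
    device_type: str = ""
    status: str = ""
    domain: str = ""
    policy: str = ""
    templates: list = field(default_factory=list)
    voice_vlan: str = ""

    @property
    def is_phone(self):
        return self.device_type in PHONE_TYPES


# "   Label:  value" lines; the 'Local Policies' sub-block has its own shapes.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s+(\S.*?)\s*$")
TEMPLATE_RE = re.compile(r"Service Template:\s+(\S+)")
VOICE_VLAN_RE = re.compile(r"Voice Vlan:\s+Vlan:\s+(\d+)")

# 'show' labels we keep, mapped to Session attributes.
FIELDS = {
    "MAC Address": "mac",
    "Device-type": "device_type",
    "Status": "status",
    "Domain": "domain",
    "Current Policy": "policy",
}


def parse_sessions(text):
    """Split 'show access-session ... details' output into Session objects."""
    sessions, cur = [], None
    for line in text.splitlines():
        t = TEMPLATE_RE.search(line)
        if t and cur:
            cur.templates.append(t.group(1))
            continue
        v = VOICE_VLAN_RE.search(line)
        if v and cur:
            cur.voice_vlan = v.group(1)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if key == "Interface":          # every session block starts with this line
            cur = Session(interface=val)
            sessions.append(cur)
        elif cur and key in FIELDS:
            setattr(cur, FIELDS[key], val)
    return sessions


def audit(sessions):
    """Return (interface, level, message) findings about the voice policy."""
    findings = []
    for s in sessions:
        if s.is_phone:
            if s.status != "Authorized":
                findings.append((s.interface, "WARN",
                    f"{s.device_type} {s.mac} not authorized by the local VOICE class"))
            elif not s.voice_vlan:
                findings.append((s.interface, "WARN",
                    f"phone {s.mac} authorized without a voice VLAN from a service template"))
            elif s.domain != "VOICE":
                # The thread observes this: voice VLAN set by template, domain still DATA.
                findings.append((s.interface, "INFO",
                    f"phone {s.mac} has voice VLAN {s.voice_vlan} but session domain is {s.domain}"))
        elif s.templates and s.status == "Authorized":
            # Local templates bypass the RADIUS server; a non-phone getting one is worth a look.
            findings.append((s.interface, "WARN",
                f"{s.device_type or 'unclassified device'} {s.mac} authorized by local template(s) {s.templates}"))
    return findings


# Constructed sample: one healthy phone, one phone the class missed, and one
# non-phone that received the voice template anyway.
SAMPLE = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0011.2233.4455
          Device-type:  Cisco-IP-Phone
          Device-name:  Cisco IP Phone 7821
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
       Current Policy:  POLICY_USER

Local Policies:
\tService Template: VOICE (priority 150)
           Voice Vlan:  Vlan: 20

            Interface:  GigabitEthernet1/0/2
          MAC Address:  0011.2233.4466
          Device-type:  Cisco-IP-Phone
               Status:  Unauthorized
               Domain:  DATA
       Current Policy:  POLICY_USER

            Interface:  GigabitEthernet1/0/3
          MAC Address:  0011.2233.4477
          Device-type:  Un-Classified Device
               Status:  Authorized
               Domain:  DATA
       Current Policy:  POLICY_USER

Local Policies:
\tService Template: VOICE (priority 150)
           Voice Vlan:  Vlan: 20
"""

if __name__ == "__main__":
    for intf, level, msg in audit(parse_sessions(SAMPLE)):
        print(f"{level:4} {intf}: {msg}")
```

Feed it `show access-session details` (all ports) captured from the switch instead of `SAMPLE`. One caveat the last check cannot cover: `match device-type "Cisco-IP-Phone"` trusts the device classifier, which builds its verdict from what the host sends (CDP, LLDP, DHCP and the MAC OUI), so a host that imitates a phone is authorized locally with the `implicit_permit` ACL and never reaches ISE; the audit will report it as a healthy phone. That is the trade the thread makes to avoid profiling licences, and it is worth knowing that the trade exists.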
