Mobile phone audio problem after implementation ISE 2.7

DariuszD
Level 1

Hello

I am using Cisco ISE 2.7 in my infrastructure for MAB and 802.1X network access authentication. I have noticed a problem with Cisco VoIP phones connected to a switch port. The problem is that after setting up a call to a mobile phone, the person making the call cannot be heard by the person receiving the call (on their mobile phone); calls between VoIP phones in the office work fine. It seems that on the ISE and switch side everything is configured correctly; MAB authentication and 802.1X are working correctly.

I have the correct policy and profile for the Voice VLAN configured in ISE:

Access type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:43
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
DACL = ACL_Voice
cisco-av-pair = device-traffic-class=voice

dACL_Voice
permit ip any host y.y.y.y # CCM_IP_1
permit ip any host x.x.x.x # CCM_IP_2
permit udp any (VoIP phone IP)  range 16384 32767 //RTP protocol
permit udp any (VoIP phone IP)  range 16384 32767 //RTP protocol
deny ip any any

On each port of the access switch I have added an inbound ACL: ip access-group ACL-PREAUTH in

ip access-list extended ACL-PREAUTH
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit tcp any host x.x.x.x eq www  # ISE_1 IP
40 permit tcp any host y.y.y.y eq www  # ISE_2 IP
50 permit tcp any host x.x.x.x eq 8443 # ISE_1 IP
60 permit tcp any host y.y.y.y eq 8443 # ISE_2 IP
70 permit tcp any host x.x.x.x eq 443 # ISE_1 IP
80 permit tcp any host y.y.y.y eq 443 # ISE_2 IP
110 deny icmp any any echo
120 deny tcp any any range 22 telnet
130 deny icmp any any echo-reply
140 deny ip any any

All problems disappear when I remove the following from the configuration of the switch port to which the VoIP phone is connected: ip access-group ACL-PREAUTH in

I need the ACL-PREAUTH list on the ports because I want to block SSH, ping and telnet for connected PCs that will not be authenticated in ISE.


Regards

2 Replies

Damien Miller
VIP Alumni

Can you share the switch model and software version it's running?

The one-way audio is very likely related to the ACLs; we just need to narrow down why. Do you also see the phone IP in the auth session, and the phone IP showing up as active in the device tracking database?

Damien, thanks for your reply.

The problem occurs on the following switch:

WS-C2960S-48FPS-L 15.2(2)E9 C2960S-UNIVERSALK9-M

The phone registers correctly in the network, the connection between the telephones is established correctly, and the telephones download the IP. At first I had the same problem when the phones set up a VoIP call to a VoIP phone in the office: the caller was not heard by the person answering the call, and removing the inbound ACL ACL-PREAUTH from the port to which the VoIP phone is connected also helped then. I read up on the Cisco Community and added a dACL (dACL_Voice) to the profile for Voice_VLan with entries for the RTP protocol:

permit udp any (VoIP phone IP) range 16384 32767 //RTP protocol
permit udp any (VoIP phone IP) range 16384 32767 //RTP protocol

After adding the above entries to the dACL, the audio problem with the VoIP to VoIP connection disappeared.

After some time I noticed that the same problem I had with VoIP-to-VoIP calls also occurs when I call from a VoIP phone to a mobile phone, and in this case it also helps to disable the ACL on the port to which the VoIP phone is connected. I tried adding different ports to dACL_Voice, but this does not solve the audio problem.
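One check worth running on both ACLs in this thread (the port's ACL-PREAUTH and the session's dACL_Voice) is to evaluate them the way the switch does: inbound on the phone's port, every packet has the phone as its source, so the destination column of each entry must name the far-end RTP peer. The script below is an added example, not code from the thread or from Cisco; it is a small first-match evaluator for IOS-style extended ACL entries that reports what each ACL does to a DHCP request, the phone's signalling to CUCM, RTP to another office phone, and RTP to a voice gateway. All addresses are constructed placeholders, "(VoIP phone IP)" in the thread is taken to mean the voice VLAN prefix, and the existence of a separate voice gateway that terminates RTP for calls to mobile phones is an assumption about the call path, added here only as a flow to test.

```python
"""Added example (not from the thread): first-match evaluator for IOS-style
extended ACL entries, applied to the flows a VoIP phone sources inbound on its
switch port.  Every address here is a constructed placeholder."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    """One packet as the switch sees it inbound on the port (source = the phone)."""
    proto: str          # "udp", "tcp", "icmp" or "ip"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One entry: addresses are "any", "host A.B.C.D" or a CIDR prefix;
    port bounds model "eq N" (lo == hi) and "range LO HI"."""
    action: str         # "permit" or "deny"
    proto: str
    src: str
    dst: str
    sport: tuple = (0, 65535)
    dport: tuple = (0, 65535)


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == spec.split()[1]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl, flow):
    """Return (action, index) of the first matching entry; an ACL that matches
    nothing falls through to the implicit deny, reported as ("deny", None)."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if not (_addr_matches(ace.src, flow.src) and _addr_matches(ace.dst, flow.dst)):
            continue
        # Port bounds only apply to TCP/UDP entries; "ip" and "icmp" entries ignore them.
        if ace.proto in ("tcp", "udp") and not (
                ace.sport[0] <= flow.sport <= ace.sport[1]
                and ace.dport[0] <= flow.dport <= ace.dport[1]):
            continue
        return ace.action, i
    return "deny", None


# Constructed topology (assumptions, not values from the thread).
PHONE = "10.43.0.20"          # the VoIP phone on the port under test
OTHER_PHONE = "10.43.0.21"    # a second office phone in the voice VLAN
VOICE_VLAN = "10.43.0.0/24"   # reading of the thread's "(VoIP phone IP)" placeholder
CUCM_1, CUCM_2 = "10.1.1.10", "10.1.1.11"
VOICE_GATEWAY = "10.1.2.5"    # assumed gateway terminating RTP for calls to mobiles
ISE_1 = "10.1.3.10"
RTP = (16384, 32767)

# dACL_Voice as posted in the thread, with the placeholders above.
DACL_VOICE = [
    Ace("permit", "ip", "any", f"host {CUCM_1}"),
    Ace("permit", "ip", "any", f"host {CUCM_2}"),
    Ace("permit", "udp", "any", VOICE_VLAN, dport=RTP),   # RTP towards office phones
    Ace("deny", "ip", "any", "any"),
]

# Candidate variant to test: RTP towards the assumed gateway (not a fix from the thread).
DACL_VOICE_WITH_GATEWAY = DACL_VOICE[:3] + [
    Ace("permit", "udp", "any", f"host {VOICE_GATEWAY}", dport=RTP),
    Ace("deny", "ip", "any", "any"),
]

# The entries of ACL-PREAUTH that matter for the flows below.
ACL_PREAUTH = [
    Ace("permit", "udp", "any", "any", sport=(68, 68), dport=(67, 67)),  # bootpc -> bootps
    Ace("permit", "udp", "any", "any", dport=(53, 53)),                  # domain
    Ace("permit", "tcp", "any", f"host {ISE_1}", dport=(8443, 8443)),
    Ace("deny", "icmp", "any", "any"),
    Ace("deny", "tcp", "any", "any", dport=(22, 23)),                    # range 22 telnet
    Ace("deny", "ip", "any", "any"),
]

# Constructed sample flows, all sourced by the phone except the DHCP request.
FLOWS = {
    "dhcp discover":        Flow("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "sccp to cucm":         Flow("tcp", PHONE, CUCM_1, 50000, 2000),
    "rtp to office phone":  Flow("udp", PHONE, OTHER_PHONE, 20000, 20002),
    "rtp to voice gateway": Flow("udp", PHONE, VOICE_GATEWAY, 20000, 20002),
}


def report(acl):
    """Map each named flow to the action the ACL takes on it."""
    return {name: evaluate(acl, flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in [("ACL-PREAUTH", ACL_PREAUTH), ("dACL_Voice", DACL_VOICE),
                       ("dACL_Voice + gateway", DACL_VOICE_WITH_GATEWAY)]:
        print(label, report(acl))
```

Running it shows that ACL-PREAUTH denies every RTP flow (which matches the symptom going away when the port ACL is removed), that dACL_Voice permits RTP only towards destinations inside the voice VLAN prefix, and that any RTP peer outside that prefix falls through to the final deny; comparing the output for the real far-end address of a mobile call against the entries in the session's ACL is the quickest way to confirm or rule out the ACL as the cause before touching the configuration.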