I am using Cisco ISE 2.7 in my infrastructure for MAB and 802.1X network access authentication. I have noticed a problem with Cisco Voip phones connected to a switch port. The problem is that after setting up the call to the mobile phone , the person making the call cannot be heard by the person receiving the call (on his mobile phone), call between VoIP phone in officre works fine . It seems that on the ISE and switch side everything is configured correctly, MAB authentication and 802.1x is working correctly.
I have the correct policy and profile for Voice VLan configured in ISE:
dACL_Voice permit ip any host y.y.y.y # CCM_IP_1 permit ip any host x.x.x.x # CCM_IP_2 permit udp any (VoIP phone IP) range 16384 32767 //RTP protocol permit udp any (VoIP phone IP) range 16384 32767 //RTP protocol deny ip any any
on each port of the access switch I have added acl on IN : ip access-group ACL-PREAUTH in
ip access extend ACL-PREAUTH 10 permit udp any eq bootpc any eq bootps 20 permit udp any any eq domain 30 permit tcp any host x.x.x.x eq www # ISE_1 IP 40 permit tcp any host y.y.y.y eq www # ISE_2 IP 50 permit tcp any host x.x.x.x eq 8443 # ISE_1 IP 60 permit tcp any host y.y.y.y eq 8443 # ISE_2 IP 70 permit tcp any host x.x.x.x eq 443 # ISE_1 IP 80 permit tcp any host y.y.y.y eq 443 # ISE_2 IP 110 deny icmp any any echo 120 deny tcp any any range 22 telnet 130 deny icmp any any echo-reply 140 deny ip any any
All problems disappear when I remove the following from the configuration of the switch port to which the Voip phone is connected: ip access-group ACL-PREAUTH in
I need an ACL-PREAUTH list on the ports because I want to block ssh ping and telnet for connected PCs that will not be authenticated in ISE.
Can you share the switch model and software version it's running?
The one way audio is very likely going to be related to the ACL's, we just need to narrow down why. Do you also see the phone IP in the auth session and phone ip showing up as active in the device tracking database?
The phone registers correctly in the network, the connection between the telephones is established correctly, the telephones download the IP. At first I had the same problem when the phones set up a VoIp connection to a Voip phone in the office, the caller was not heard by the person answering the call and then removing the ACL in: ACL-PREAUTH from the port to which the Voip phone is connected also helped. I read up on the cisco community and added a dACL (dACL_Voice) to the profile for Voice_VLan with entries for the RTP protocol:
permit udp any (VoIP phone IP) range 16384 32767 //RTP protocol permit udp any (VoIP phone IP) range 16384 32767 //RTP protocol
After adding the above entries to the dACL, the audio problem with the VoIP to VoIP connection disappeared.
After some time I noticed that the same problem I had with VoIP to Voip calls is when I call Voip to mobile Phone and in this case it also helps to disable the ACL from the port to which the Voip phone is connected, I tried to add different ports to dACL_Voice but this does not solve the audio problem.