03-05-2019 05:18 AM
Dear All,
A quick question on which I would like to have your opinion.
I am using MAB Authentication/Authorization for Cisco IP phones as well as the network PCs.
The problem is that the first time I plug a new phone into the network it gets connected as a data-domain device and gets stuck in "Detecting network...".
Then I unplug the phone, re-plug it, and it connects correctly to the voice domain (as it should have in the first place), and from that point onward it works OK: it proceeds and connects to Call Manager, downloading firmware and the phone profile.
Any idea why the phone does not get into the voice domain the first time?
Is it by any chance that the phone is not able to be profiled correctly from the beginning in order to connect to the voice domain?
And why is the phone capable of connecting to the voice domain after the reboot?
Please find attached my authorization policy.
Lastly the switch port config is as follows:
interface GigabitEthernet5/35
switchport access vlan 10
switchport mode access
switchport voice vlan 90
no logging event link-status
authentication control-direction in
authentication event server dead action authorize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
no snmp trap link-status
auto qos voip cisco-phone
dot1x pae authenticator
qos trust device cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
end
Thank you,
Ditter
03-05-2019 05:47 AM
Hi,
The port config looks OK; you allow only MAB on the port, but if this is your solution it looks OK.
On first device connect, maybe in ISE you can see it is profiled as Cisco Device, and after some time the switch must reprofile it as Cisco IP Phone. In my deployment I authenticate phones with dot1x and I have never seen them not profiled correctly.
03-06-2019 11:14 AM
Thanks Ognyan,
To answer your first question: yes, I am only using MAB because I have two kinds of phones, 7841 and 3905, and the latter does not support dot1x, and I want to have one policy for all phones, hence MAB.
It is true that this situation happens only the first time the phones are connected to the network, out of the box, when ISE has not yet had the chance to profile them.
Do you see any way to go around this problem?
Thanks again,
Ditter.
03-06-2019 04:36 PM
Hi
The configuration looks good and you are using the right mode (MDA) for IP telephony. Usually the phone falling back to the data VLAN is a known thing, but once it is authenticated to ISE and ISE sends back the device-traffic-class=voice VSA, it should fall back to the voice VLAN automatically.
How about CDP or LLDP? Is CDP enabled on the ports? Through CDP/LLDP the Cisco IP phone should learn the voice VLAN.
The first CDP frame received from the Cisco IP phone allows the switch to realize that a Cisco IP phone is actually connected to the port, so that the right information (such as power level, voice VLAN ID (VVID), and so on) can then be delivered to the phone.
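As an added example (not code from this thread or from Cisco), a small Python audit of an IOS port stanza like the one Ditter posted: it checks the MDA and voice-VLAN settings Mnagired refers to and flags the server-dead fallback that authorizes VLAN 10 without any RADIUS decision, which is the fail-open behaviour a defender should be aware of. The embedded config is a trimmed copy of the posted port configuration.

```python
import re

# Trimmed copy of the port stanza posted in the thread (sample input for this audit).
PORT_CONFIG = """\
interface GigabitEthernet5/35
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 90
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
 authentication order mab
 authentication priority mab
 authentication port-control auto
 mab
 spanning-tree portfast
 spanning-tree bpduguard enable
"""

def parse_interface(text):
    """Return (interface name, list of stripped config lines under it)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("interface "):
        raise ValueError("expected an 'interface ...' stanza")
    return lines[0].split(None, 1)[1], lines[1:]

def first_match(lines, pattern):
    """First line matching the whole regex, as a match object, or None."""
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return m
    return None

def audit_port(text):
    """Collect the settings discussed in the thread into one dict of findings."""
    name, lines = parse_interface(text)
    voice = first_match(lines, r"switchport voice vlan (\d+)")
    return {
        "interface": name,
        "voice_vlan": int(voice.group(1)) if voice else None,
        "mda": bool(first_match(lines, r"authentication host-mode multi-domain")),
        "mab_enabled": bool(first_match(lines, r"mab")) and bool(first_match(lines, r"authentication order mab")),
        "port_control_auto": bool(first_match(lines, r"authentication port-control auto")),
        "bpduguard": bool(first_match(lines, r"spanning-tree bpduguard enable")),
        # Data-VLAN authorization while RADIUS is unreachable: fail-open for PCs.
        "dead_server_fail_open": bool(first_match(lines, r"authentication event server dead action authorize vlan \d+")),
    }

def warnings(text):
    """Human-readable findings a reviewer of this port config would raise."""
    f = audit_port(text)
    out = []
    if not f["mda"]:
        out.append("host-mode is not multi-domain: phone and PC cannot be authorized separately")
    if f["voice_vlan"] is None:
        out.append("no voice VLAN: device-traffic-class=voice has nowhere to land")
    if f["dead_server_fail_open"]:
        out.append("server-dead action authorizes the data VLAN without RADIUS: fail-open while ISE is unreachable")
    if not f["bpduguard"]:
        out.append("bpduguard missing on a portfast edge port")
    return out
```

The dead-server finding is informational: the fallback keeps users working during an ISE outage, but it also means a port on this VLAN admits any MAC while the PSNs are down.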
03-12-2019 02:55 AM
Thanks Mnagired,
Yes, LLDP and CDP are both configured and enabled on all ports.
The strange thing is that the phone (as mentioned, a phone picked out of the box) gets stuck in "Detecting network" as it is authenticated as a data device, and only after a reboot registers to the voice domain.
It is like the phone is not recognized as a voice device from "moment 0" but as a data device.
03-12-2019 06:26 AM
So here is what is happening when a new phone connects:
So the moral of the story is: install patch 6 and it should fix your issue.
03-14-2019 07:39 AM
Hi Paul !
So glad I am part of this community.
You seem to know your stuff :-)
I had to patch the PSNs to patch no. 6; that is the reason I did not reply earlier.
It worked perfectly: the phone was first profiled as Cisco Device, then CoA worked fine, and a moment later the phone was correctly profiled as part of my custom Cisco Phone logical profile group, and the voice authorization profile with the voice domain was applied.
Thank you for your help in solving the problem.
Ditter.