03-02-2022 07:18 AM
Hello,
I have a problem with automatic profiling on ISE 3.1 for Cisco phones (7861, 8851) with MAB.
So, if my device is already profiled on ISE in manual mode, when the phone is connected, it is recognized correctly; in fact, in the RADIUS logs I see the CDP TLV parameters sent correctly to the NAC. But when I connect a new phone, it is profiled as a Cisco Device and not as a Cisco IP Phone and is blocked by my policy. Launching a debug on the switch, I noticed, as reported above, that for a device inserted manually on the NAC the switch sends the CDP TLV parameters correctly, and in the other case it does not.
I use a 2960X switch with two different IOS versions, 15.2(4)E8 and 15.2(7)E5, and another switch model, WS-C3560CX-8PC-S, with IOS 15.2(7)E2.
Thanks in advance.
Solved! Go to Solution.
03-04-2022 07:32 AM
Hi @adrian.ciubotariu.lacatusu ,
the RADIUS logs for IP Phones that Not-Work vs Work are the same during the initial authentication process. The point here is, since you "Static Assignment" some IP Phones to Cisco-IP-Phone, these Endpoints don't need to be profiled by ISE because they are already manually profiled as Cisco-IP-Phone (and this is a Condition of your IP-PHONE-Authorization rule).
Please take a look at your Cisco-Device-Attributes.PNG file ... you must check the Other Attributes and search for (for ex.):
the DHCP-Class-Identifier is a Condition to the Cisco-IP-Phone profile.
Hope this helps !!!
03-02-2022 09:38 AM
Hi @adrian.ciubotariu.lacatusu ,
to be profiled as Cisco-IP-Phone (at Work Centers > Profiler > Profiling Policies > Cisco-Device > Cisco-IP-Phone) some Conditions must be matched for DHCP, CDP or LLDP, for ex.: CiscoIPPhoneDHCPClassIdentifierCheck, CiscoIPPhoneCDPDeviceIDCheck, ...
Please double check if you are using the correct Probe (at Administration > System > Deployment > select a PSN Node > Profiling Configuration) for that.
Hope this helps !!!
03-03-2022 02:48 AM
Hi @Marcelo Morais,
thanks for the reply.
So, I attached the screenshot with the default Cisco-Device and Cisco-IP-Phone rules, and the Profiling Configuration of the node.
Maybe I didn't say it clearly enough. When I connect a new Cisco phone, it is profiled as a Cisco Device and not as a Cisco-IP-Phone.
I'm using the default profiles of the NAC. And as you can see from the screenshot, the Cisco Device profile contains only those rules.
03-03-2022 05:08 AM
Hi @adrian.ciubotariu.lacatusu ,
to be profiled as Cisco-IP-Phone some Conditions must be matched (please take a look at the image that you provided: cisco-ip-phone.png), for ex. the CiscoIPPhoneDHCPClassIdentifierCheck2 condition needs a DHCP Probe enabled (that is intended for use with methods where the DHCP Request is sent directly to the ISE PSN, as the result of DHCP Relay functions in the network, via the ip helper-address command).
Note: at Context Visibility > Endpoints > select the IP Phone MAC Addr > Attributes, you are able to check the attributes received for that particular IP Phone, in other words, you are able to check what is missing for that IP Phone to be profiled as Cisco-IP-Phone.
Hope this helps !!!
03-03-2022 06:37 AM
Hi,
For DHCP I use another system; that's why I disabled DHCP on the node. I checked the attributes, but they are different because one phone was manually profiled and the other was automatically profiled. At the first connection, the phone is profiled as Cisco Device and is blocked by the policy rule.
Cisco Device is a default profile, and the same goes for Cisco-IP-Phone. In fact, I can't understand why it immediately chooses the Cisco Device profile and not the Cisco-IP-Phone profile.
Attached are the attributes, the policy and some logs.
Sorry if I look stubborn, I don't have much experience with ISE.
03-31-2022 05:24 AM
Hello Marcelo,
thanks for your help.
I activated the DHCP voice on the two nodes, and then I set the helper addresses under the voice VLAN with the RADIUS IP, and it worked.
I'm having the following problem:
If I connect a PC to the switch, it authenticates itself correctly with dot1x. If I connect a Cisco phone, it is profiled correctly with MAB. If I insert a phone with the PC connected behind it, the phone is not profiled but remains in the Cisco Device group, whereas the PC authenticates itself correctly, even behind the phone.
I also entered the command access-session host-mode multi-domain on the interface.
Thanks in advance.
BR
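For readers following the thread, the switch-side pieces discussed above (feeding the ISE DHCP probe via ip helper-address on the voice VLAN, and a multi-domain access port) are collected below in one IOS configuration. This is an added example, not configuration posted by anyone in this thread; the hostname, VLAN numbers, IP addresses, interface names and the device-sensor section are assumptions and placeholders. RADIUS/AAA server definitions and accounting to ISE are assumed to be configured already and are not shown.

```cisco
! Added example (not from this thread). All addresses, VLAN IDs and
! interface names are constructed placeholders.

! --- DHCP probe feed -------------------------------------------------
! The ISE DHCP probe only sees requests that are relayed to the PSN.
! Adding the PSN as a second helper on the voice VLAN SVI forwards a copy
! of each DHCP broadcast to ISE; ISE listens only and never answers, so
! the phone still takes its lease from the real DHCP server.
interface Vlan200
 description VOICE-VLAN-SVI (placeholder)
 ip address 10.200.0.1 255.255.255.0
 ip helper-address 10.10.10.5
 ip helper-address 10.10.10.20

! --- CDP/LLDP attributes in RADIUS accounting (assumption) -------------
! Device sensor is the usual way the switch carries CDP TLVs to ISE in
! RADIUS accounting, so the profiler can evaluate the CDP conditions of
! the Cisco-IP-Phone policy without a span/netflow probe.
device-sensor filter-list cdp list CDP-PROFILING
 tlv name device-name
 tlv name platform-type
device-sensor filter-spec cdp include list CDP-PROFILING
device-sensor accounting
device-sensor notify all-changes

! --- Access port: PC in the data domain, phone in the voice domain -----
! Multi-domain allows exactly one data and one voice MAC per port; the
! phone is expected to authenticate with MAB, the PC with 802.1X.
interface GigabitEthernet1/0/10
 description PHONE-PLUS-PC (placeholder)
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 dot1x pae authenticator
```

Before relying on the DHCP probe, confirm on the PSN that the probe is enabled (Administration > System > Deployment > PSN > Profiling Configuration) and check the endpoint's attributes under Context Visibility, as described earlier in the thread, for the DHCP-Class-Identifier and CDP values the Cisco-IP-Phone conditions look for.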