Solved: Profiling Cisco 8865 on ISE

Pulkit Nagpal · ‎08-20-2017

Hello Experts,

My customer is going to replace their existing DX-650 phones with Cisco 8865 phones for VPN home phone setup. They were using device-type information from radius authentication packet for creating policy on ISE. To be specific, they were using using device type field as below:

Cisco 8865 is not sending any such such unique "ciscoavpair" attribute that can be used in this case. Can you suggest an alternative please?

Thanks & Regards,

Pulkit

hslai · ‎08-22-2017

The device-type is part of AnyConnect Identity Extensions (ACIDEX) supported in ISE 1.3+, ASA 9.2.1+ and AnyConnect 3.1MR5+ for desktop OS's, Android, and Apple iOS. Please consult the phone platform support team whether it has this particular AnyConnect VPN feature.

View solution in original post

ognyan.totev · ‎08-21-2017

Ok we see what is the switch information about DX-650 but give us some log what u see when u connect Cisco 8865

Nidhi · ‎08-21-2017

This is from the 8865 deployment guide -

" The Cisco IP Phone 8861 and 8865 currently support automatic provisioning of the PAC only, so enable Allow anonymous inband PAC provisioning on the RADIUS server as shown below. Both EAP-GTC and EAP-MSCHAPv2 must be enabled when Allow anonymous in-band PAC provisioning is enabled. "

You might want to follow the document at https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cuipph/8841_8851_8861/10_5/english/DeploymentGuide/CiscoIPPhone8…

hslai · ‎08-22-2017

The device-type is part of AnyConnect Identity Extensions (ACIDEX) supported in ISE 1.3+, ASA 9.2.1+ and AnyConnect 3.1MR5+ for desktop OS's, Android, and Apple iOS. Please consult the phone platform support team whether it has this particular AnyConnect VPN feature.