Profiling cisco phones isn't working with Cisco ISE

sanchezeldorado
Level 1

Hello,

I'm working on getting 802.1x and MAB configured on my network with Cisco ISE. So far I'm working with a single computer and a single phone for testing. I have MAB and 802.1x authenticating both the phone and the laptop plugged in behind it. I set a DHCP helper address for both VLANs to include the ISE profiling node, and that allowed my PC to be profiled as Windows 11. My Cisco phone, on the other hand, is showing up as Cisco Device and doesn't seem to be getting any DHCP information to profile it as a phone.

When I look at the MAC address table on the attached switch for that specific MAC address, I get the following, where VLAN 50 is my data VLAN and VLAN 100 is my voice VLAN. There's another phone on the same switch with the same configuration (minus the 802.1x config), and it works fine, so it makes me think it's related to ISE.

USBTSW048#show mac add | inc 28af.fd2d.4c51
 50    28af.fd2d.4c51    STATIC     Fa0/8
 100   28af.fd2d.4c51    DYNAMIC    Drop

I suspect that the issue has to do with the MAC address being listed as Drop. I'm also not sure why there would be a static entry here. There's nothing in the config for it. No sticky port configuration. Any help is appreciated.

2 Accepted Solutions

Damien Miller
VIP Alumni

DHCP/IP helper often won't be enough to profile a Cisco phone as a Cisco phone; the built-in ISE profiles for this often rely on CDP information being passed to ISE. CDP information is gathered by the device sensor functionality on the access switch, then forwarded to ISE in a RADIUS accounting packet.

If the DHCP request packet doesn't include exactly "DHCP:dhcp-class-identifier CONTAINS Cisco Systems, Inc. IP Phone", then it's not getting profiled as a phone by that probe alone.

For your phone issue I would start by checking that the device sensor functionality is configured correctly so that you receive the CDP attributes from the switch.

As for your static MAC: when an access/auth session is created for an endpoint via the dot1x or MAB process, the switch programs the MAC address into the MAC table as static until the session is cleared or times out. Then the Drop on VLAN 100 makes sense, because the authorization result being returned from ISE does not include the "voice domain" authorization.

View solution in original post
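Worked example of the switch side of Damien's answer above (added here; it is not from the original post or from Cisco's documentation): a device-sensor configuration on a Cisco IOS access switch that caches the CDP, LLDP and DHCP attributes the ISE phone profile conditions use and ships them to ISE in RADIUS accounting, plus the show commands to confirm the switch actually learned the phone's CDP platform TLV before blaming the profiler. The RADIUS group name ISE-RADIUS, the filter-list names, the interface and the VLAN numbers (50 data, 100 voice, as in the thread) are assumptions.

```ios
! Device sensor on a Cisco IOS access switch (example; names marked below are assumed)
! ISE-RADIUS, CDP-LIST, LLDP-LIST, DHCP-LIST = assumed names for this example
aaa new-model
aaa accounting dot1x default start-stop group ISE-RADIUS
! Send interim accounting updates when the sensor learns new attributes
aaa accounting update newinfo periodic 2880
radius-server vsa send accounting
radius-server vsa send authentication
!
! Forward only the TLVs/options the profiler conditions actually consume
device-sensor filter-list cdp list CDP-LIST
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
device-sensor filter-list lldp list LLDP-LIST
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
device-sensor filter-list dhcp list DHCP-LIST
 option name host-name
 option name class-identifier
 option name client-identifier
device-sensor filter-spec cdp include list CDP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec dhcp include list DHCP-LIST
! Put the cached attributes into RADIUS accounting and resend on every change
device-sensor accounting
device-sensor notify all-changes
!
! Access port with a phone and a PC behind it (multi-domain: one DATA + one VOICE session)
interface FastEthernet0/8
 switchport mode access
 switchport access vlan 50
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! --- Verification, from exec mode ---
! 1. Did the sensor cache the phone's CDP data? Look for platform-type containing "Cisco IP Phone".
!    show device-sensor cache interface FastEthernet0/8
! 2. Is each session in the expected domain? The phone should show "Domain: VOICE".
!    show authentication sessions interface FastEthernet0/8 details
! 3. Are the sensor attributes leaving in accounting packets? (turn off afterwards with "undebug all")
!    debug radius accounting
```

Two caveats a practitioner should keep in mind. First, the `device-sensor` command family is absent on the 12.2 train the original poster was running, which is exactly why step 1 above could never succeed for him; the profiler then has only the OUI and whatever DHCP the helper address forwards. Second, everything the sensor collects (CDP platform string, DHCP class identifier, hostname) is asserted by the endpoint itself, so a MAB rule that grants the voice domain because the endpoint "looks like a phone" is spoofable by anything that can send a crafted CDP frame; keep what the voice-domain authorization grants narrow (a restrictive dACL, no access to the data segment) rather than treating the profile match as authentication.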

sanchezeldorado
Level 1

Turns out all of my issues were due to the switch being too old. I found another thread or two that had the same issues with voice VLANs being put in the data domain. I could never re-create the scenario where the PC was put in the voice VLAN. None of the threads had any solutions, just that the 12.2 firmware couldn't do CDP and also had issues putting devices in the voice VLAN without specifying the VLAN in ISE. Thank you guys for the info pointing me in the right direction.

View solution in original post

6 Replies


Hi @sanchezeldorado,

Beyond what @Damien Miller said:

1. at Work Centers > Profiler > Profiling Policies > Cisco IP Phone you are able to check the Cisco IP Phone Conditions.

2. I remember old Cisco IP Phones starting with Data VLAN and then "migrating" to Voice VLAN, that's why the show mac add command has the same MAC Addr on two different VLANs.

Hope this helps!

Thank you both for the replies. I'm headed out for the weekend, but I'll check back next week and update this. I was looking at the endpoint classification of the phone and didn't see anything in there that showed it pulling DHCP info. I hadn't checked the CDP info, and I'm not sure exactly where to find that, but I can probably figure it out.

As for the MAC addresses, I know that the MAC on both VLANs is normal, and your comment about ISE assigning it as static makes sense too, but I'm not sure what would need to happen to fix this. This MAC address issue is almost certainly what would cause DHCP not to profile the device, because it can't send a DHCP request. I'd rather not dynamically assign a voice VLAN, since that is programmed on the switch and I have 4 voice VLANs across my 2 sites.

sanchezeldorado
Level 1

OK, so I couldn't just let this go for the weekend without a little more digging. I found that my switch firmware is too old to support the CDP device sensor settings. I'll address that separately.

My remaining problem is that my phone is getting put in the "DATA" domain. From what I've been reading, it sounds like dynamic VLAN assignment is automatically enabled with 802.1x or something like that. I'm not quite sure I understand what I was reading from an old article. I then tried selecting the "Voice Domain Permission" option in the authorization profiles, shut the port and no shut it, and then my devices actually ended up backwards in the VLANs.

Interface  MAC Address     Method  Domain  Status         Session ID
Fa0/8      28af.fd2d.6c51  mab     DATA    Authz Success  0AB601300000018B372D0BD8
Fa0/8      c8f7.5035.2a44  dot1x   VOICE   Authz Success  0AB601300000018C372D102B

The mac address 28af.... is my phone. Both devices were previously in the DATA vlan. I'm not sure why my PC would get put in the voice vlan. I'm headed out the door for the weekend now, but if you guys have any ideas before then, I'd appreciate it.

sanchezeldorado
Level 1


One more update for future reference. The profiling issue was caused by not being able to use CDP because of the older version, but the issue about devices being on the voice domain or the data domain was entirely based on the authorization policy that was matched in ISE. I thought that the Voice Domain Permission was just the ability to recognize a voice vlan and that the same authorization profile could be used for both devices, but that wasn't true. I had to have two policies to match each type of device and the voice domain permission could only be on the voice policy.
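Added illustration of the final point above, the separate authorization profiles for phones and PCs (not from the original thread or from Cisco): what "Voice Domain Permission" actually puts on the wire, how the two ISE results must differ, and the session table the switch should then show. The profile and rule names are assumptions; the MAC addresses and column layout are taken from the output quoted earlier in the thread.

```ios
! --- What the switch must receive from ISE for a phone vs. a PC on the same port ---
! Profile and rule names (Phone-Authz, Workstation-Authz, Phones, Workstations) are assumed.
!
! Authorization profile "Phone-Authz" (Voice Domain Permission ticked):
!   Access-Accept
!   cisco-av-pair = "device-traffic-class=voice"    <- the only thing Voice Domain Permission adds
!   (optionally a dACL, e.g. cisco-av-pair = "ip:inacl#1=permit ip any any")
!
! Authorization profile "Workstation-Authz" (Voice Domain Permission NOT ticked):
!   Access-Accept
!   (dACL or nothing; no device-traffic-class attribute)
!
! Authorization policy, evaluated top-down, first match wins:
!   Rule "Phones":       EndPoints:EndPointPolicy EQUALS Cisco-IP-Phone  -> Phone-Authz
!   Rule "Workstations": (dot1x user/machine condition)                  -> Workstation-Authz
! A single profile used by both rules would hand device-traffic-class=voice to whichever
! endpoint matches it, which is how a PC ends up in the VOICE domain.
!
! Expected result on the access switch afterwards:
!   show authentication sessions interface FastEthernet0/8
!   Interface  MAC Address     Method  Domain  Status         Session ID
!   Fa0/8      28af.fd2d.4c51  mab     VOICE   Authz Success  ...
!   Fa0/8      c8f7.5035.2a44  dot1x   DATA    Authz Success  ...
!
! The voice VLAN itself stays on the port (switchport voice vlan 100); ISE returns only the
! domain permission, not a VLAN, so a phone still landing in DATA is a policy-match problem.
```

If the Phones rule ever matches a device it should not (a PC reporting a phone-like DHCP class identifier, for instance), the fix is to tighten the rule's condition, not to loosen the Workstation profile; the voice domain is the one result that moves an endpoint into the voice VLAN, so it is the one to guard.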