05-26-2023 04:41 AM
Hello
I am using Cisco ISE 2.7 in my infrastructure for MAB and 802.1X network access authentication. I have noticed a problem with Cisco VoIP phones connected to a switch port: after the call is set up, the person making the call cannot be heard by the person receiving it. It seems that on the ISE and switch side everything is configured correctly; MAB and 802.1X authentication are working correctly.
I have the correct policy and authorization profile for the Voice VLAN configured in ISE:
Access type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:43
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
DACL = ACL_Lan_access
cisco-av-pair = device-traffic-class=voice
ACL_Lan_access
permit ip any any
On each port of the access switch I have added this ACL inbound:
ip access-group ACL-PREAUTH in
ip access-list extended ACL-PREAUTH
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit tcp any host x.x.x.x eq www # ISE_1 IP
40 permit tcp any host y.y.y.y eq www # ISE_2 IP
50 permit tcp any host x.x.x.x eq 8443 # ISE_1 IP
60 permit tcp any host y.y.y.y eq 8443 # ISE_2 IP
70 permit tcp any host x.x.x.x eq 443 # ISE_1 IP
80 permit tcp any host y.y.y.y eq 443 # ISE_2 IP
90 permit ip any host y.y.y.y # CCM_IP_1
100 permit ip any host x.x.x.x # CCM_IP_2
110 deny icmp any any echo
120 deny tcp any any range 22 telnet
130 deny icmp any any echo-reply
140 deny ip any any
All problems disappear when I remove the following from the configuration of the switch port to which the phone is connected: ip access-group ACL-PREAUTH in
Changing ACL-PREAUTH to:
permit ip any any
does not help either.
I need the ACL-PREAUTH list on the ports because I want to block SSH, ping and telnet for connected PCs that will not be authenticated in ISE.
Regards
Accepted Solutions
05-26-2023 04:47 AM
Hello
You are missing the RTP ports in the access list. Usually the RTP protocol uses high ports between 16384 and 32767, but you had better check with the voice system admin.
Audio happens in a point-to-point fashion, so one phone needs to have connectivity with the other on those ports.
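To check an access-list change like this before pushing it to the switches, the ACL can be evaluated offline against the flows a phone and PC port actually carry. The following is an added example and not code from the original post or from Cisco: it parses the poster's ACL-PREAUTH (IOS sequence numbers and "#" annotations tolerated), evaluates constructed sample flows against both the posted ACL and a copy with a permit for UDP 16384-32767 inserted ahead of the deny lines, and reports the verdict for each flow. All IP addresses, the phone and PC hosts, the RTP port numbers used in the flows and the inserted sequence number 105 are assumptions, not values from the thread; the real media port range should be confirmed with the voice system admin as the answer says.

```python
"""Simulate the Cisco IOS extended-ACL subset used in this thread (added
example, not code from the original post or from Cisco). It parses the
poster's ACL-PREAUTH, evaluates constructed flows, and shows phone-to-phone
RTP (UDP 16384-32767, the range in the accepted answer) hitting the final
deny until a permit for it is added, while the SSH/telnet/ping denies stay."""
from collections import namedtuple

ISE_1, ISE_2 = "10.0.0.11", "10.0.0.12"   # assumed ISE node addresses
CCM_1, CCM_2 = "10.0.1.21", "10.0.1.22"   # assumed CUCM addresses
ORIGINAL_ACL = f"""10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit tcp any host {ISE_1} eq www
40 permit tcp any host {ISE_2} eq www
50 permit tcp any host {ISE_1} eq 8443
60 permit tcp any host {ISE_2} eq 8443
70 permit tcp any host {ISE_1} eq 443
80 permit tcp any host {ISE_2} eq 443
90 permit ip any host {CCM_1}
100 permit ip any host {CCM_2}
110 deny icmp any any echo
120 deny tcp any any range 22 telnet
130 deny icmp any any echo-reply
140 deny ip any any
"""
# Assumed fix: the RTP range from the answer, inserted ahead of the denies.
# Confirm the real media port range with the voice system admin first.
FIXED_ACL = ORIGINAL_ACL.replace(
    "110 deny icmp", "105 permit udp any any range 16384 32767\n110 deny icmp", 1)

NAMED_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80, "ssh": 22, "telnet": 23}
Ace = namedtuple("Ace", "action proto src dst sport dport icmp_type")
Flow = namedtuple("Flow", "proto src dst sport dport icmp_type", defaults=(None, None, None))

def _port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def _addr_and_ports(tokens, i):
    """Parse 'any' or 'host X', then an optional 'eq P' or 'range A B'."""
    if tokens[i] == "any":
        addr, i = "any", i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address form: {tokens[i]}")
    ports = None
    if i < len(tokens) and tokens[i] == "eq":
        ports, i = (_port(tokens[i + 1]),) * 2, i + 2
    elif i < len(tokens) and tokens[i] == "range":
        ports, i = (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return addr, ports, i

def parse_acl(text):
    """Parse ACE lines; '# ...' annotations and leading sequence numbers are ignored."""
    aces = []
    for line in text.splitlines():
        tokens = line.split("#")[0].split()
        if not tokens:
            continue
        if tokens[0].isdigit():
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        src, sport, i = _addr_and_ports(tokens, 2)
        dst, dport, i = _addr_and_ports(tokens, i)
        icmp_type = tokens[i] if proto == "icmp" and i < len(tokens) else None
        aces.append(Ace(action, proto, src, dst, sport, dport, icmp_type))
    return aces

def _in_range(rng, value):
    return rng is None or (value is not None and rng[0] <= value <= rng[1])

def matches(ace, flow):
    return (ace.proto in ("ip", flow.proto) and ace.src in ("any", flow.src)
            and ace.dst in ("any", flow.dst) and _in_range(ace.sport, flow.sport)
            and _in_range(ace.dport, flow.dport)
            and (ace.icmp_type is None or ace.icmp_type == flow.icmp_type))

def evaluate(aces, flow):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    return next((a.action for a in aces if matches(a, flow)), "deny")

PHONE_A, PHONE_B = "10.0.43.10", "10.0.43.20"   # assumed voice-VLAN phones
PC, SERVER = "10.0.40.5", "10.0.50.9"           # assumed unauthenticated PC, target
FLOWS = {                                        # constructed sample traffic
    "dhcp discover": Flow("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "sccp to cucm": Flow("tcp", PHONE_A, CCM_1, 50123, 2000),
    "rtp phone to phone": Flow("udp", PHONE_A, PHONE_B, 20000, 24000),
    "rtp outside range": Flow("udp", PHONE_A, PHONE_B, 40000, 40002),
    "ssh from pc": Flow("tcp", PC, SERVER, 51001, 22),
    "ping from pc": Flow("icmp", PC, SERVER, icmp_type="echo"),
}

def compare():
    """Map each sample flow to (verdict under ORIGINAL_ACL, verdict under FIXED_ACL)."""
    original, fixed = parse_acl(ORIGINAL_ACL), parse_acl(FIXED_ACL)
    return {n: (evaluate(original, f), evaluate(fixed, f)) for n, f in FLOWS.items()}

if __name__ == "__main__":
    print(*(f"{n}: {v}" for n, v in compare().items()), sep="\n")
```

Running it shows the phone-to-phone RTP flow going from deny to permit once the range line is present, while SSH, telnet and ping from an unauthenticated PC are still denied and media on a port outside the configured range is still dropped, which is the check to repeat with whatever range the voice administrator actually confirms.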
05-27-2023 01:35 AM
Thank you very much for your reply. I will check this solution ASAP.
05-29-2023 03:21 AM
It works.

05-26-2023 06:34 AM
Not sure about your layout with the tunnel commands, but you can check whether the dACL is being applied with this command:
show auth session int <interface> details
This should show the dACL applied.
This is our phone auth; we have the voice VLAN set on the switch.
Since you are applying an ip any/any, RTP ports should not matter unless there is a firewall between the 2 phones.
05-27-2023 01:40 AM
Thank you for your reply. I checked, and the port where the phone is connected downloads the dACL correctly:
Server Policies:
Vlan Group: Vlan: 43
ACS ACL: xACSACLx-IP-ACL_Lan_access-646f5583
Method status list:
Method State
dot1x Stopped
mab Authc Success
If I change the dACL in the authorization profile to PERMIT_ALL_IPV4_TRAFFIC, the problem with audio still occurs.

05-30-2023 06:36 AM
OK, so the issue isn't with the dACL, but with something in the path between the devices. Is there anything in the path that would block phone-to-phone communication?
