I am using Cisco ISE 2.7 in my infrastructure for MAB and 802.1X network access authentication. I have noticed a problem with Cisco VoIP phones connected to a switch port. The problem is that after the call is set up, the person making the call cannot be heard by the person receiving the call. It seems that on the ISE and switch side everything is configured correctly; MAB authentication and 802.1X are working correctly.
I have the correct policy and profile for the Voice VLAN configured in ISE.
On each port of the access switch I have added an ACL inbound:
ip access-group ACL-PREAUTH in
ip access-list extended ACL-PREAUTH
 10 permit udp any eq bootpc any eq bootps
 20 permit udp any any eq domain
 30 permit tcp any host x.x.x.x eq www    # ISE_1 IP
 40 permit tcp any host y.y.y.y eq www    # ISE_2 IP
 50 permit tcp any host x.x.x.x eq 8443   # ISE_1 IP
 60 permit tcp any host y.y.y.y eq 8443   # ISE_2 IP
 70 permit tcp any host x.x.x.x eq 443    # ISE_1 IP
 80 permit tcp any host y.y.y.y eq 443    # ISE_2 IP
 90 permit ip any host y.y.y.y            # CCM_IP_1
 100 permit ip any host x.x.x.x           # CCM_IP_2
 110 deny icmp any any echo
 120 deny tcp any any range 22 telnet
 130 deny icmp any any echo-reply
 140 deny ip any any
All problems disappear when I remove the following from the configuration of the switch port to which the phone is connected:
ip access-group ACL-PREAUTH in
Changing ACL-PREAUTH to "permit ip any any" does not help either.
I need the ACL-PREAUTH list on the ports because I want to block SSH, ping and telnet for connected PCs that will not be authenticated in ISE.
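Added example, not from the original post: a small first-match evaluator for the ACL-PREAUTH entries above, useful for checking which phone flows the pre-auth ACL permits while it is still applied inbound (for instance RTP media to another phone versus signalling to CUCM). The ISE and CUCM addresses and the peer phone address are constructed stand-ins for the post's x.x.x.x / y.y.y.y placeholders.

```python
# Constructed stand-ins for the post's x.x.x.x / y.y.y.y placeholders.
ISE_1, ISE_2 = "192.0.2.11", "192.0.2.12"   # assumed ISE PSN addresses
CCM_1, CCM_2 = "192.0.2.21", "192.0.2.22"   # assumed CUCM addresses

def rng(lo, hi=None):
    """Port range tuple; a single port is a one-element range."""
    return (lo, hi if hi is not None else lo)

# Entries mirror ACL-PREAUTH from the post:
# (seq, action, proto, dst_host, src_port_range, dst_port_range, icmp_type)
ACL_PREAUTH = [
    (10, "permit", "udp", None, rng(68), rng(67), None),    # bootpc -> bootps
    (20, "permit", "udp", None, None, rng(53), None),       # domain
    (30, "permit", "tcp", ISE_1, None, rng(80), None),
    (40, "permit", "tcp", ISE_2, None, rng(80), None),
    (50, "permit", "tcp", ISE_1, None, rng(8443), None),
    (60, "permit", "tcp", ISE_2, None, rng(8443), None),
    (70, "permit", "tcp", ISE_1, None, rng(443), None),
    (80, "permit", "tcp", ISE_2, None, rng(443), None),
    (90, "permit", "ip", CCM_1, None, None, None),
    (100, "permit", "ip", CCM_2, None, None, None),
    (110, "deny", "icmp", None, None, None, 8),             # echo
    (120, "deny", "tcp", None, None, rng(22, 23), None),    # ssh, telnet
    (130, "deny", "icmp", None, None, None, 0),             # echo-reply
    (140, "deny", "ip", None, None, None, None),
]

def in_range(value, r):
    return r is None or r[0] <= value <= r[1]

def evaluate(acl, proto, dst, sport=0, dport=0, icmp_type=None):
    """Return (action, seq) of the first matching entry, else the implicit deny."""
    for seq, action, p, host, sr, dr, itype in acl:
        if p != "ip" and p != proto:
            continue
        if host is not None and host != dst:
            continue
        if not in_range(sport, sr) or not in_range(dport, dr):
            continue
        if itype is not None and itype != icmp_type:
            continue
        return action, seq
    return "deny", None   # implicit deny at the end of every IOS ACL

def check_phone_flows(other_phone="192.0.2.99"):
    """Typical flows a phone sends while the pre-auth ACL is applied inbound."""
    return {
        "dhcp":        evaluate(ACL_PREAUTH, "udp", "255.255.255.255", 68, 67),
        "sip_to_ccm":  evaluate(ACL_PREAUTH, "tcp", CCM_1, 50000, 5060),
        "https_ise":   evaluate(ACL_PREAUTH, "tcp", ISE_1, 50001, 8443),
        "rtp_to_peer": evaluate(ACL_PREAUTH, "udp", other_phone, 16384, 16384),
        "ssh_any":     evaluate(ACL_PREAUTH, "tcp", other_phone, 50002, 22),
    }
```

Running check_phone_flows() shows signalling to CUCM and the ISE portal flows hitting permit entries, while RTP to a peer phone falls through to sequence 140 and SSH is stopped at 120, which is what to compare against the dACL or authorization result ISE is expected to apply after the phone authenticates.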