Hello

I am using Cisco ISE 2.7 in my infrastructure for MAB and 802.1X network access authentication. I have noticed a problem with Cisco Voip phones connected to a switch port. The problem is that after setting up the call, the person making the call cannot be heard by the person receiving the call. It seems that on the ISE and switch side everything is configured correctly, MAB authentication and 802.1x is working correctly.

I have the correct policy and profile for Voice VLan configured in ISE:

Access type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:43
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
DACL = ACL_Lan_access
cisco-av-pair = device-traffic-class=voice

ACL_Lan_access
permit ip any any

on each port of the access switch I have added acl on IN :

ip access-group ACL-PREAUTH in

ip access extend ACL-PREAUTH
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit tcp any host x.x.x.x eq www  # ISE_1 IP
40 permit tcp any host y.y.y.y eq www  # ISE_2 IP
50 permit tcp any host x.x.x.x eq 8443 # ISE_1 IP
60 permit tcp any host y.y.y.y eq 8443 # ISE_2 IP
70 permit tcp any host x.x.x.x eq 443 # ISE_1 IP
80 permit tcp any host y.y.y.y eq 443 # ISE_2 IP
90 permit ip any host y.y.y.y # CCM_IP_1
100 permit ip any host x.x.x.x # CCM_IP_2
110 deny icmp any any echo
120 deny tcp any any range 22 telnet
130 deny icmp any any echo-reply
140 deny ip any any

All problems disappear when I remove the following from the configuration of the switch port to which the phone is connected: ip access-group ACL-PREAUTH in

change acl ACL-PREAUTH to :
permit ip any any nothing helps.

I need an ACL-PREAUTH list on the ports because I want to block ssh ping and telnet for connected PCs that will not be authenticated in ISE.

Regards