cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
829
Views
0
Helpful
4
Replies
Beginner

Can you use ISE to force a device to Voice Vlan

Hello everyone,

 

We have a situation where a device is connecting to the network and is unable to tell the switch it should be on the voice vlan, when it should be.  Does anyone know if there is a way to tell the switch via ISE that this interface should be set to the voice vlan only?

 

We enabled the voice permission option on the auth results, and what this does is place the devices mac in both the data and voice domain, however the client stays on the data domain and does not grab a new address on the voice domain.

 

interface GigabitEthernet0/9
switchport access vlan 2160
switchport mode access
switchport voice vlan 2161 <-- Want the device to only access voice vlan, not access vlan

 

Vlan Mac Address Type Ports
---- ----------- -------- -----
2160 7845.0101.1635 STATIC Gi0/9 <-- Want this to disapear, keeping the device on vlan 2161 only
2161 7845.0101.1635 STATIC Gi0/9 
Total Mac Addresses for this criterion: 2

 

Thanks in advance!

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Re: Can you use ISE to force a device to Voice Vlan

In your ISE Authorization Policy @ Policy > Policy Elements > Results > Authorization > Authorization Profiles you should have a default Cisco_IP_Phones profile included. If you edit it you will see the Voice Domain Permission which is the setting you want! If you scroll to the bottom and look at the Attribute Detail you will see checking that box corresponds to the RADIUS attribute

cisco-av-pair = device-traffic-class=voice

 

Whatever authorization policy you are assigning for these voice devices, be sure to check that box and that is how ISE tells the switch to put it in the Voice VLAN!

 

Everyone's tags (6)
4 REPLIES 4
Enthusiast

Re: Can you use ISE to force a device to Voice Vlan

Are you authenticating connections on the switch port using RADIUS?  If so, this is pretty straight forward using RADIUS attributes. 

 

Policy --> Policy Elements -> Results --> Authorization --> Authorization Profiles

Check VLAN under Common Tasks and include the VLAN number in the ID/Name field. 

 

You should be able to use this in your authorization rules for the the policy set after this.  Of course, the switch needs to be configured to accept this attribute and shift the VLAN. 

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
Beginner

Re: Can you use ISE to force a device to Voice Vlan

Chris,

Thanks for the response.. I'd like to accomplish this without needing to put a vlan number in the ISE configuration. We have 40 + IDF's each with different voice vlans,, you could imagine the number of results / profiles would be pretty large. Is there any way to tell the switch port to force this device to the voice vlan thats already configured, and not use the data (access) Vlan?

Thanks,
Enthusiast

Re: Can you use ISE to force a device to Voice Vlan

Your post asked if there was anyway to use ISE to accomplish this - sorry for the confusion. Other than configuring the voice vlan on the switchport, I'm not sure what else you could do to force the device into the correct vlan.  You might find this post helpful however:

https://community.cisco.com/t5/switching/assign-vlan-based-on-mac/td-p/2622878

 

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
Highlighted
Cisco Employee

Re: Can you use ISE to force a device to Voice Vlan

In your ISE Authorization Policy @ Policy > Policy Elements > Results > Authorization > Authorization Profiles you should have a default Cisco_IP_Phones profile included. If you edit it you will see the Voice Domain Permission which is the setting you want! If you scroll to the bottom and look at the Attribute Detail you will see checking that box corresponds to the RADIUS attribute

cisco-av-pair = device-traffic-class=voice

 

Whatever authorization policy you are assigning for these voice devices, be sure to check that box and that is how ISE tells the switch to put it in the Voice VLAN!

 

Everyone's tags (6)