
ISE authentication with sw-to-phone-to-pc

ciscoworlds (Level 4)

Hi guys, hope you are doing well. Would you mind taking a look at this simple topology of mine? I've missed something but I don't know what.


The switch is the default gateway for both VLAN 500 and VLAN 1. The IPs on the switch are shown above. The switch is configured as a DHCP server to assign IPs to phones in VLAN 500. ISE and CUCM are located inside data VLAN 1.

IP phone 2 is connected to g0/7 and I strictly put g0/7 into "access vlan 500". This phone was able to register to CUCM, get an IP from the switch, and its MAC appeared in the switch MAC address table for VLAN 500. But my phone number 1, which is connected to g0/8 of the switch, cannot get an IP from the DHCP server (which is configured on the same switch) and the phone cannot register itself on CUCM. Analysing the RADIUS logs on ISE shows that the MAC address of the phone has passed MAB authentication on ISE and a dACL has been downloaded onto the switch to deny any IP traffic until a CoA is received. The command output on the switch looks like this:

Switch(config-if)#do sh authe sess

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi0/8        38ed.1855.787c  mab       DATA    Auth      000000000000002201594FA5

Session count = 1


As shown above, the MAC address of the phone has been recognized by the switch but put into the data VLAN (default VLAN 1) rather than the voice VLAN 500. The configuration of g0/8 is shown below:

interface GigabitEthernet0/8
 switchport mode access
 switchport voice vlan 500
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation replace
 mab
 dot1x pae authenticator
 spanning-tree portfast
!

The interesting part is that my PC, which is connected to the phone's PC port, can authenticate to ISE and, as expected, is put into data VLAN 1 by the switch.

I got nothing after issuing the "sh ip device tracking all" command. Could you give me a hand with resolving this?

5 Replies

ciscoworlds (Level 4)

what an active community!!!

Hi,

Based on the info provided, I believe ISE is unable to determine IP Phone 1 as an "IP Phone" and hence is not issuing the voice domain privileges back to the switchport. The IP phone is receiving a DATA domain. Now, as you mentioned, you have a PC connected through the phone and it's working fine. This may not be fully true. You have two MAC addresses on a single domain now. Your authentication mode is "Multi-Domain", which means one MAC per domain (one for DATA; one for VOICE) will be permitted. If you take a look at "show ip access-list interface Gi 0/8" a few times, you would see the IP address being replaced back and forth based on your configuration (authentication violation replace). Kind of both fighting to stay on the network :)

Can you please let me know what ISE is identifying the IP phone as, from the auth logs? Also have a look at the authorization profile to see if you have checked the task named "Voice Domain Permission" on ISE.

Regards

Vivek

Hi;

Because I manually added the MAC address of the Cisco IP phone to ISE, I can now see the following in the RADIUS Live Log section on ISE:

"Endpoint-Profile: Cisco-device"

and the steps are displayed as follows:

  15004 Matched rule - TIMAZ_MAB01
  15041 Evaluating Identity Policy
  15006 Matched Default Rule
  15013 Selected Identity Source - Internal Endpoints
  24209 Looking up Endpoint in Internal Endpoints IDStore - 38:ED:18:55:78:7C
  24211 Found Endpoint in Internal Endpoints IDStore
  22037 Authentication Passed
  15036 Evaluating Authorization Policy
  15048 Queried PIP - EndPoints.LogicalProfile
  15004 Matched rule - TIMAZ-Before-Profile
  15016 Selected Authorization Profile - TIMAZ_AUTHO-PROFILE1
  11022 Added the dACL specified in the Authorization Profile
  11002 Returned RADIUS Access-Accept

"TIMAZ-AUTHO-PROFILE1" has just a dACL with the following entries inside it, and "TIMAZ-Before-Profile" is an authorization rule configured like this:

Rule name: TIMAZ-Before-Profile
conditions: if "Wired-MAB"
permissions: then "TIMAZ-AUTHO-PROFILE1"

As the above logs show, the MAC address of the phone is matched against the internal MAC DB on ISE and a dACL has been downloaded to the switch. This dACL has these entries:

permit udp any any
permit tcp any any eq domain
deny ip any any

"Voice Domain Permission" has been selected by default on the default authorization rule "Profiled Cisco IP Phones".

The output of "show ip device track all" and "sh ip dhcp bind" on the switch was empty, and I got this on the switch:

Switch(config-if)#do sh authe sess

Interface  MAC Address      Method  Domain  Status  Session ID
Gi0/7       38ed.1855.787c   mab       DATA     Auth     000000000000000D013D42ED

As you can see, the phone has been put into the data VLAN, so it cannot get its IP address and register to CUCM.

Hi,

The endpoint seems to be getting the authorization profile, but it is not being issued a "Voice" domain, as the show auth session output shows up as DATA domain. This is the main reason why your IP phone doesn't acquire an IP address. Your dACL seems to be correct, allowing all UDP and TCP 53 traffic.

Cisco-Device is a very generic identification ISE is performing. Are you doing DHCP profiling?

Regards

Vivek
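As an added example (not code from the thread or from Cisco), a small Python check that parses the "show authentication sessions" output posted above together with the cisco-av-pairs ISE returned for each MAC, and reports phones that ended up in the DATA domain. It assumes that ISE's "Voice Domain Permission" is signalled by the av-pair device-traffic-class=voice; the sample session rows (beyond the thread's Gi0/8 row) and the per-MAC av-pair lists are constructed.

```python
import re

# Column layout of 'show authentication sessions' as pasted in the thread; the
# 'Fg' column can be empty, so the flag token before the session id is optional.
SESSION_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>DATA|VOICE)\s+(?P<status>\S+)\s+"
    r"(?:\S+\s+)?(?P<sid>[0-9A-F]+)\s*$"
)

# cisco-av-pair that ISE's "Voice Domain Permission" adds to the Access-Accept.
VOICE_AVP = "device-traffic-class=voice"

# Constructed sample: the Gi0/8 row from the thread plus a healthy phone on Gi0/7,
# and the av-pairs ISE returned per MAC (dACL attributes omitted for brevity).
SAMPLE_SHOW = """\
Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi0/8        38ed.1855.787c  mab       DATA    Auth      000000000000002201594FA5
Gi0/7        aaaa.bbbb.cccc  mab       VOICE   Auth      00000000000000010000ABCD
Session count = 2
"""
SAMPLE_ACCEPTS = {"38ed.1855.787c": [], "aaaa.bbbb.cccc": [VOICE_AVP]}
PHONE_MACS = {"38ed.1855.787c", "aaaa.bbbb.cccc"}


def parse_auth_sessions(text):
    """One dict per session row; header and 'Session count' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def expected_domain(av_pairs):
    """Domain the switch assigns from the av-pairs in the Access-Accept."""
    return "VOICE" if any(p.strip().lower() == VOICE_AVP for p in av_pairs) else "DATA"

def diagnose(show_output, accepts, phone_macs):
    """Return {mac: finding} for phones that did not land in the VOICE domain."""
    findings = {}
    for s in parse_auth_sessions(show_output):
        mac = s["mac"]
        if mac in phone_macs and s["domain"] != "VOICE":
            if expected_domain(accepts.get(mac, [])) == "DATA":
                findings[mac] = "ISE sent no %s: check Voice Domain Permission" % VOICE_AVP
            else:
                findings[mac] = "voice av-pair returned but port stayed DATA: check voice vlan/host-mode"
    return findings
```

Running diagnose(SAMPLE_SHOW, SAMPLE_ACCEPTS, PHONE_MACS) flags only the Gi0/8 phone, pointing at the missing Voice Domain Permission rather than at the dACL.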

Hi;

I followed the documents on the Cisco website to enable DHCP profiling and CoA on ISE, and yes, I double-checked them and they are enabled.

I think ISE has determined this device as "Cisco-Device" just because I entered the phone's MAC address manually on ISE, not because of profiling.

And under interface vlan500, I entered "helper-address" with the IP address of ISE.

But at the end, it doesn't work at all.