Anyone know if the following observation is correct?
From the TrustSec 2.1 "Monitor Mode" guide I get the idea that Open mode is not really as zero-impact in the data-gathering part of an ISE deployment as I was expecting. The guide describes using Profiling to authorize Cisco IP phones for the Voice VLAN.
- Does this mean that regular methods like using CDP won't work for this once I enable dot1x on an access switch port interface?
- And that I will need to figure out which ports should be set for multi-domain (phone+PC), and which should be set for multi-auth (possibly multiple devices on one port) during the open mode period?
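For reference, here is what the two port host modes the question mentions look like on an IOS access switch in monitor (open) mode, together with the ISE-side attribute that tells the switch a session belongs in the voice domain. This is an added example, not configuration from the original thread or from the TrustSec guide; interface names, VLAN IDs and the ISE authorization profile name are assumed.

```cisco
! Added example (not from the thread): monitor-mode port for a phone with a PC behind it.
! "authentication open" lets traffic through before/without a successful auth, but
! "host-mode multi-domain" still only has one data and one voice slot per port.
interface GigabitEthernet1/0/10
 description ASSUMED: phone + PC, monitor mode, multi-domain
 switchport mode access
 switchport access vlan 10          ! assumed data VLAN
 switchport voice vlan 20           ! assumed voice VLAN (learned by the phone via CDP)
 authentication open                ! monitor mode: pre-auth/failed-auth traffic is not blocked
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

! Same idea for a port that may see several data devices (e.g. behind a hub or a
! non-Cisco phone); multi-auth allows many data-domain sessions but still one voice.
interface GigabitEthernet1/0/11
 description ASSUMED: multiple devices, monitor mode, multi-auth
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast

! Check what the switch actually built for the port: one session per MAC, with the
! Domain column showing DATA or VOICE and the authorization status.
show authentication sessions interface GigabitEthernet1/0/10
```

On the ISE side, the piece the guide is describing is the authorization profile's "Voice Domain Permission" option (profile name here is assumed, e.g. "Cisco_IP_Phones"), which returns the RADIUS attribute `cisco-av-pair = device-traffic-class=voice`. That attribute is what moves a session from the data domain to the voice domain in the `show authentication sessions` output; the voice VLAN number itself still comes from the switchport configuration, which is the point the later posts in the thread are testing.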
I understand the basics of how open mode works, but thanks for the reply. But specifically for IP phones, are you saying that if I don't authenticate and authorize IP phones in open mode (monitor mode), they won't get access to the voice VLAN even though CDP has told the phone to tag its traffic in the voice VLAN?
Sorry Jan, apparently I did not read your question carefully and thoroughly enough. I see what you are asking now and my answer is "I am not 100% sure." My understanding was that in open mode a device is allowed on the network even if it fails authentication and regardless of what rules might sit on ISE (unless you send a RADIUS Reject message). However, re-reading the TrustSec guide for that section is making me question this now. The verbiage in the guide almost sounds like a RADIUS attribute is needed for the phones to be authorized on the voice domain.
I will try to test this during the upcoming days (when I make it back to the lab) and let you know. In the meantime perhaps someone else can chime in on this...
I did a test last night with an IP phone, which seems to suggest that the phone can use the regular CDP information to figure out what VLAN to tag its traffic with, even when dot1x is enabled. I am doing further testing tonight, to see if an auth session is created in the voice VLAN on the switch, and if traffic is allowed even though I have not sent the class voice attribute from ISE.
Any news on this issue?
We have the same problem. The voice tag isn't being negotiated using CDP when 802.1x is enabled, and the RADIUS result from ISE is Access-Permit.
I don't really know if Cisco has really thought Monitor Mode through thoroughly for the combination of Voice and Data VLANs...
Any kind of authentication - Successful or Failed - is an option for both clients in the Data VLAN and the Voice VLAN.
When CDP does not help us out on the switch, we don't see how ISE should send the Voice-Tag when the devices cannot be differentiated (because the authentication failed).
In addition we have configured the ISE Authentication Policies to result in "DROP" if the authentication failed.
By this "trick" we were hoping that the devices would end up in the different critical VLANs (voice and data).
Unfortunately we haven't found any working solution yet.