04-04-2016 06:19 PM - edited 03-08-2019 05:13 AM
Hi,
I'm working on the deployment of ISE ver 2.0. Currently I have carried out some tests with 802.1X: PCs that are in the domain get access to the network, and PCs that are not in the domain are denied access to the network. That's OK.
Now when I connect an IP phone 7945 to the switch port configured to handle 802.1X, the phone does not register with CUCM. If I connect my laptop to the IP phone, the laptop is authenticated. For the moment I don't need 802.1X for IP phones.
The current config I have is the following. Is something missing or something wrong?
interface GigabitEthernet1/0/15
 switchport mode access
 switchport voice vlan 10
 authentication event no-response action authorize vlan 50
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 spanning-tree portfast
Is something missing or something wrong, so that the IP phone can register on this port?
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/15 3417.eb5a.a7ac N/A DATA Auth C0A800900000002D017A5D44
Gi1/0/15 0024.142d.d847 N/A UNKNOWN Unauth C0A800900000002E017A6338 (IP PHONE)
If I change authentication host-mode multi-auth to authentication host-mode multi-host, the IP phone can register but the laptop does not authenticate; it is assigned to the guest VLAN network segment (vlan 50).
SW_ISE#sh authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/15 3417.eb5a.a7ac N/A DATA Auth C0A800900000001100DD998F (laptop does not authenticate, received vlan 50 ip address)
regards
04-06-2016 12:35 AM
Hi,
So the IP phone should be authenticated by MAB?
And CDP is permitted on the switch port to recognize Cisco IP phones?
I guess you can see the phone's MAC address among Cisco IP phones in your ISE Identity Endpoint database?
And finally the Authorization Profile for Cisco IP Phones on your ISE is assigning them to the Voice Domain?
Best regards,
Milan
04-06-2016 09:02 AM
Hi Milan, thanks for your recommendations and time.
Yes, I want the IP phone authenticated by MAB, and the computer connected to the IP phone must be authenticated by 802.1X.
The IP phone is shown in the database, and the authorization profile for the IP phone has the following options, as shown in the screenshot.
SW_ISE#sh authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/15 0024.142d.d847 N/A UNKNOWN Unauth C0A8009000000010004753F4
Any other option I can check?
regards
04-06-2016 09:25 AM
Hi,
What does your authentication/authorization policy for MAB look like then?
Can't you see anything from the ISE Authentication Detail Report for the phone?
BR,
Milan