Polycom IP-331 Data/Voice VLAN & Cisco ISE

Joshua Schroth
Level 1

We're having an issue with some old Polycom IP-331 phones and ISE. ISE will not authenticate any Polycom phone that shows its MAC address in both the Data VLAN (21) AND the Voice VLAN (22) on a switchport. When the MAC address table for a port only shows the PC in the Data VLAN and the phone in the Voice VLAN, ISE has no problem authenticating both. I do not understand why the phone sometimes lingers in the Data VLAN after being moved to the Voice VLAN, and other times it does not.

Having this issue on a 3850 switch stack on Denali 16.3.7 and a 3850 switch stack on 3.6.10.

Here's an example with the same Polycom phone on two different switch ports that are configured identically:

#show mac address-table int g2/0/3
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  21    0004.f2aa.1111    DYNAMIC     Gi2/0/3    <- Polycom phone
  21    a4bb.6d10.5555    DYNAMIC     Gi2/0/3    <- PC
  22    0004.f2aa.1111    DYNAMIC     Gi2/0/3    <- Polycom phone

#show auth sess int g2/0/3
Interface    MAC Address       Method   Domain    Status   Fg   Session ID
-----------  ----------------  -------  --------  -------  ---  ------------------------
Gi2/0/3      a4bb.6d10.5555    dot1x    DATA      Auth          0A67FE04000004FE7E292422
Gi2/0/3      0004.f2aa.1111    N/A      UNKNOWN   Unauth        0A67FE04000004FF7E292D25

#show mac address-table int g2/0/4
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  21    a4bb.6d10.5555    DYNAMIC     Gi2/0/4    <- PC
  22    0004.f2aa.1111    DYNAMIC     Gi2/0/4    <- Polycom phone

#show auth sess int g2/0/4
Interface    MAC Address       Method   Domain    Status   Fg   Session ID
-----------  ----------------  -------  --------  -------  ---  ------------------------
Gi2/0/4      0004.f2aa.1111    mab      VOICE     Auth          0A67FE04000005157E498D21
Gi2/0/4      a4bb.6d10.5555    dot1x    DATA      Auth          0A67FE04000005147E494A26

interface GigabitEthernet2/0/3 & GigabitEthernet2/0/4
description TEST DATA/VOIP FOR ISE
switchport access vlan 21
switchport mode access
switchport voice vlan 22
ip flow monitor Scrut_mon_input input
ip flow monitor Scrut_mon_output output
ip access-group ACL-ISE-LOWIMPACT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast
end

 

Scratching my head on this one. Any help would greatly be appreciated!

Accepted Solution

Joshua Schroth
Level 1
This issue was resolved by configuring device-tracking and enabling DHCP Snooping.


2 Replies

Francesco Molino
VIP Alumni
Hi

The important thing is to have an authorization profile pushed to the Polycom to put them into the voice domain.

Do you use LLDP (some Polycoms support CDP)? If configured correctly (I don't have a lot of knowledge of Polycom configuration), they can get their voice VLAN from LLDP; otherwise they start sending data in the data domain until they retrieve their config file and then move to the voice VLAN.

You're not doing multi-domain authentication, which can result in many issues in that specific case. You're using multi-auth, which isn't impacting anything if you push them into the voice domain with their voice VLAN.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
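Editor's note: the two fixes raised in this thread (the accepted solution's device-tracking plus DHCP snooping, and the reply's multi-domain host mode with LLDP-MED for the voice VLAN) fit together on one edge port. The configuration below is an added example, not config from the original poster or from Cisco documentation. It reuses VLAN 21/22, Gi2/0/3 and the ACL name from the post; the uplink interface name, the device-tracking policy name and the 16.x SISF syntax are assumptions (the post does not say which device-tracking form was used; the 3.6.10 stack would take the legacy global form noted in the comments).

```cisco
! Added example (not from the original post). VLAN 21 = data, VLAN 22 = voice,
! Catalyst 3850. Names marked ASSUMED do not appear in the thread.
!
! ---- Global ----
! LLDP-MED advertises the voice VLAN to the Polycom before it sends any traffic,
! so the phone does not start in the data VLAN. The network-policy TLV is
! selected by default once LLDP runs.
lldp run
!
! DHCP snooping builds the binding table that device-tracking and the
! IP-to-session mapping depend on.
ip dhcp snooping
ip dhcp snooping vlan 21,22
! Caveat: snooping inserts DHCP option 82 by default. Relayed DHCP can break
! unless this is disabled here or the relay has
! "ip dhcp relay information trust-all".
no ip dhcp snooping information option
!
! SISF device-tracking, IOS-XE 16.x syntax (policy name ASSUMED).
! On the 3.6.10 stack use the legacy global command "ip device tracking" instead.
device-tracking policy IPDT-SISF
 tracking enable
!
! ---- Uplink (interface name ASSUMED) ----
! Uplinks toward the DHCP server MUST be trusted, or DHCP offers are dropped
! and every phone and PC on the switch loses addressing.
interface TenGigabitEthernet1/1/1
 description UPLINK
 ip dhcp snooping trust
!
! ---- Edge port: the post's config, with multi-domain instead of multi-auth ----
interface GigabitEthernet2/0/3
 description DATA/VOIP FOR ISE
 switchport mode access
 switchport access vlan 21
 switchport voice vlan 22
 device-tracking attach-policy IPDT-SISF
 ! Low-impact pre-auth ACL from the post. Whatever it contains, it must permit
 ! DHCP, DNS and the phone's provisioning transport (TFTP/FTP/HTTP(S)) so the
 ! phone can boot before authorization completes.
 ip access-group ACL-ISE-LOWIMPACT in
 ! multi-domain = exactly one DATA and one VOICE session per port. A device
 ! lands in the VOICE domain only if ISE returns the VSA
 ! cisco-av-pair=device-traffic-class=voice (ISE "Voice Domain Permission").
 ! Without that attribute the phone takes the single DATA slot and the PC is
 ! then a violation, so the ISE authorization profile must carry it.
 authentication host-mode multi-domain
 authentication event fail action next-method
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! A phone with no supplicant waits tx-period x (max-reauth-req + 1)
 ! = 7 x 4 = 28 s of EAPOL silence before MAB starts.
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
!
! ---- Verification after a phone reboot ----
! show device-tracking database interface GigabitEthernet2/0/3
! show ip dhcp snooping binding
! show authentication sessions interface GigabitEthernet2/0/3 details
! show lldp neighbors GigabitEthernet2/0/3 detail
```

The checks at the end are the ones that distinguish the two cases shown in the post: a healthy port shows the phone MAC only in VLAN 22 in the MAC table, a VOICE-domain session in `show authentication sessions`, a binding for it in the snooping table, and the Polycom as an LLDP-MED neighbor reporting the voice VLAN.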
