04-16-2020 10:07 AM
We're having an issue with some old Polycom IP-331 Phones and ISE. ISE will not authenticate any Polycom Phones that show their MAC Address in the Data VLAN (21) AND Voice VLAN (22) on a switchport. When the MAC Address table for a port only shows the PC in the Data VLAN, and the phone in the Voice VLAN, then ISE has no problem authenticating both. I do not understand why sometimes the phone lingers in the Data VLAN after being moved to the Voice VLAN, and other times it does not.
Having this issue on a 3850 Switch Stack on Denali 16.3.7 and a 3850 Switch Stack on 3.6.10.
Here's an example with the same Polycom Phone on two different switch ports that are configured identically:
#show mac address-table int g2/0/3
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  21    0004.f2aa.1111    DYNAMIC     Gi2/0/3    <- polycom phone
  21    a4bb.6d10.5555    DYNAMIC     Gi2/0/3    <- PC
  22    0004.f2aa.1111    DYNAMIC     Gi2/0/3    <- polycom phone

#show auth ses int g2/0/3
Interface    MAC Address       Method  Domain   Status  Fg  Session ID
--------------------------------------------------------------------------------------------
Gi2/0/3      a4bb.6d10.5555    dot1x   DATA     Auth        0A67FE04000004FE7E292422
Gi2/0/3      0004.f2aa.1111    N/A     UNKNOWN  Unauth      0A67FE04000004FF7E292D25

#show mac address-table int g2/0/4
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  21    a4bb.6d10.5555    DYNAMIC     Gi2/0/4    <- PC
  22    0004.f2aa.1111    DYNAMIC     Gi2/0/4    <- polycom phone

#show auth sess int g2/0/4
Interface    MAC Address       Method  Domain   Status  Fg  Session ID
--------------------------------------------------------------------------------------------
Gi2/0/4      0004.f2aa.1111    mab     VOICE    Auth        0A67FE04000005157E498D21
Gi2/0/4      a4bb.6d10.5555    dot1x   DATA     Auth        0A67FE04000005147E494A26

interface GigabitEthernet2/0/3 & GigabitEthernet2/0/4
 description TEST DATA/VOIP FOR ISE
 switchport access vlan 21
 switchport mode access
 switchport voice vlan 22
 ip flow monitor Scrut_mon_input input
 ip flow monitor Scrut_mon_output output
 ip access-group ACL-ISE-LOWIMPACT in
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
end

Scratching my head on this one. Any help would greatly be appreciated!
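
To sweep a whole stack for the symptom described in the post, the following added example (not part of the original post, and not Cisco or ISE tooling) parses pasted `show mac address-table` and `show authentication sessions` output and reports every MAC learned in both the data and voice VLAN on one port, together with its session state. The sample rows are the ones posted above with the annotations dropped; the function names and the VLAN defaults of 21 and 22 are assumptions taken from this configuration.

```python
import re
from collections import defaultdict

# Sample input: rows copied from the outputs in the post (annotations dropped).
MAC_TABLE = """\
  21    0004.f2aa.1111    DYNAMIC     Gi2/0/3
  21    a4bb.6d10.5555    DYNAMIC     Gi2/0/3
  22    0004.f2aa.1111    DYNAMIC     Gi2/0/3
  21    a4bb.6d10.5555    DYNAMIC     Gi2/0/4
  22    0004.f2aa.1111    DYNAMIC     Gi2/0/4
"""
AUTH_SESSIONS = """\
Gi2/0/3  a4bb.6d10.5555  dot1x  DATA     Auth    0A67FE04000004FE7E292422
Gi2/0/3  0004.f2aa.1111  N/A    UNKNOWN  Unauth  0A67FE04000004FF7E292D25
Gi2/0/4  0004.f2aa.1111  mab    VOICE    Auth    0A67FE04000005157E498D21
Gi2/0/4  a4bb.6d10.5555  dot1x  DATA     Auth    0A67FE04000005147E494A26
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# vlan, mac, (type skipped), port; header and separator rows do not match.
MAC_ROW = re.compile(rf"^\s*(\d+)\s+({MAC})\s+\S+\s+(\S+)", re.I | re.M)
# interface, mac, method, domain, status
SESS_ROW = re.compile(rf"^\s*(\S+)\s+({MAC})\s+(\S+)\s+(\S+)\s+(\S+)", re.I | re.M)

def vlans_by_port_mac(mac_table):
    """Map (port, mac) to the set of VLANs the MAC was learned in."""
    seen = defaultdict(set)
    for vlan, mac, port in MAC_ROW.findall(mac_table):
        seen[(port, mac.lower())].add(int(vlan))
    return seen

def session_state(auth_sessions):
    """Map (port, mac) to (method, domain, status)."""
    return {(port, mac.lower()): (method, domain, status)
            for port, mac, method, domain, status in SESS_ROW.findall(auth_sessions)}

def dual_vlan_macs(mac_table, auth_sessions, data_vlan=21, voice_vlan=22):
    """Return (port, mac, session) for MACs seen in both VLANs on one port."""
    sessions = session_state(auth_sessions)
    return [(port, mac, sessions.get((port, mac)))
            for (port, mac), vlans in sorted(vlans_by_port_mac(mac_table).items())
            if {data_vlan, voice_vlan} <= vlans]

if __name__ == "__main__":
    for port, mac, state in dual_vlan_macs(MAC_TABLE, AUTH_SESSIONS):
        print(port, mac, state)
```
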