
ISE 2.3 not able to apply voice vlan with authZ profile??

Eric Hansen
Level 1

ISE2.3 Patch 5, Cisco 3650 16.3.7, Avaya 1608


So I have this 3650 and I run a heavy port config without any templates. I don't run 'switchport access vlan XXX' or 'switchport voice vlan YYY'; I assign those values via ISE authorization profile. I'm not running any ACLs either, pretty open setup. And for every data vlan this is working great.

However when I plug an Avaya IP Phone, the only phone at my disposal, into the port I get "Authorization failed or unapplied for client".

[Port Config]
interface GigabitEthernet1/0/47
switchport mode access
device-tracking attach-policy TRACKING_POLICY
authentication periodic
authentication timer reauthenticate server
access-session port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 2
storm-control broadcast level bps 1m 500k
auto qos trust
spanning-tree portfast
spanning-tree bpduguard enable
service-policy type control subscriber POLICY_RADIUS
service-policy input AutoQos-4.0-Trust-Cos-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping limit rate 100
end

[Auth Pro]
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:110
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
cisco-av-pair = device-traffic-class=voice


TAC is telling me that I have to have 'switchport voice vlan XXX' on the switchport or this will never work. But if that's the case, then why does ISE have 'voice domain permission' (cisco-av-pair = device-traffic-class=voice) in the authorization profile? This works fine with data, but for some reason I can't assign the voice vlan off an Authorization Profile... even though it seems like ISE is designed to do exactly this.

EDIT: Tested, also a problem on 16.6.4 and 16.9.2. Identical verbiage in debugs.

Accepted Solution

So a thought comes to mind after reviewing RFC 3580. Your tunnel attributes look fine, but how does the switch know that this is for the voice vlan and not the data vlan? The RFC does not have a defined method for voice vs data, so it wouldn't surprise me that it will only work for data.


I take it that "device-traffic-class=voice" only applies to a preconfigured voice vlan, which in your case doesn't exist. The switch has no voice vlan configured, the tunnel attributes apply to the standard data vlan config, so the switch can't authorize the endpoint into a non-existent voice vlan.


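As an added illustration of the reasoning in the accepted solution (example code, not from the thread, ISE or Cisco), the following Python lint parses an ISE authorization profile dump like the one posted above, checks that the tunnel attributes carry the RFC 3580 VLAN values (Tunnel-Type 13, Tunnel-Medium-Type 6), and flags a voice-domain AV-pair sent to a port that has no static 'switchport voice vlan'. The voice rule encodes the thread's explanation as an assumption, not documented switch logic, and the sample profile and port stanzas are constructed from the posts.

```python
import re

TUNNEL_TYPE_VLAN = "13"      # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = "6"      # RFC 2868 Tunnel-Medium-Type value for IEEE-802
VOICE_AVPAIR = "device-traffic-class=voice"

# Constructed sample input, copied from the profile and port in this thread
AUTHZ_PROFILE = """Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:110
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
cisco-av-pair = device-traffic-class=voice"""
PORT_NO_VOICE = "interface GigabitEthernet1/0/47\n switchport mode access\n mab\n"
PORT_WITH_VOICE = PORT_NO_VOICE + " switchport voice vlan 110\n"

def parse_profile(text):
    """Parse 'Attribute = [tag:]value' lines; the '1:' prefix is the RFC 2868 tunnel tag."""
    attrs = {}
    for line in text.strip().splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        tagged = re.fullmatch(r"\d+:(.*)", value)
        attrs[key] = tagged.group(1) if tagged else value
    return attrs

def port_voice_vlan(config):
    """Return the statically configured voice VLAN of an interface stanza, or None."""
    m = re.search(r"^\s*switchport voice vlan (\d+)", config, re.M)
    return int(m.group(1)) if m else None

def lint_authz(profile_text, port_config):
    """Findings for a profile applied to a port. The voice rule models the behaviour
    reported in this thread (an assumption, not documented switch logic): tunnel
    attributes select the data VLAN, and device-traffic-class=voice can only move the
    endpoint into a voice VLAN that the port already has configured."""
    attrs = parse_profile(profile_text)
    findings = []
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        findings.append("Tunnel-Type is not VLAN (13)")
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        findings.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    if "Tunnel-Private-Group-ID" not in attrs:
        findings.append("no Tunnel-Private-Group-ID: switch keeps its static VLAN")
    if attrs.get("cisco-av-pair") == VOICE_AVPAIR and port_voice_vlan(port_config) is None:
        findings.append("voice domain requested but port has no 'switchport voice vlan'")
    return findings

if __name__ == "__main__":
    print(lint_authz(AUTHZ_PROFILE, PORT_NO_VOICE))    # flags the missing voice vlan
    print(lint_authz(AUTHZ_PROFILE, PORT_WITH_VOICE))  # []
```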

5 Replies

Timothy Abbott
Cisco Employee

This is most likely an issue with the code running on the 3650.  Please continue to work with the TAC to determine why it behaves in that manner.


Regards,

-Tim

TAC has already closed my case stating "you have to have switchport voice vlan XXX or this will not work".  Are you saying otherwise?


Yes, that would be correct: the switch... the switchport has no knowledge of the voice vlan; I'm depending on the ISE AuthZ Profile for that. I'm using device sensors on the 3650 for DHCP and LLDP, taking that MAC address and profiling the device as an Avaya-Phone, which then calls the authorization profile to set the vlan and "voice domain permission" AKA (cisco-av-pair = device-traffic-class=voice). Which tells me that at that point it should work, but it doesn't.

Can I run switchport voice vlan 110 on every port? Sure. The problem stems from data devices being in the same vlan, and they need to be 'switchport access vlan 110'. So if switchport voice vlan 110 is on the port, then those stop working. How would it be if I could profile and deposit the voice domain permission attribute for IP phone devices, then not deliver it for devices that need to be in that same vlan but are not VoIP devices?

[Auth Pro]
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:110
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
cisco-av-pair = device-traffic-class=voice

which I believe would override the Voice VLAN configured on the switch interface.

I do not think you need the Cisco-AVpair for voice, as you mentioned both data and voice use the same VLAN.