
Voice VLAN Dynamic Assignment

sholley
Level 1

We have a situation where when ISE does a dynamic VLAN assignment for the voice VLAN, the voice device does not auth like it should. From what we can tell ISE is doing its job. Auth logs on ISE show the phone being properly identified and assigned the VLAN/DACL/VOICE domain as expected. RADIUS debug on the switch confirms that the switch is getting the correct VLAN, but the switch appears not to apply it properly.

The switches that we are using are 2960S & 2960X switches running 15.2.2.e4 as the code level. Per the documentation you need to be at least at version 15.2.2.e3 to support ISE. We see this behavior on both models of 2960s.

We have tried the following:

- No voice VLAN defined: this resulted in the auth session being put in the voice domain, but not applying the VLAN that ISE assigned, and the status was "Unauth" rather than the usual "Auth" status.

- Voice VLAN defined as quarantine VLAN: same result as above.

- Voice VLAN defined as usual/correct VLAN for the switch: works great. But we're trying to avoid having to manually specify the voice VLAN on all switch ports.

- Removed voice domain from the ISE authorization policy. This, surprisingly, worked -- kinda. The switch used the VLAN specified by ISE for the phone's auth session, but in the data domain. But this won't play nice with "multi-domain" authorization -- since the phone and the workstation behind it are both put in the "data" domain, only one of them will function at a time.


Looking over documentation and others' trials and tribulations, this should work with the voice domain checked in the ISE authentication policy. The phone never gets authed, but on the data side all appears to work as expected.


Has anyone had this work as expected with the data & voice both being dynamically assigned?


Thanks,

Sam

Accepted Solution

Craig Hyps
Level 10

Make sure port is configured for MDA (authentication host-mode multi-domain) and not multi-auth.  Also, be sure to still send Voice VLAN permission in authorization.  You may need to also set some default Voice VLAN on port, but you can verify in testing.

Also, a point of clarification...

IOS 15.2(2)E4 is not the minimum required IOS version, but the minimum recommended version.

/Craig

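As an added check (not part of this thread, ISE or any Cisco tool), a small Python audit that applies Craig's two points to a switch running-config: it flags 802.1X-enabled ports whose host-mode is not multi-domain and notes ports with no default voice VLAN. The config excerpt and interface names are constructed for illustration only.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not from the thread): Gi1/0/1 has the MDA shape,
# Gi1/0/2 uses multi-auth, Gi1/0/3 has no host-mode line at all (IOS default: single-host).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [its indented config lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the interface block
    return interfaces

def audit_port(lines: List[str]) -> List[str]:
    """Findings for one port; empty list means the port matches the recommended shape."""
    if "authentication port-control auto" not in lines:
        return []  # port is not doing 802.1X/MAB, nothing to check
    findings = []
    modes = [l.split()[-1] for l in lines if l.startswith("authentication host-mode")]
    mode = modes[0] if modes else "single-host"  # IOS default when host-mode is absent
    if mode != "multi-domain":
        findings.append(f"WARN: host-mode is {mode}; phone+PC on one port need multi-domain")
    if not any(l.startswith("switchport voice vlan") for l in lines):
        findings.append("INFO: no default voice VLAN on port; thread suggests testing with one")
    return findings

def audit_config(config: str) -> Dict[str, List[str]]:
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}
```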

6 Replies

Yes, we have MDA and not multi-auth set on the port and we are sending the voice VLAN permission in the authorization. We have also tried with and without a default voice VLAN set on the port, and still see the same result.

Sam

Recommendation would be to open a TAC case.  It does not sound like an ISE issue, but behavior specific to switch model/version.

thomas
Cisco Employee

Per Craig's comment about recommended switch version... ignore the ISE Compatibility Guides' recommended switch IOS version at your own peril.  If it doesn't work and it's not an ISE-recommended version, it's probably a switch bug.

vibobrov
Cisco Employee

I don't think this is possible. Network devices don't take voice VLAN assignment via RADIUS. Voice VLAN has to be configured statically on the switch. You can try to use Auto Smartports to set the voice VLAN: Auto Smartport with Custom Trigger Configuration Example - Cisco.

The phone may take extra time to register in that case because it would have to wait for a CDP update and then re-IP on the new voice VLAN.

Viktor,

Dynamic Voice VLAN, as the name implies, is the ability to set the Voice VLAN from the AAA server. For more info, you can review the Catalyst IOS Configuration Guides, or this nice session from Shelly Cadora at Cisco Live 2012: Advanced IEEE 802.1X (2012 San Diego).

Regards,

Craig