Dynamic voice VLAN assignment when different phone systems are in play

First, understand I have no control over the different types of phone systems. This is a very large enterprise that is a child of an even larger enterprise (50K plus users). The parent organization uses a Cisco phone system while the child organization (the one I'm in) uses an NEC phone system. The child org is health care while the parent is EDU. The parent org has networks within our org that must be separated by VRF because of HIPAA. One of those scenarios is voice. Whenever the parent needs to place a voice network on one of our switches that already has our voice network on it, we have to start manually configuring ports for different voice VLANs instead of just setting a default voice VLAN on all the switchports. This causes all kinds of issues with automation, as you can imagine.

My question is simply this: using Cisco ISE (3.0+), can I dynamically assign the voice VLAN for each port based on the type of device that's connecting (using either MAB or 802.1X)? I've been trying to test this but I'm not getting anywhere.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Arne Bier
VIP

Do you get hits against those AuthZ rules? And can you see that the Template has been mentioned in the Access-Accept in each case?

Yes in both cases.  Here's the result for one of the NEC phones I'm testing with:

[Screenshot: ISE authorization result for the NEC phone under test]

On the switch side, it's complaining there isn't already a voice vlan and it's trying to connect the phone to the data vlan:

%DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN ^A on port TwoGigabitEthernet1/0/5 cannot be equivalent to the Voice VLAN AuditSessionID

And then ends with:

%SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (blah blah) on Interface TwoGigabitEthernet1/0/5 AuditSessionID 0400040A00000018A4B1EC84.

I'll also add that when I switch to 802.1X, the phone authenticates using creds we hard-coded on it. So authentication is working. What's broken is the interface template being passed back to the switch so the switchport voice command can be applied.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Have you tried putting a voice vlan on the interface (even if it's not the one you might need in the AAA case)? If this doesn't work, then I would assume that dynamic voice domain VLAN assignment just wasn't ever meant to work.

Yes, I've tried it while using MAB to authenticate but not 802.1X. I'll try that next if I can.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.
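For readers following the thread, here is what Arne's suggestion looks like on the switch, as an added illustration that is not from the original posts: a baseline voice VLAN on the port, plus one interface template per phone system that ISE selects through the Cisco-AVPair in its Access-Accept. VLAN IDs, template names and the interface are assumptions; the MAB/802.1X authenticator settings on the port are assumed to already exist, since authentication itself works in the thread.

```text
! --- Switch side (Catalyst IOS-XE), constructed example ---
! VLAN IDs, template names and the interface are assumptions.
vlan 10
 name DATA
vlan 200
 name VOICE_NEC
vlan 300
 name VOICE_CISCO
vlan 999
 name VOICE_PLACEHOLDER
!
! One interface template per phone system. ISE decides which one to push
! by matching the phone (MAB endpoint profile or 802.1X identity).
template VOICE_NEC
 switchport voice vlan 200
!
template VOICE_CISCO
 switchport voice vlan 300
!
interface TwoGigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ! Baseline voice VLAN (Arne's suggestion): the port has a voice domain
 ! before AAA runs. It must differ from the access VLAN, otherwise the
 ! switch logs DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN and the session fails.
 switchport voice vlan 999
 ! MAB / 802.1X authenticator settings are assumed to already be here.
!
! --- ISE side: authorization profile for NEC phones ---
! Attributes the Access-Accept must carry (Cisco:cisco-av-pair):
!   device-traffic-class=voice           -> "Voice Domain Permission"
!   interface-template-name=VOICE_NEC    -> "Interface Template" common task
! A second profile for Cisco phones pushes interface-template-name=VOICE_CISCO.
! Without device-traffic-class=voice the phone is placed in the data domain,
! which is what the SESSION_MGR-5-FAIL in the thread looks like from the switch.
!
! --- Verification after a phone authenticates ---
! show derived-config interface TwoGigabitEthernet1/0/5
!   (the template's 'switchport voice vlan 200' appears merged into the port)
! show access-session interface TwoGigabitEthernet1/0/5 details
```

The VLANs named in the templates must exist on the switch, or the template applies but the phone still has no usable voice domain.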