IC-4000 config for device behind VoIP phone

srv.seguridad_
Occasional Contributor

IC-4000 config for device behind VoIP phone

Hi, we are currently testing the MAC address authentication feature of the IC series.

We have IC-4000, Cisco switches and a Cisco phone.

What we want to do is to connect an endpoint to a phone, and the phone to the switch. The phone voice traffic should go to a specific VLAN and the data from the PC connected to the phone should be sent to a different VLAN, depending on the success of 802.1x authentication and the assigned roles depending on the host checker compliance, etc.

The switch port is 802.1x enabled and switchport voice vlan is set to 3.

On the IC Network Access > Radius Attributes, we've set a new policy for VoIP phones:

VLAN = 3

Return Attribute:

tunnel-type 13

tunnel-medium-type 6

tunnel-private-group-id 3

This configuration is currently working for other VLANs where 802.1x endpoints are being connected directly to the switch, with or without Odyssey Access Client.

The problem is that although the IC seems to be assigning VLAN = 3 to the phone and its corresponding role, and VLAN = 30 to the endpoint connected to the phone and its corresponding role (checked this on Log/Monitoring > User Access), the switch's interface keeps showing the native access VLAN, which in this case is 1.

I've been checking Cisco forums for switch configuration and everything seems to be OK, so I wonder if there is any parameter I'm missing on the IC configuration.

Thanks,

Gorka.

2 REPLIES
CraigB_
Frequent Contributor

Re: IC-4000 config for device behind VoIP phone

Do you have the Cisco set for Multi-Host or Multi-Auth on the port?

Does a packet capture show the VLAN info going back correctly?

Thanks

Craig

srv.seguridad_
Occasional Contributor

Re: IC-4000 config for device behind VoIP phone

I've tried setting the port in both multi-host and multi-domain modes.

In multi-host, phone and endpoint authenticate and are granted access, but the phone is assigned an IP from the same VLAN as the endpoint and traffic, and is not even shown in the dot1x authentication table.

In multi-domain, neither the phone nor the endpoint authenticates.

In both cases, the UAC logs show the devices authenticating correctly against the RADIUS server, and the correct roles and policies are assigned. The phone and the endpoint are assigned their different corresponding VLANs.

The switch also shows the correct VLAN for each device, but the authentication will fail.

The phone is using MAC Authentication Bypass since it's not 802.1x capable, and the UAC is authenticating it correctly through the configured MAC authentication server.

I've seen some configuration examples on the Cisco forums, and the switch should display 2 separate domains in multi-domain mode, one for DATA and one for VOICE, but in my case both appear as UNKNOWN.

I've seen there is a special RADIUS return attribute to tell the switch that the traffic coming from the phone should be assigned to the VOICE domain:

device-traffic-class=voice

I've been trying to insert it into the RADIUS policy for the IP Phones role, but I'm getting a warning message:

Selection of mismatching VSA attributes, could result in rejecting the device.

I'm inserting it as

Attribute: Cisco-AVPAIR

Value: device-traffic-class=voice

Is that the correct syntax?

Thanks!
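The thread turns on two things: the three RFC 2868 tunnel attributes the IC returns for VLAN assignment (tunnel-type 13, tunnel-medium-type 6, tunnel-private-group-id) and Cisco's `device-traffic-class=voice` AV pair for the voice domain, plus Craig's suggestion to confirm in a packet capture that the VLAN info is going back correctly. The script below is an added example, not code from the thread or from the IC/UAC product: it encodes those attributes the way they appear on the wire in an Access-Accept, then decodes an attribute list and checks the consistency a switch needs (all three tunnel attributes present, matching tag, VLAN type 13, medium 6, numeric group ID). The Cisco vendor ID 9 and Cisco-AVPair vendor-type 1 are the standard RADIUS dictionary values; the sample attribute bytes are constructed by the script itself.

```python
"""Encode and validate RADIUS Access-Accept attributes for dynamic VLAN
assignment (RFC 2868 / RFC 3580) and Cisco's voice-domain AV pair.
Added example; assumes standard attribute numbers and the Cisco dictionary."""
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # vendor-type of Cisco-AVPair inside the VSA

TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6   # Tunnel-Medium-Type value "IEEE-802"
VOICE_AVPAIR = b"device-traffic-class=voice"


def _avp(attr_type, value):
    """Type(1) Length(1) Value: Length counts the two header octets."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: 1-octet tag followed by a 3-octet integer."""
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string: 1-octet tag (0x01..0x1F) followed by the string."""
    return _avp(attr_type, bytes([tag]) + text.encode())


def cisco_avpair(text):
    """Vendor-Specific (26): Vendor-Id(4) then vendor-type, vendor-length, string."""
    payload = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    return _avp(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_vlan_accept(vlan, voice=False, tag=1):
    """Attribute list the RADIUS server would return for a VLAN assignment;
    voice=True adds the Cisco AV pair that places the session in the VOICE domain."""
    attrs = (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
             + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))
    if voice:
        attrs += cisco_avpair(VOICE_AVPAIR.decode())
    return attrs


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def check_vlan_assignment(data):
    """Return (vlan_id, voice_domain) if the tunnel attributes are consistent,
    otherwise raise ValueError naming what a switch would have to reject."""
    tunnel_type = tunnel_medium = group = None
    voice = False
    for attr_type, v in parse_attributes(data):
        if attr_type == TUNNEL_TYPE:
            tunnel_type = (v[0], int.from_bytes(v[1:], "big"))
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            tunnel_medium = (v[0], int.from_bytes(v[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet above 0x1F is not a tag: the whole value is the string.
            group = (0, v.decode()) if v[0] > 0x1F else (v[0], v[1:].decode())
        elif attr_type == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", v[:4])[0]
            if vendor == VENDOR_CISCO and v[4] == CISCO_AVPAIR:
                if v[6:4 + v[5]] == VOICE_AVPAIR:
                    voice = True
    if None in (tunnel_type, tunnel_medium, group):
        raise ValueError("missing Tunnel-Type, Tunnel-Medium-Type or Tunnel-Private-Group-ID")
    if tunnel_type[1] != TUNNEL_TYPE_VLAN:
        raise ValueError(f"Tunnel-Type is {tunnel_type[1]}, expected 13 (VLAN)")
    if tunnel_medium[1] != TUNNEL_MEDIUM_IEEE802:
        raise ValueError(f"Tunnel-Medium-Type is {tunnel_medium[1]}, expected 6 (IEEE-802)")
    tags = {t for t in (tunnel_type[0], tunnel_medium[0], group[0]) if t != 0}
    if len(tags) > 1:
        raise ValueError(f"tunnel attribute tags differ: {sorted(tags)}")
    if not group[1].isdigit():
        raise ValueError(f"Tunnel-Private-Group-ID {group[1]!r} is not a numeric VLAN id")
    return int(group[1]), voice


if __name__ == "__main__":
    # Constructed samples: the phone policy (VLAN 3, voice domain) and the data policy (VLAN 30).
    for name, blob in (("phone", build_vlan_accept(3, voice=True)), ("pc", build_vlan_accept(30))):
        print(name, blob.hex(), "->", check_vlan_assignment(blob))
```

To check a real capture, copy the attribute bytes of the Access-Accept (everything after the 20-octet RADIUS header) into `check_vlan_assignment`; a missing attribute, a tag mismatch between the three tunnel attributes, or a non-numeric group ID is the kind of defect that leaves the port on its native VLAN even though the server log shows the right role.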