We have ISE 2.2 deployment.
Data domain is configured for Guest network and ISE assigns different VLAN dynamically based on authentication. Works perfect, no issues.
On voice side, voice domain is configured on switch to use a blackhole vlan for voice(non-routed, goes nowhere). ISE dynamically assigns a vlan that allows collaboration endpoints to reach CUCM, other endpoints, etc. Works perfectly fine for phones. Works 99% of the time for video endpoints and touch panels. The other 1% is a pain in the ass. Sometimes, video endpoints will unregister from CUCM or show down in TMS and we have to either bounce port to get them on the network again or sometimes even take ISE config off port temporarily because the endpoint can't grab an IP from DHCP. Even static IP endpoints can't talk in these instances. "show authentication interface gi1/0/1 details" however shows that the correct VLAN has been assigned to the port and spanning-tree is forwarding on the port. The MAC is also seen on the port and on the correct VLAN.
Cisco TAC's response has been "Dynamic VLAN assignment isn't supported for voice". My response was, "Really?"
Has anyone had similar issues but only with video endpoints and touch panels? The policies in ISE are the same as are the switchport configs.
Switches vary: either a 9300 running 16.6.6 or a 2960X running 15.2(4)E6/E8.
Switchport config:

```
switchport access vlan 224
switchport mode access
switchport voice vlan 281
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 224
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
no authentication open
mab
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 7
dot1x timeout ratelimit-period 300
spanning-tree portfast
auto qos voip cisco-phone
trust device cisco-phone
```
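The troubleshooting step the post describes (checking that the voice-domain session is authorized, in the ISE-assigned VLAN, and whether the switch has learned an IP for it) is easy to automate when the symptom is intermittent. The script below is an added example, not code from the original post or from Cisco: it parses the per-session output of `show authentication sessions interface <port> details` and flags the two states worth separating before bouncing a port, a voice session still sitting in the blackhole voice VLAN (dynamic VLAN never applied) versus a voice session that is authorized in the expected VLAN but has no IPv4 address learned (the post's "can't grab an IP" case). The sample output is constructed to approximate IOS-XE 16.x formatting, the expected ISE VLANs 230 and 285 are hypothetical, and the IPv4 field only reflects what IP device tracking has seen, so an "Unknown" is evidence, not proof, that DHCP failed.

```python
import re
from typing import Dict, List, Optional

# Assumed ISE authorization-profile VLANs for this example; the post only
# gives the static access VLAN 224 and the blackhole voice VLAN 281.
EXPECTED_VLAN = {"DATA": 230, "VOICE": 285}
BLACKHOLE_VOICE_VLAN = 281  # "switchport voice vlan 281" from the post

# Constructed sample output (not from the original post), approximating
# "show authentication sessions interface ... details" on IOS-XE 16.x.
# Gi1/0/1: healthy data session plus an authorized voice session with no IP.
# Gi1/0/2: voice session that never left the blackhole VLAN.
SAMPLE_OUTPUT = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0011.2233.4455
         IPv4 Address:  10.230.0.15
            User-Name:  host/pc01.example.internal
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-domain
    Common Session ID:  0A01010100000001AAAAAAAA

Server Policies:
           Vlan Group:  Vlan: 230

            Interface:  GigabitEthernet1/0/1
          MAC Address:  00aa.bbcc.ddee
         IPv4 Address:  Unknown
            User-Name:  00-AA-BB-CC-DD-EE
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-domain
    Common Session ID:  0A01010100000002BBBBBBBB

Server Policies:
           Vlan Group:  Vlan: 285

            Interface:  GigabitEthernet1/0/2
          MAC Address:  0099.8877.6655
         IPv4 Address:  Unknown
            User-Name:  00-99-88-77-66-55
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-domain
    Common Session ID:  0A01010100000003CCCCCCCC

Server Policies:
           Vlan Group:  Vlan: 281
"""

# "Key:  value" lines; headings like "Server Policies:" have no value and are skipped.
KV_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9 /-]*?):\s+(\S.*?)\s*$")
VLAN_RE = re.compile(r"Vlan:\s*(\d+)")


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Return one dict per session; a session starts at each 'Interface:' line."""
    sessions: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Interface":
            current = {"Interface": value}
            sessions.append(current)
        elif current is not None:
            if key == "Vlan Group":          # "Vlan Group:  Vlan: 285"
                vm = VLAN_RE.search(value)
                if vm:
                    current["Vlan"] = vm.group(1)
            else:
                current[key] = value
    return sessions


def triage(sessions: List[Dict[str, str]]) -> List[str]:
    """Classify each session; returns human-readable findings, in session order."""
    findings: List[str] = []
    for s in sessions:
        tag = f"{s['Interface']} {s.get('Domain', '?')} {s.get('MAC Address', '?')}"
        domain = s.get("Domain")
        vlan = int(s["Vlan"]) if "Vlan" in s else None
        if s.get("Status") != "Authorized":
            findings.append(f"{tag}: status {s.get('Status')}")
            continue
        if domain == "VOICE" and vlan == BLACKHOLE_VOICE_VLAN:
            findings.append(f"{tag}: authorized but still in blackhole voice VLAN "
                            f"{vlan}; dynamic VLAN was not applied")
            continue
        expected = EXPECTED_VLAN.get(domain or "")
        if expected is not None and vlan != expected:
            findings.append(f"{tag}: VLAN {vlan}, expected {expected}")
            continue
        if s.get("IPv4 Address", "Unknown") == "Unknown":
            # Authorized in the right VLAN yet no IP learned: the post's 1% case.
            findings.append(f"{tag}: authorized in VLAN {vlan} but no IPv4 address "
                            f"learned; check DHCP/endpoint before bouncing the port")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_sessions(SAMPLE_OUTPUT)):
        print(finding)
```

Paste real `details` output in place of the constructed sample (or feed it from a file); the parser only relies on the `Key:  value` layout and the `Vlan Group:  Vlan: N` line, so it tolerates the extra fields a live switch prints.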