IP phone issue

Sep 27th, 2010

Hi,


I am using Cisco L2 NAC OOB real IP and OOB virtual IP.


Now when users are connected to the same IP phone port, that port has to be kept unmanaged due to phone authentication, and as a result NAC is never used on the machines connected to the IP phone.


Any solution would be helpful.

Faisal Sehbai Mon, 09/27/2010 - 08:38

Raja,


You have to put the phone's MAC address on the CAM as an IGNORE filter list. This way the CAM ignores the MAC notifications coming with the phone's MAC address and authenticates/posture-assesses the PC only.


More details on IPT setup with CCA here:


http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html#wp1191758


HTH,

Faisal

rajasbha Sun, 10/03/2010 - 23:53

Hi,


Thanks


But if I do not have a separate voice VLAN, is there any other option available?



rgds

Faisal Sehbai Mon, 10/04/2010 - 13:36

Rajashree,


So your voice traffic uses the data VLAN also?


Faisal

--

If you find this post helpful, please rate so others can find the answer easily

rajasbha Tue, 10/05/2010 - 01:21

Hi,


Thanks for your help, Faisal.


Unfortunately we do not have a separate VLAN.


Any workaround?



Regs

Faisal Sehbai Tue, 10/05/2010 - 19:26

Rajashree,


Unfortunately not any good solutions then. When you have both your phone and data going through the same VLAN, then you can try putting the phone MAC address in the IGNORE filter list and hope for the best that your voice quality doesn't drop. Theoretically it should work since CAM should ignore the phone's MAC address, but you'll have to also adjust your port profile to ignore any new MAC addresses.


HTH,

Faisal


rajasbha Mon, 11/08/2010 - 22:34

Hi,


I tested with filters, but when I bounce the PC's port the IP phone is also rebooting at that time (which I don't want).


I do not want the IP phone to change VLAN at the time when the PC goes to the authenticating VLAN.



I suppose this cannot be achieved without a separate VLAN.



I want to create a separate voice VLAN.


Can anyone point out the steps required for OOB virtual gateway for IP phone? I am also using AD SSO for authentication.


Thanks in advance

Tiago Antunes Tue, 11/09/2010 - 01:39

Hi,


Regarding SSO please take a look into the config example:

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080884229.shtml.


OOB VG for IPT:

https://supportforums.cisco.com/docs/DOC-13892.


HTH,

Tiago


--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

rajasbha Wed, 11/10/2010 - 20:25

Hi,


Thanks so much for the pdf.


Now I got it partly working, i.e. now the IP phone does not bounce.


But when I disconnect the LAN or I bounce the LAN port, the PC does not go to the authentication VLAN.



I do not get a pop up each time when I log into the PC.


My authentication VLAN is VLAN 400. Created a voice VLAN 10 and access VLAN is 1.


But when I bounce the port, my PC does not go to VLAN 400.


Thanks in advance for your help

Lauren Sullivan Fri, 11/12/2010 - 05:39

Are you sending SNMP linkup/linkdown traps to the CAM? Do you have the port profile configured to remove the user from the OOB list and move it back to the auth VLAN when it receives a linkdown trap?
