Open mode (monitor mode) with ISE and Catalyst switches

Unanswered Question
Nov 12th, 2012

Hi There,

Anyone know if the following observation is correct?

From the TrustSec 2.1 "Monitor Mode" guide I get the idea that Open mode is not really as zero-impact in the data gathering part of an ISE deployment as I was expecting. The guide describes using Profiling to authorize Cisco IP phones for the Voice VLAN.

- Does this mean that regular methods like using CDP won't work for this once I enable dot1x on an access switch port interface?

- And that I will need to figure out which ports should be set for multi-domain (phone + PC), and which should be set for multi-auth (possibly multiple devices on one port) during the open mode period?

Regards

Jan

cisconspasov Mon, 11/12/2012 - 22:15

Hello Jan-

Below is my input to your questions:

From the TrustSec 2.1 "Monitor Mode" guide I get the idea that Open mode is not really as zero-impact in the data gathering part of an ISE deployment as I was expecting.

Yes, a device is still allowed on the network even if it fails all authentication methods (MAB, 802.1X, etc.). Basically, you use monitor mode to perform discovery and see what would have been blocked had ISE been deployed in production.


The guide describes using Profiling to authorize Cisco IP phones for the Voice VLAN.

Yes, you can use profiling to do this. Keep in mind that you will need advanced licensing for this. Otherwise, you can either use MAB with static MACs imported/entered into the local database, or EAP-TLS with phone certificates.

- Does this mean that regular methods like using CDP won't work for this once I enable dot1x on an access switch port interface?

CDP will still work; in fact, some of the profiling happens thanks to CDP. However, the device is simply not going to be allowed onto the network and the Voice VLAN unless it passes authentication/authorization.


- And that I will need to figure out which ports should be set for multi-domain (phone + PC), and which should be set for multi-auth (possibly multiple devices on one port) during the open mode period?

This really depends on how secure you want your network to be.

Hope this helps!

Thank you for rating!

jan.nielsen Tue, 11/13/2012 - 16:01

I understand the basics of how open mode works, but thanks for the reply. But specifically for IP phones, are you saying that if I don't authenticate and authorize IP phones in open mode (monitor mode), they won't get access to the voice VLAN even though CDP has told the phone to tag its traffic in the voice VLAN?

cisconspasov Tue, 11/13/2012 - 17:45

Sorry Jan, apparently I did not read your question carefully and thoroughly enough. I see what you are asking now and my answer is "I am not 100% sure." My understanding was that in open mode a device is allowed on the network even if it fails authentication and regardless of what rules might sit on ISE (unless you send a RADIUS Reject message). However, re-reading the TrustSec guide for that section is making me question this now. The verbiage in the guide almost sounds like a RADIUS attribute is needed for the phones to be authorized on the voice domain.

I will try to test this during the upcoming days (when I make it back to the lab) and let you know. In the meantime perhaps someone else can chime in on this...

jan.nielsen Wed, 11/14/2012 - 07:01

I did a test last night with an IP phone, which seems to suggest that the phone can use the regular CDP information to figure out what VLAN to tag its traffic with, even when dot1x is enabled. I am doing further testing tonight to see if an authorization session is created in the voice VLAN on the switch, and if traffic is allowed even though I have not sent the class voice attribute from ISE.

jsteffensen Wed, 12/11/2013 - 07:53

Hi

Any news on this issue?

We have the same problem. The voice tag isn't being negotiated using CDP when 802.1X is enabled, and the RADIUS result from ISE is Access-Permit.

I don't really know if Cisco has really thought through Monitor Mode thoroughly for the combination of Voice and Data VLANs...

Any kind of authentication - Successful or Failed - is an option for both clients in the Data VLAN and the Voice VLAN.

When CDP does not help us out on the switch, we don't see how ISE should send the Voice-Tag when the devices cannot be differentiated (because the authentication failed).

In addition, we have configured the ISE Authentication Policies to result in "DROP" if the authentication fails.

By this "trick" we were hoping that the devices would end up in the different critical VLANs (voice and data).

Unfortunately, we haven't found any working solution yet.

Greetings

Jarle
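For reference, here is the kind of Catalyst port configuration the thread is discussing: an 802.1X/MAB port in open (monitor) mode, in multi-domain host mode, with a separate voice VLAN. This is an added example written for this page, not configuration posted by any participant; the interface name, VLAN IDs and RADIUS server address are placeholders.

```ios
! Added example: monitor mode port for one phone (voice domain) and one PC (data domain).
! VLAN IDs, interface name and RADIUS server details are constructed placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <ISE-SHARED-SECRET>
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Monitor mode: IP phone + PC behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! multi-domain: exactly one host in the DATA domain and one in the VOICE domain
 authentication host-mode multi-domain
 ! open mode: DATA-domain traffic is forwarded before, and even without, a
 ! successful authentication, so failed PCs show up in ISE logs but are not blocked
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 ! The VOICE domain is the exception the thread is about: CDP still tells the phone
 ! which VLAN to tag, but the switch only forwards that tagged traffic once ISE has
 ! authorized the phone into the voice domain by returning the attribute
 !   cisco-av-pair = device-traffic-class=voice
 ! ("Voice Domain Permission" in the ISE authorization profile).
```

To check the outcome on the switch, `show authentication sessions interface GigabitEthernet1/0/1 details` lists each session with its domain (DATA or VOICE); a phone that has not received the voice attribute will not appear in the VOICE domain even though the port is open.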
