ISE MAB with Aastra 5370ip (no LLDP or CDP)

Hi guys,


We are using Aastra IP phones, which don't support LLDP or CDP. The phones connect to a user subnet for FTP download of the config. After the config is installed, the phone puts voice traffic in VLAN 40.

How can I make a MAB policy that allows the phone onto the user VLAN for config, and afterwards ISE makes a CoA and puts the phone onto VLAN 40? If I put the phone directly in VLAN 40 via the AuthZ policy, it doesn't get an IP address, since the traffic should be tagged to VLAN 40.


My 802.1x deployment is stuck, until I find a workaround!


Br,

Michael  

2 Replies

michoudi (Level 1)
Create a MAB AuthZ policy that matches the vendor MAC address to place the phone into the user VLAN. Include 802.1x configuration in the phone config that is downloaded. Then create an 802.1x AuthZ policy for phones that have been configured that puts them on your voice VLAN. Unconfigured phones will match MAB and go into the user VLAN; configured phones will match the 802.1x policy and go into the voice VLAN.

If the switchport's authentication priority and order are 802.1x first, you won't even need to do CoA. The switchport will see that the phone is now trying to authenticate with 802.1x and re-authenticate it.
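An added illustration of the switchport side of this answer (not from the original thread or from Cisco/Aastra documentation): a classic IOS access-port configuration with dot1x ordered and prioritised ahead of MAB, multi-domain host mode so the same port can carry one data and one voice device, and server-driven re-authentication so the phone is re-evaluated once it starts sending EAPOL. VLAN 10, the interface name, and the ISE profile names in the comments are assumptions; the ISE policies themselves are built in the GUI and are only sketched here.

```cisco
! Assumed interface and data VLAN; voice VLAN 40 is from the thread.
interface GigabitEthernet1/0/10
 description Aastra 5370ip (no CDP/LLDP)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 40
 ! One data + one voice client on the port; the phone moves domains after dot1x.
 authentication host-mode multi-domain
 ! dot1x is tried and preferred first; an unconfigured phone times out to MAB.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Let ISE drive re-authentication (Session-Timeout) so CoA is not required.
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! Short EAPOL wait so a phone with no supplicant config reaches MAB quickly.
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! ISE side (assumed names, configured in the GUI, not on the switch):
!  Rule "Aastra-Unconfigured-MAB": MAB and Calling-Station-ID starts with
!    the phones' OUI (placeholder XX:XX:XX)  -> profile returning VLAN 10
!    (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=10).
!  Rule "Aastra-Configured-Dot1x": 802.1x success for the phone identity
!    -> profile returning the voice domain permission
!    (cisco-av-pair = device-traffic-class=voice), which places the phone
!    in the configured voice VLAN 40 rather than re-assigning the data VLAN.
```

Returning the voice-domain attribute instead of a VLAN number keeps the phone's tagged VLAN 40 traffic matching the port's `switchport voice vlan`, which is the failure the original poster saw when VLAN 40 was pushed as a data VLAN.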

It sounds like a solution that will work. The phones support dot1x, so I'll have to go into the configs and test.
