ISE is standalone.
I have a number of Cisco IP phones profiled by DHCP probe and sitting in the Endpoint Identity Group "Cisco-IP-Phone" (dynamic not static).
However when this is used in an Authorization Policy it never matches.
Just a basic Policy:
if Cisco-IP-Phone (no conditions) then Cisco_IP_Phones ......no match.
I can change Identity group to ANY and it works.
Sure i must be misssing something but I've gone round and round with this.
Tried deleting enpoints and allowing them to repopulate....failed.
Tried changing endpoints to static with no luck.
Noticed the "Cisco-IP-Phone" group is under the "Profiled" group so tried using that in the policy....no change.
Whatever i've tried just ends with the Authz going to the "Default" policy.
This is pretty straight forward and should work the way you expect it. Have you confirmed that the phone is not hitting some rule above the one that you have configured?
If possible paste the following:
1. Screen shot of your policy/policy sets
2. Screen shot of the authentication from ISE
3. Output from the following command on the switch: show authentication session interface interface_name_number (this is the interface where the phone is connecting)
Hi Sorry for the delay.
Can't get access to the access switch at the moment but all is reported as being ok. dot1x authentication in data domain (no voice vlan in use).
I've attached some screens from the ISE.
01 shows phones picked up by profiler (dhcp).
02 shows phones profiled into "cisco-ip-phone" group.
03 is the authentication policy in use.
04 is the authorization policy (all except default set to monitor)
05 is the authn/authz completing.
06 is details for the phone mac ending 5490. To my eye shows the "any" policy firing on monitor and succeding on the "default"?
11, 12 and 13 are the same again except with all the authz policies enabled. 13 just seems to show the "any" rule succeding as expected.
Still cannot understand why the "Cisco-IP-Phone" group is just bypassing? Especially as these are just the default rules that already exist in the ISE out of the box!
Thank you for providing the detailed information. The problem is not with profiling as that appears to be working as expected. I believe that the issue is with your authentication policy. Looking at screen shot #2 you don't have a single policy that is enabled to allow a phone to authenticate via MAB. All of your MAB policies are showing as "disabled." The default policy is set to only use Internal Users as its Identity Store and phones won't be store there. You authorization policies look OK so I would suggest you try the following:
1. Enable the top authentication rule called "MAB"
2. Confirm that "Allow PAP/ASCII" and "Detect PAP as Host Lookup" are enabled under the Allowed Protocols
3. Ensure that "Internal Endpoints" is selected for the Identity Store
4. Test again
Thank you for rating helpful posts!
I also noticed one more thing on screenshot #6. It looks like the phone hit your "dot1x_Certs" rule. According to your authentication policies in screenshot #3 the only way "dot1x_Certs" should be hit is when the device/user is using "Wired_802.1x" Thus, you need to confirm if this phone is configured to use 802.1x or not. By default the phone would use MAB and not 802.1x.
Hi, I've taken a look at the attribute you mentioned. Afraid i don't understand how you mean I should implement it?
Far as i can see all it would do is raise the certainty factor and move the endpoint into a child profiling policy i.e from "Cisco-IP-Phone" to "Cisco-IP-Phone -> Cisco-IP-Phone-8961".
The current Authz Policy should fire on any Identity (Cisco-IP-Phone) or child identity beneath it?