Cisco Support Community
Community Member

ISE Profiled devices not being used in authz policy.

ISE is standalone.

ver 1.2

Eval license.

I have a number of Cisco IP phones profiled by DHCP probe and sitting in the Endpoint Identity Group "Cisco-IP-Phone" (dynamic not static).

However when this is used in an Authorization Policy it never matches.

Just a basic Policy:

If Cisco-IP-Phone (no conditions) then Cisco_IP_Phones ... no match.

I can change Identity group to ANY and it works.

Sure I must be missing something, but I've gone round and round with this.

Tried deleting endpoints and allowing them to repopulate ... failed.

Tried changing endpoints to static with no luck.

Noticed the "Cisco-IP-Phone" group is under the "Profiled" group, so tried using that in the policy ... no change.

Whatever I've tried just ends with the Authz going to the "Default" policy.

8 REPLIES
Cisco Employee

This is pretty straight forward and should work the way you expect it to. Have you confirmed that the phone is not hitting some rule above the one that you have configured?

If possible paste the following:

1. Screen shot of your policy/policy sets

2. Screen shot of the authentication from ISE

3. Output from the following command on the switch: show authentication session interface interface_name_number (this is the interface where the phone is connecting)

Community Member

Hi, thanks for getting back to me. I'll get these details as soon as I can get back on the kit.

Community Member

Hi, sorry for the delay.

Can't get access to the access switch at the moment, but all is reported as being OK. dot1x authentication in data domain (no voice VLAN in use).

I've attached some screens from the ISE.

01 shows phones picked up by profiler (DHCP).

02 shows phones profiled into the "Cisco-IP-Phone" group.

03 is the authentication policy in use.

04 is the authorization policy (all except default set to monitor).

05 is the authn/authz completing.

06 is details for the phone MAC ending 5490. To my eye it shows the "any" policy firing on monitor and succeeding on the "default"?

11, 12 and 13 are the same again except with all the authz policies enabled. 13 just seems to show the "any" rule succeeding as expected.

Still cannot understand why the "Cisco-IP-Phone" group is just being bypassed? Especially as these are just the default rules that already exist in ISE out of the box!

Cisco Employee

Thank you for providing the detailed information. The problem is not with profiling, as that appears to be working as expected. I believe that the issue is with your authentication policy. Looking at screen shot #2 you don't have a single policy that is enabled to allow a phone to authenticate via MAB. All of your MAB policies are showing as "disabled." The default policy is set to only use Internal Users as its Identity Store, and phones won't be stored there. Your authorization policies look OK, so I would suggest you try the following:

1. Enable the top authentication rule called "MAB"

2. Confirm that "Allow PAP/ASCII" and "Detect PAP as Host Lookup" are enabled under the Allowed Protocols

3. Ensure that "Internal Endpoints" is selected for the Identity Store

4. Test again

Thank you for rating helpful posts!

Cisco Employee

I also noticed one more thing on screenshot #6. It looks like the phone hit your "dot1x_Certs" rule. According to your authentication policies in screenshot #3, the only way "dot1x_Certs" should be hit is when the device/user is using "Wired_802.1x". Thus, you need to confirm whether this phone is configured to use 802.1x or not. By default the phone would use MAB and not 802.1x.

Cisco Employee

Have you tried with the "cdpCachePlatform" attribute?

Community Member

Thanks for the reply.

Though I'll have to go away and look that up :-)


Community Member

Hi, I've taken a look at the attribute you mentioned. Afraid I don't understand how you mean I should implement it?

As far as I can see, all it would do is raise the certainty factor and move the endpoint into a child profiling policy, i.e. from "Cisco-IP-Phone" to "Cisco-IP-Phone -> Cisco-IP-Phone-8961".

The current Authz Policy should fire on any Identity (Cisco-IP-Phone) or child identity beneath it?
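As an added illustration of the first-match evaluation discussed in this thread (a simplified model written for this thread, not ISE's own code; the rule names, MAC address, identity stores and group hierarchy are constructed from the screenshots described above): the authentication rule that is hit decides which identity store is consulted, so a disabled MAB rule sends the phone to the default rule and an Internal Users lookup that cannot find it, while an authorization rule on "Cisco-IP-Phone" also covers a child group such as "Cisco-IP-Phone-8961".

```python
# Simplified model of ISE first-match policy evaluation (constructed; not ISE code).
from dataclasses import dataclass

# Endpoint identity-group hierarchy as described in the thread (constructed).
GROUP_PARENT = {
    "Cisco-IP-Phone-8961": "Cisco-IP-Phone",
    "Cisco-IP-Phone": "Profiled",
}

def group_matches(endpoint_group, rule_group):
    """True if the endpoint's group is rule_group or any child beneath it."""
    g = endpoint_group
    while g is not None:
        if g == rule_group:
            return True
        g = GROUP_PARENT.get(g)
    return False

@dataclass
class AuthnRule:
    name: str
    condition: str   # "Wired_MAB", "Wired_802.1X" or "ANY" (default rule)
    id_store: str    # "Internal Endpoints" or "Internal Users"
    enabled: bool = True

def authenticate(rules, method, mac, stores):
    """Top-down: the first *enabled* rule whose condition fits the access
    method wins, and only that rule's identity store is consulted."""
    for r in rules:
        if r.enabled and r.condition in ("ANY", method):
            return r.name, mac in stores.get(r.id_store, set())
    return None, False

def authorize(rules, endpoint_group):
    """First rule whose identity group (or a parent of it) matches wins."""
    for name, rule_group in rules:
        if rule_group == "ANY" or group_matches(endpoint_group, rule_group):
            return name
    return "Default"

# Constructed sample: a phone profiled into a child group of Cisco-IP-Phone.
PHONE_MAC = "00:11:22:33:54:90"
STORES = {"Internal Endpoints": {PHONE_MAC}, "Internal Users": set()}
AUTHN_RULES = [
    AuthnRule("MAB", "Wired_MAB", "Internal Endpoints", enabled=False),
    AuthnRule("dot1x_Certs", "Wired_802.1X", "Internal Endpoints"),
    AuthnRule("Default", "ANY", "Internal Users"),
]
AUTHZ_RULES = [("Cisco_IP_Phones", "Cisco-IP-Phone"), ("Basic_Access", "ANY")]
```

With the MAB rule disabled, `authenticate(AUTHN_RULES, "Wired_MAB", PHONE_MAC, STORES)` returns ("Default", False); enabling it returns ("MAB", True), after which `authorize` matches the phone's child group against "Cisco_IP_Phones".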
