Cisco IP Phone MAB
This article shows you how to use Cisco Catalyst 3850 switch working with Cisco ISE to perform simple 802.1x MAB access. The following devices will be used:
CUCM : 11.5
ISE: 2.6
C3850 switch
IP phone 7965
Commands to enable Radius on switch
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa server radius dynamic-author
client ISE_IP server-key cisco
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host ISE_IP
radius-server key cisco
radius-server vsa send authentication
!
2. default acl given to interface
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark TFTP
permit udp any any eq tftp
deny ip any any
IP Phone interface configuration:
interface GigabitEthernet1/0/25
switchport access vlan 77
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 99
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
spanning-tree portfast
Go to Cisco ISE and add MAC address of the ip phone to specific identity group
Create a download ACL which allows all traffic for authorization:
Create an authorization profile to specify download ACL and a VLAN id
![Machine generated alternative text:
Identity Services Engine
CISCO
Home
Context Visibility Operations
Administration
Work Centers
Policy Sets
Dictionaries
Profiling Posture Client Provisioning
Policy Elements
Conditions
Results
O
Authentication
Allowed Protocols
Authorization
Authorization Profiles
Downloadable ACLs
Profiling
Posture
Client Provisioning
Authorization Profiles > WIab-IP Phones
Authorization Profile
* Name
Description
* Access Type
Network Device Profile
Service Template
Track Movement
Passive Identity Tracking
Common Tasks
Z] DACL Name
D IPv6 DACL Name
ACL (Filter-ID)
WIab-IP Phones
ACCESS ACCEPT
..l l" Cisco
WLAB-DACL](https://lh4.googleusercontent.com/Re5_8Zn0kFWggBdnhYZJHSz75d6KBB-VEUP7d_OuyML4vnLaIilRNO3pMXVkiBJiem5fUIVoTKvuMI78bLT3POgmHvQI7xrT9CnjYQy4YWdPJuaiiLZoy6o36qTi9yvwyRl8OxqLZbPr3bJ99g)
7 . There is already a default allow MAB rule in authentication, create a rule in authorization grant the previous created profile:
Verify :
#show authentication sessions interface g1/0/25 details
Interface: GigabitEthernet1/0/25
IIF-ID: 0x1075900000000A9
MAC Address: 188b.xxxx.xxxx
IPv6 Address: Unknown
IPv4 Address: 172.88.88.194
User-Name: 18-8B-45-19-94-45
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC6363020000105906ED094A
Acct Session ID: 0x00001069
Handle: 0x0D00002A
Current Policy: POLICY_Gi1/0/25
Server Policies:
Vlan Group: Vlan: 88
ACS ACL: xACSACLx-IP-WLAB-DACL-5f6e6282
Method status list:
Method State
mab Authc Success
