topic Re: Cisco IP Phone Authentication on ISE 2.3 using MD5 on HPE Comware switch in Network Access Control

Cisco IP Phone Authentication on ISE 2.3 using MD5 on HPE Comware switch

B. BELHADJ — Thu, 10 Aug 2017 05:06:46 GMT

Dear all

I have a new behavior with ISE and HPE Comware swicth when trying to authenticate Cisco IP Phone on the network using MD5.

I configured Authorization Profile named "VLANTOIP" with these attributes:

Access Type = ACCESS_ACCEPT

Egress-VLAN-Name = 1:VLAN-TOIP

H3C_AV_PAIR = device-traffic-class=voice

Tunnel-Medium-Type = 1:6 // This line is translated in ISE to indicate 802

Tunnel-Type = 1:13 // This line is translated in ISE to indicateVLAN

All other Authentication policies and Authorization Policies configuration are correct.

When the Phone try to access to the network, it is rejected by the AUthorization Profile and ISE says:

15039 Rejected per authorization profile

Selected Authorization Profile contains ACCESS_REJECT attribute

Authorization profile/s specified are not suited for this Network Access Device

The same configuration in ACS 5.8.1.4 is working fine!

My question is:

1. Why this configuration works with ACS and not with ISE?
2. Why when I change the "H3C_AV_PAIR = device-traffic-class=voice" attribute to "cisco-av-pair = device-traffic-class=voice" and "Egress-VLAN-Name = 1:VLAN-TOIP" to "Tunnel-Private-Group-ID = 1:VLAN-TOIP" the IP Phone can access the network without issue?

Any reply will be appreciated!

Best regard

Re: Cisco IP Phone Authentication on ISE 2.3 using MD5 on HPE Comware switch

paul — Thu, 10 Aug 2017 12:24:20 GMT

I haven't worked with non-Cisco switches before so this is just a guess. In your Network Device definition of the switch did you set it to an HP device profile? That is the only spot I can think of that ISE would have awareness of the type of NAD device.

Re: Cisco IP Phone Authentication on ISE 2.3 using MD5 on HPE Comware switch

B. BELHADJ — Fri, 11 Aug 2017 12:54:45 GMT

Hi paul@berbee

Thank you for your reply. It was helpeful.

The issue was not in the NAD profile (I can choose every profile).

It was an issu on the Authorization Profile that I created with HPWired Profile. Because this is a Comware OS, i chosen Any as "Network Device Profile" in the Authorization Profile and it worked well.

But the necessary attributes must be added in the "Advanced Attributes Settings".

Best regards

Re: Cisco IP Phone Authentication on ISE 2.3 using MD5 on HPE Comware switch

hslai — Sat, 12 Aug 2017 04:42:34 GMT

I am not finding H3C_AV_PAIR attribute in ISE. If you imported it or modified an existing RADIUS vendor dictionary, please provide a copy.

Is HPWired selected as the NAD profile in the NAD definition for this switch?

I've not been able to see "Rejected per authorization profile". Instead, HP:Egress-VLAN-Name is not showing up if I enabled "Allow Tagging"; HP:Egress-VLAN-Name is showing up if disabled "Allow Tagging" but not properly, either:

	Egress-VLAN-Name = "1:VLAN-TOIP"
	Tunnel-Type:1 = VLAN
	Tunnel-Medium-Type:1 = IEEE-802

BTW, is your ISE 2.3 upgraded from a previous release? Did you use the migration tool to import ACS 5.8 data to ISE?

Re: Cisco IP Phone Authentication on ISE 2.3 using MD5 on HPE Comware switch

Craig Hyps — Mon, 14 Aug 2017 19:49:19 GMT

It is critical that the Authorization Profile be set to 'Any' or to specific NAD Profile AND that the intended matching Authorization Policy Rule includes reference to the Authorization Profile which has been flagged as Any or Specific Profile name. Otherwise, the rule may match, but will not find a compatible NAD profile.

Realize that you can overload the Permissions list with multiple AuthZ Profiles such that it can match NAD Profile for Cisco OR HP or Any. Typically 'Any' would be used as a single entry versus multiple listing for specific NAD profiles.

/Craig

Re: Cisco IP Phone Authentication on ISE 2.3 using MD5 on HPE Comware switch

B. BELHADJ — Wed, 16 Aug 2017 07:56:46 GMT

Hello Hslai

Yes the H3C_AV_PAIR attribute is a modified attribute in ISE (previously added to the ACS 5.8.1.4 configuration). In attachment a capture for that.

Yes HPWired is selected as the NAD profile in the NAD definition for this switch but you can choose another one.

As I mentioned previously the issue was in the Profile defined in the "Network Device Profile" in the Authorization Profile. Because the switch uses the Comware OS I choosed Any in the Profile.

BTW, is your ISE 2.3 upgraded from a previous release? Did you use the migration tool to import ACS 5.8 data to ISE?

==> Yes

Re: Cisco IP Phone Authentication on ISE 2.3 using MD5 on HPE Comware switch

Craig Hyps — Wed, 16 Aug 2017 12:01:24 GMT

If the HPWired profile does not match the requirements for Comware based model, then duplicate or create new profile and make necessary changes such as RADIUS dictionaries, CoA settings etc. Any option is a bit more flexible for handling multiple NAD profiles, but will be limited in what it offers in Common tasks.

If it is matching the correct AuthZ policy rule and AuthZ Profile and still failing, then may be issue with the attributes itself. I would try returning same attribute in a simple policy for a Cisco device and see if it returns same error.

Again, make sure the NAD Profile includes the RADIUS dictionary that holds special attribute for vendor-specific NAD profile.

Re: Cisco IP Phone Authentication on ISE 2.3 using MD5 on HPE Comware switch

B. BELHADJ — Wed, 16 Aug 2017 17:50:49 GMT

Hello Chyps

I have already resolved the issue. Please refer to my previous comments.

Best regards