topic Hi Scott, Use cli to in Network Security

ASA Client-ID and DHCP question

scott.bridges — Tue, 12 Mar 2019 06:36:11 GMT

Hello,

I have an ASA whose Outside interface is obtaining DHCP IP & Default Gateway. When I look at the DHCP Client Lease Information I see: Client-ID: cisco-xxxx.xxxx.xxxx-outside-HOSTNAME where x=MAC and HOSTNAME=configured ASA hostname.

I am trying to change this to a standard MAC response response only. I have the following configuration:
!
interface GigabitEthernet0/0
mac-address aaaa.bbbb.cccc
nameif outside
security-level 0
ip address dhcp setroute
!
dhcp-client client-id interface outside
!

But I am still sending the same Client-ID.

Any ideas how to make this feature work? I understand the "cisco-xxx..." Client-ID is default with ASA's, but I also understand you can change it...

Thanks

Hi Scott,This command seems

Rishabh Seth — Wed, 16 Sep 2015 10:48:15 GMT

Hi Scott,

This command seems to work fine on 9.5.1 version, what version are you using on your ASA?

Thanks,

R.Seth

Apologies,ASA 5505 running 9

scott.bridges — Thu, 17 Sep 2015 11:17:07 GMT

Apologies,

ASA 5505 running 9.1(6)8

The latest software I see posted is 9.2.4. Are you running the new X series for 9.5.1?

I'll try upgrading to 9.2.4.

Hi Scott,The mac address is

Rishabh Seth — Thu, 17 Sep 2015 12:46:45 GMT

Hi Scott,

The mac address is sent to the DHCP server with dhcp-client client-id interface <int-name> command on version 9.1(6)8 as well.

>> You can confirm if the ASA is sending the MAC address as the clinet id, by applying capture on the ASA for dhcp traffic and view the capture in wireshark and verify the client id in the packet.

>> Probably you should check the dhcp server as well.

What device is used as the dhcp server?

Thanks,

R.Seth

Hi Seth,What is the best way

scott.bridges — Thu, 17 Sep 2015 13:13:17 GMT

Hi Seth,

What is the best way to setup this type of capture on the ASA as far as sequence of events? I'm assuming since I'm coming from the Inside interface, I should:

1: remove "ip address dhcp setroute"
2: shutdown Gi0/0 (Outside)
3: setup packet capture via wizard
4: add "ip address dhcp setroute" to Gi0/0
5: no shutdown Gi0/0

Also, just to clarify with your configuration: Which Client-ID format is your ASA sending?
1: cisco-aaaa.bbbb.cccc-outside-HOSTNAME
or
2: aaaa.bbbb.cccc

My goal is to achieve option 2. My understanding is that if I set the "mac-address" option on Gi0/0 followed by "dhcp-client client-id interface outside" in global, option 2 should be the result.

Thanks again for your help

Edit: Also, I believe the DHCP server is Windows 2008, but not 100%

Hi Scott, Use cli to

Rishabh Seth — Thu, 17 Sep 2015 13:20:10 GMT

Hi Scott,

Use cli to configure captures:

cap capi interface inside match udp an an eq bootpc
cap capi interface inside match udp an an eq bootps

Export captures using:

https://asaIP/capture/capi/pcap

Note: http server should be enabled on the ASA.

>> After exporting caputre, disable captures using: no cap capi

ASA is sending the client id as:aaaa.bbbb.cccc when client id is configured.

If there nothing specified then client id is seen as: cisco-aaaa.bbbb.cccc-outside-HOSTNAME.

>> I am using another ASA as a dhcp server.

Thanks,

R.Seth

Hi Seth,Thanks for these CLI

scott.bridges — Thu, 17 Sep 2015 15:58:44 GMT

Hi Seth,

Thanks for these CLI instructions. Very cool and didn't know about the simplicity of the CLI and URL.

I ended up having to Shut/No Shut Gi0/0 (Outside) in order to produce a DHCP Request.

Within the DHCP Request I see:
Option 61: Client Identifier
Client MAC address: Transiti_aa:bb:cc (aa:aa:bb:bb:cc:cc)
Option 12: Host Name
Host Name: My-Device-Hostname

Along with other standard DHCP options. These are the two I see as most relevant.

Yet when I open up ASDM, go to Monitoring, DHCP, DHCP Client Leasing Information, I still see the same "cisco-aa.bb...." Client-ID as before.

Could this be because I merely shut/noshut Gi0/0 and didn't give it enough time to timeout the lease? Any idea on how to force the DHCP Server to renew (assuming this is the issue)?

Thank you

Hi Scott, >> Client ID that

Rishabh Seth — Thu, 17 Sep 2015 17:06:09 GMT

Hi Scott,

>> Client ID that you see on the ASDM under client-lease information is something local to ASA and not being sent to the other device.

>> What other device will see is decided in the interface configuration where you can specify the mac address to be used for client-id. Default option is Client-ID: cisco-xxxx.xxxx.xxxx-outside-HOSTNAME but one can change it to only MAC.

>> From the captures it is clear that your dhcp server will be getting only MAC address as the client-id identifier.

Hope it helps!!!

Thanks,

R.Seth

Don't forget to mark correct answer, if your queries are answered.!!!!

Hi Seth,Thank you for

scott.bridges — Thu, 17 Sep 2015 17:28:18 GMT

Hi Seth,

Thank you for clarifying that what I see in ASDM isn't exactly what is being sent to DHCP Server. I wish they would fix/change this!

Thank you for your help!