3560CX Radius packets to ISE do not contain VSAs learned from CDP or LLDP. ISE not profiling correctly. Using MAB.

jawesterholm
Level 1

I have a daisy-chained 7965 phone and a laptop.  Laptop dot1x is functional.  The phone will not authorize correctly in ISE; it is being profiled as a 'Cisco-Device'.  When reviewing the log in ISE, no CDP or LLDP information is being provided.  Switch configs are:

Cisco IOS Software, C3560CX Software (C3560CX-UNIVERSALK9-M), Version 15.2(6)E1, RELEASE SOFTWARE (fc4)

aaa new-model
!
!
aaa group server tacacs+ BORAAAservers
server name BORAAAserver1
server name BORAAAserver2
!
aaa group server radius BORISE
server name IBR5LCRLXISE01R
server name IBR5DENLXISE01R
ip radius source-interface Vlan99
!
aaa authentication login BORNet group BORAAAservers local
aaa authentication dot1x default group radius
aaa authorization exec BORNet group BORAAAservers if-authenticated
aaa authorization commands 15 BORNet group BORAAAservers if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec BORNet start-stop group BORAAAservers
aaa accounting commands 15 BORNet start-stop group BORAAAservers
aaa accounting network BORNet start-stop group BORAAAservers
aaa accounting connection BORNet start-stop group BORAAAservers
aaa accounting system default start-stop group BORAAAservers
!
aaa server radius dynamic-author
client 140.216.20.193 server-key 7 xxx
client 140.215.24.14 server-key 7 xxx
!

device-sensor accounting
device-sensor notify all-changes

access-session template monitor
epm logging

lldp run
interface GigabitEthernet0/1
description GPR-Users
switchport access vlan 105
switchport mode access
switchport voice vlan 205
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication event server dead action reinitialize vlan 105
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos voip cisco-phone
spanning-tree portfast edge
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip device tracking

logging origin-id ip
logging facility local1
logging source-interface Vlan99
logging host 140.215.27.38
logging host 140.219.22.2
logging host 140.216.20.193 transport udp port 20514
logging host 140.215.24.14 transport udp port 20514
snmp-server group ise-group v3 auth

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf
radius-server dead-criteria time 5 tries 3
radius server IBR5LCRLXISE01R
address ipv4 140.216.20.193 auth-port 1812 acct-port 1813
key 7 xxx
!
radius server IBR5DENLXISE01R
address ipv4 140.215.24.14 auth-port 1812 acct-port 1813
key 7 xxx

----------------------------------------------

Show device-sensor cache int gig 0/1:

Device: 7cad.7421.eec0 on port GigabitEthernet0/1
--------------------------------------------------
Proto Type:Name                      Len Value
LLDP  8:management-address            14 10 0C 05 01 8C DB CD 9F 01 00 00 00 00 00
LLDP  0:end-of-lldpdu                  2 00 00
LLDP  127:organizationally-specific    6 FE 04 00 12 BB 0B
LLDP  7:system-capabilities            6 0E 04 00 24 00 24
LLDP  6:system-description            46 0C 2C 43 69 73 63 6F 20 49 50 20 50 68 6F 6E 65 20 37 39 36 35 47 2C 56 31 31 2C 20 53 43 43 50 34 35 2E 39 2D 34 2D 32 53 52 33 2D 31 53
LLDP  5:system-name                   29 0A 1B 53 45 50 37 43 41 44 37 34 32 31 45 45 43 30 2E 62 6F 72 2E 64 6F 69 2E 6E 65 74
LLDP  4:port-description               9 08 07 53 57 20 50 4F 52 54
LLDP  3:time-to-live                   4 06 02 00 B4
LLDP  2:port-id                       18 04 10 07 37 43 41 44 37 34 32 31 45 45 43 30 3A 50 31
LLDP  1:chassis-id                     8 02 06 05 01 8C DB CD 9F
CDP   2:address-type                  17 00 02 00 11 00 00 00 01 01 01 CC 00 04 8C DB CD 9F
CDP   16:power-type                    6 00 10 00 06 2E E0
CDP   11:duplex-type                   5 00 0B 00 05 01
CDP   25:power-request-type           12 00 19 00 0C EE C0 00 03 00 00 2E E0
CDP   28:secondport-status-type        7 00 1C 00 07 00 01 83
CDP   6:platform-type                 23 00 06 00 17 43 69 73 63 6F 20 49 50 20 50 68 6F 6E 65 20 37 39 36 35
CDP   5:version-type                  22 00 05 00 16 53 43 43 50 34 35 2E 39 2D 34 2D 32 53 52 33 2D 31 53
CDP   4:capabilities-type              8 00 04 00 08 00 00 04 90
CDP   3:port-id-type                  10 00 03 00 0A 50 6F 72 74 20 31
CDP   1:device-name                   19 00 01 00 13 53 45 50 37 43 41 44 37 34 32 31 45 45 43 30

Debug Radius:

RADIUS(00000000): Send Access-Request to 140.216.20.193:1812 onvrf(0) id 1645/147, len 264
RADIUS: authenticator 7A 4C 52 F6 5E 23 A8 03 - 21 84 89 4A 72 5D F7 48
RADIUS: User-Name [1] 14 "7cad7421eec0"
RADIUS: User-Password [2] 18 *
RADIUS: Service-Type [6] 6 Call Check [10]
RADIUS: Vendor, Cisco [26] 31
RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
RADIUS: Framed-MTU [12] 6 1500
RADIUS: Called-Station-Id [30] 19 "70-0B-4F-22-C8-81"
RADIUS: Calling-Station-Id [31] 19 "7C-AD-74-21-EE-C0"
RADIUS: Message-Authenticato[80] 18
RADIUS: 49 6E F7 0C 4A D9 C6 5E 4F C2 8A FB 49 F0 92 54 [ InJ^OIT]
RADIUS: EAP-Key-Name [102] 2 *
RADIUS: Vendor, Cisco [26] 49
RADIUS: Cisco AVpair [1] 43 "audit-session-id=8CDB63E500000036051DFDC9"
RADIUS: Vendor, Cisco [26] 18
RADIUS: Cisco AVpair [1] 12 "method=mab"
RADIUS: Framed-IP-Address [8] 6 140.219.205.159
RADIUS: NAS-IP-Address [4] 6 140.219.99.229
RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/1"
RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
RADIUS: NAS-Port [5] 6 50101
RADIUS(00000000): Sending a IPv4 Radius Packet
RADIUS(00000000): Started 5 sec timeout

RADIUS: Received from id 1645/147 140.216.20.193:1812, Access-Reject, len 38
Have tried deleting endpoint in ISE, no change.

Attached failure log from ISE
I have seen logs from other people on the web that contain additional VSA attribute 26 sub-types, such as Platform and System Description, which ISE uses to profile as Cisco IP Phone.  I have also added ISE ip helper addresses to the Voice VLAN interface.  No change.
Suggestions?  I have a TAC case open but am getting nowhere with it.
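The device-sensor cache above shows the switch did learn the phone's CDP and LLDP TLVs, while the Access-Request carries only service-type, audit-session-id and method AVpairs. As an added check (not from the post or from Cisco), this Python decodes the raw TLV bytes from the cache rows and scans a "debug radius" dump for the AVpairs device sensor would add; it assumes the cdp-tlv=, lldp-tlv= and dhcp-option= prefixes device sensor uses, and the RADIUS excerpt is constructed from the post's capture.

```python
import re

# Rows copied from the "show device-sensor cache" output in the post above.
CACHE_SAMPLE = """
LLDP 6:system-description 46 0C 2C 43 69 73 63 6F 20 49 50 20 50 68 6F 6E 65 20 37 39 36 35 47 2C 56 31 31 2C 20 53 43 43 50 34 35 2E 39 2D 34 2D 32 53 52 33 2D 31 53
CDP 6:platform-type 23 00 06 00 17 43 69 73 63 6F 20 49 50 20 50 68 6F 6E 65 20 37 39 36 35
CDP 5:version-type 22 00 05 00 16 53 43 43 50 34 35 2E 39 2D 34 2D 32 53 52 33 2D 31 53
"""
# Constructed excerpt of the post's "debug radius" Access-Request (AVpairs only).
RADIUS_SAMPLE = """
RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
RADIUS: Cisco AVpair [1] 43 "audit-session-id=8CDB63E500000036051DFDC9"
RADIUS: Cisco AVpair [1] 12 "method=mab"
"""
ROW_RE = re.compile(r"^(CDP|LLDP)\s+(\d+):(\S+)\s+(\d+)\s+((?:[0-9A-Fa-f]{2}\s*)+)$")
SENSOR_PREFIXES = ("cdp-tlv=", "lldp-tlv=", "dhcp-option=")  # assumed device-sensor AVpair names

def decode_tlv(proto, hexstr):
    """(type, value) for one row. CDP: 2-byte type + 2-byte length counting the
    header. LLDP: 7-bit type + 9-bit length in 2 bytes, counting the value only."""
    raw = bytes.fromhex(hexstr)
    if proto == "CDP":
        tlv_type, length = int.from_bytes(raw[:2], "big"), int.from_bytes(raw[2:4], "big")
        if length != len(raw):
            raise ValueError(f"CDP length {length} != {len(raw)} bytes")
        return tlv_type, raw[4:]
    header = int.from_bytes(raw[:2], "big")
    tlv_type, length = header >> 9, header & 0x1FF
    if length != len(raw) - 2:
        raise ValueError(f"LLDP length {length} != {len(raw) - 2} bytes")
    return tlv_type, raw[2:]

def parse_cache(text):
    """Map 'PROTO/name' -> decoded value, cross-checking the Type column against the header."""
    out = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip the Device:/header/separator rows
        proto, type_no, name, declared, hexstr = m.groups()
        tlv_type, value = decode_tlv(proto, hexstr)
        if tlv_type != int(type_no):
            raise ValueError(f"{proto}/{name}: header type {tlv_type} != {type_no}")
        out[f"{proto}/{name}"] = value.decode("ascii", "replace")
    return out

def sensor_avpairs(debug_text):
    """Cisco AVpairs in a 'debug radius' dump that carry device-sensor TLVs."""
    pairs = re.findall(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"', debug_text)
    return [p for p in pairs if p.startswith(SENSOR_PREFIXES)]
```

An empty list from sensor_avpairs on a capture means the switch sent nothing for ISE to profile on, which is what the post's Access-Request shows.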

16 Replies

Peter Koltl
Level 7

I was surprised too, but our Cat3850s with IBNS2 syntax send CDP, LLDP TLV info in Access-Request packets (i.e. authC requests, not Accounting requests) and ISE processes and logs them.

Justin Walker
Level 4

I know it's an old post but I had the same issues.   Cisco Catalyst 3560-CX on IBNS 2.0 w/ Device Sensor and ISE 2.4.   No device sensor info was being sent in accounting messages.

I downgraded code to the specific release requested by the compatibility matrix, same issues.  I upgraded to the 152-4.E7 starred release, bingo, everything starts profiling right after the code update reboot.  Packet captures confirmed additional VSAs in the accounting messages after the code upgrade.
