4642 Views | 10 Helpful | 7 Replies

ISE Profiling issue Cisco IP Phones

BrianPersaud
Spotlight

Hi All

I'm having some issues with ISE profiling Cisco IP Phones correctly. I set up an authorization policy to allow any Cisco IP Phone on the network. However, the policy is not getting any hits because the IP phones are being detected as Cisco-Device and the deny rule is being used instead. It used the RADIUS probe to determine the endpoint classification.

I followed the Cisco Profiling guide and set up the DHCP probe, which includes the ip helper address on the SVI. I can confirm that ISE is getting copies of the DHCP requests, as ISE is now populated with quite a few endpoints on the network. Additionally, I did a packet capture on the IP phone's port and verified that when it makes the DHCP request, the hardware identifier includes the string that ISE is checking to verify it is a Cisco IP Phone.


If I change the authorization policy to allow the "Cisco-Device" condition, it works and ISE gets all the information for the phone down to the exact model using the DHCP probe. I verified this in the profiler endpoint classification. Additionally, I have the profiling settings configuration set to reauthenticate.

As a workaround, I enabled SNMP query and set the timer to 600 secs (the minimum allowed) to poll the switch. This used CDP to determine that it was an IP phone and allowed it on the network. However, this only polls every 10 mins, which is a significant delay in allowing the device. I also enabled SNMP traps with link up and link down to initiate polling, but this did not seem to help.

Is there a way to create an authorization policy to allow the device on the network temporarily so that it will get all the device profiling info, then once it is verified as a Cisco IP phone to move it to another authorization profile?  Or is there an easier way of doing this?  

I definitely don't want to use MAB and have to manually allow mac addresses.  That's the reason for trying to get the profiling working.


ISE version: 2.4 Patch 9

IOS: 16.6.6 Catalyst 3650


ISE Policy:

If Condition:Endpoints:EndpointPolicy EQUALS Cisco-Device:Cisco-IP-Phone 

Result: Cisco_IP_Phones - Voice VLAN and permit permissions


Switch configs:

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable group radius
aaa authentication dot1x default group radius
aaa authorization exec default local group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius

aaa server radius dynamic-author
client x.x.x.x server-key 7 xxxxxxxxxxx
server-key 7 xxxxxxxxxxx

aaa session-id common

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server ISE01
address ipv4 x.x.x.x auth-port 1812 acct-port 1813
key 7 xxxxxxxxxxxxx


interface GigabitEthernet1/0/1
switchport access vlan 100
switchport mode access
switchport voice vlan 50
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable


IP Phone packet capture:

Frame 6: 594 bytes on wire (4752 bits), 594 bytes captured (4752 bits) on interface 0
Ethernet II, Src: Cisco_a7:0a:2e (34:a8:4e:a7:0a:2e), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
802.1Q Virtual LAN, PRI: 3, DEI: 0, ID: 80
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 68, Dst Port: 67
Dynamic Host Configuration Protocol (Discover)
Message type: Boot Request (1)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x00003198
Seconds elapsed: 0
Bootp flags: 0x8000, Broadcast flag (Broadcast)
Client IP address: 0.0.0.0
Your (client) IP address: 0.0.0.0
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: Cisco_a7:0a:2e (34:a8:4e:a7:0a:2e)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type (Discover)
Option: (61) Client identifier
Option: (12) Host Name
Option: (60) Vendor class identifier
Length: 38
Vendor class identifier: Cisco Systems, Inc. IP Phone CP-7962G
Option: (55) Parameter Request List
Option: (255) End
Padding: 000000000000000000000000000000000000000000000000…


7 Replies

howon
Cisco Employee

Can you confirm that the endpoint details in the context directory include all the information learned from the DHCP probe? Also, for ip helper, it needs to be enabled on the access VLAN 100 for it to work.

Hi, the helper is enabled on both VLANs 100 and 50.


Here is the info from the endpoint classification. The phone was authorized using the "Cisco-Device" authorization profile in this case:


MAC Address: 34:A8:4E:A7:0A:2E
Username: 34-A8-4E-A7-0A-2E
Endpoint Profile: Cisco-IP-Phone-7962
Current IP Address: x.x.x.x
Location: All Locations
General Attributes
Description
Static Assignment false
Endpoint Policy Cisco-IP-Phone-7962
Static Group Assignment false
Identity Group Assignment Cisco-IP-Phone
Custom Attributes: No data found.
Other Attributes
AAA-Server emvise01
AllowedProtocolMatchedRule Default
AuthenticationIdentityStore Internal Endpoints
AuthenticationMethod Lookup
AuthenticationStatus AuthenticationPassed
AuthorizationPolicyMatchedRule CISCO TEST
BYODRegistration Unknown
Called-Station-ID 00-35-1A-EC-15-8D
Calling-Station-ID 34-A8-4E-A7-0A-2E
DTLSSupport Unknown
DestinationIPAddress x.x.x.x
DestinationPort 1812
Device IP Address x.x.x.x
Device Port 1812
Device Type Device Type#All Device Types#SWITCHES
DeviceRegistrationStatus NotRegistered
ElapsedDays 0
EndPointMACAddress 34-A8-4E-A7-0A-2E
EndPointPolicy Cisco-IP-Phone-7962
EndPointProfilerServer ise01.x.x.x.x.local
EndPointSource SNMPQuery Probe
FailureReason -
IPSEC IPSEC#Is IPSEC Device#No
IdentityGroup Cisco-IP-Phone
IdentityPolicyMatchedRule Default
IdentitySelectionMatchedRule Default
InactiveDays 0
IsMachineAuthentication false
IsMachineIdentity false
IsThirdPartyDeviceFlow false
Location Location#All Locations
LogicalProfile IP-Phones
MACAddress 34:A8:4E:A7:0A:2E
MatchedPolicy Cisco-IP-Phone-7962
MessageCode 3002
NADAddress x.x.x.x
NAS-IP-Address x.x.x.x
NAS-Identifier SW01
NAS-Port 50113
NAS-Port-Id GigabitEthernet1/0/11
NAS-Port-Type Ethernet
Network Device Profile Cisco
NetworkDeviceGroups Device Type#All Device Types#SWITCHES, IPSEC#Is IPSEC Device#No, Location#All Locations
NetworkDeviceName SW01
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
NetworkDeviceProfileName Cisco
OUI Cisco Systems, Inc
OriginalUserName 34a84ea70a2e
PolicyVersion 12
PostureApplicable Yes
PostureAssessmentStatus NotApplicable
RadiusFlowType WiredMAB
RadiusPacketType AccessRequest
SelectedAccessService EAP-TLS_PEAP_MAB
SelectedAuthenticationIdentityStores AD, Internal Users, Internal Endpoints, Guest Users, All_AD_Join_Points
SelectedAuthorizationProfiles Cisco_IP_Phones
Service-Type Call Check
StaticAssignment false
StaticGroupAssignment false
StepData 5= DEVICE.Device Type, 7=AD_LOCAL_ISS, 8=AD, 9=AD, 10=34-A8-4E-A7-0A-2E, 11=x.x.x.x.local, 12=x.x.x.x.local, 14=ERROR_NO_SUCH_USER, 15=AD, 16=Internal Users, 19=Internal Endpoints, 25=AD, 26=34-A8-4E-A7-0A-2E, 27=x.x.x.x.local, 28=x.x.x.x.local, 30=ERROR_NO_SUCH_USER, 31=AD, 32= AD.ExternalGroups, 33= EndPoints.EndPointPolicy
Total Certainty Factor 255
UseCase Host Lookup
User-AD-Last-Fetch-Time 1565187107807
User-Fetch-User-Name 34-A8-4E-A7-0A-2E
User-Name 34-A8-4E-A7-0A-2E
UserType Host
allowEasyWiredSession false
cdpCacheAddress x.x.x.x
cdpCacheCapabilities H;P;M
cdpCacheDeviceId SEP34A84EA70A2E
cdpCachePlatform Cisco IP Phone 7962
cdpCacheVersion SCCP42.9-4-2-1S
cdpUndefined28 00:02:00
chaddr 34:a8:4e:a7:0a:2e
ciaddr 0.0.0.0
dhcp-class-identifier Cisco Systems, Inc. IP Phone CP-7962G
dhcp-client-identifier 01:34:a8:4e:a7:0a:2e
dhcp-message-type DHCPREQUEST
dhcp-parameter-request-list 1, 66, 6, 3, 15, 150, 35
dhcp-requested-address x.x.x.x
dot1xAuthAuthControlledPortControl 2
dot1xAuthAuthControlledPortStatus 2
dot1xAuthSessionUserName 34-A8-4E-A7-0A-2E
flags 0x8000
giaddr x.x.x.x
hlen 6
host-name SEP34A84EA70A2E
htype Ethernet (10Mb)
ifDescr GigabitEthernet1/0/13
ifIndex 20
ifOperStatus 1
ip x.x.x.x
op BOOTREQUEST
yiaddr 0.0.0.0


That is odd, since the detail has 'dhcp-class-identifier Cisco Systems, Inc. IP Phone CP-7962G' and the IP Phone policy requires 'Cisco Systems, Inc. IP Phone' in the string, so it should have profiled properly. Are you updating the profiling policy with feed update? If not, I would schedule one during the maintenance window to update the profiling policies.

Here is an example of when I use the Cisco IP phone authorization policy and it failed authentication. Notice that it is just detecting it as a Cisco device. The one I sent previously detected it as a Cisco IP phone because the SNMP query kicked in after 10 mins and profiled it correctly.


MAC Address: 1C:1D:86:C5:A9:6D
Username: 1c1d86c5a96d
Endpoint Profile: Cisco-Device
Current IP Address:
Location: All Locations
General Attributes
Description
Static Assignment false
Endpoint Policy Cisco-Device
Static Group Assignment false
Identity Group Assignment Profiled
Custom Attributes: No data found.
Other Attributes
AAA-Server ise01
AllowedProtocolMatchedRule Default
AuthenticationIdentityStore Internal Endpoints
AuthenticationMethod Lookup
AuthorizationPolicyMatchedRule Default
BYODRegistration Unknown
Calling-Station-ID 1C-1D-86-C5-A9-6D
DTLSSupport Unknown
DestinationIPAddress 10.114.27.123
DestinationPort 1812
Device IP Address 10.114.16.160
Device Port 1812
Device Type Device Type#All Device Types#SWITCHES
DeviceRegistrationStatus NotRegistered
ElapsedDays 0
EndPointMACAddress 1C-1D-86-C5-A9-6D
EndPointPolicy Cisco-Device
EndPointProfilerServer xxxx.domainlocal
EndPointSource RADIUS Probe
FailureReason 15039 Rejected per authorization profile
IPSEC IPSEC#Is IPSEC Device#No
IdentityGroup Profiled
IdentityPolicyMatchedRule Default
IdentitySelectionMatchedRule Default
InactiveDays 0
IsEndpointInRejectMode false
IsMachineIdentity false
IsThirdPartyDeviceFlow false
Location Location#All Locations
MACAddress 1C:1D:86:C5:A9:6D
MatchedPolicy Cisco-Device
MessageCode 5434
NAS-IP-Address 10.114.16.160
NAS-Identifier SW01
NAS-Port 50115
NAS-Port-Id GigabitEthernet1/0/15
NAS-Port-Type Ethernet
Network Device Profile Cisco
NetworkDeviceGroups Device Type#All Device Types#SWITCHES, IPSEC#Is IPSEC Device#No, Location#All Locations
NetworkDeviceName SW01
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
NetworkDeviceProfileName Cisco
OUI Cisco Systems, Inc
OriginalUserName 1c1d86c5a96d
PolicyVersion 12
PostureApplicable Yes
RadiusFlowType WiredMAB
RadiusPacketType AccessRequest
SelectedAccessService EAP-TLS_PEAP_MAB
SelectedAuthenticationIdentityStores AD, Internal Users, Internal Endpoints, Guest Users, All_AD_Join_Points
SelectedAuthorizationProfiles DenyAccess
Service-Type Call Check
StaticAssignment false
StaticGroupAssignment false
StepData 5= DEVICE.Device Type, 6= Normalised Radius.RadiusFlowType, 7= Network Access.Protocol, 8= Radius.NAS-Port-Type, 10=AD_LOCAL_ISS, 11=AD, 12=AD, 13=1C-1D-86-C5-A9-6D, 14=domainlocal, 15=domainlocal, 17=ERROR_NO_SUCH_USER, 18=AD, 19=Internal Users, 22=Internal Endpoints, 28=AD, 29=1C-1D-86-C5-A9-6D, 30=domainlocal, 31=domainlocal, 33=ERROR_NO_SUCH_USER, 34=AD, 35= AD.ExternalGroups, 36= EndPoints.EndPointPolicy
Total Certainty Factor 10
TotalFailedAttempts 2
TotalFailedTime 40
UseCase Host Lookup
User-AD-Last-Fetch-Time 1565188247918
User-Fetch-User-Name 1c1d86c5a96d
User-Name 1c1d86c5a96d
UserType Host

Accepted Solution:

In order for the endpoint's DHCP request to reach ISE via the IP helper, it has to be on the network in the first place. So your policy should allow unknown endpoints to have at least that much access to the network on VLAN 100, in order for ISE to get a copy of the DHCP transaction between the endpoint and the DHCP server. Since you are rejecting at the end, the endpoint has no way to provide DHCP information to ISE to get it profiled as a phone. The only information available is the MAC address, which provides the MAC OUI to determine that this is a Cisco device.
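The chicken-and-egg problem described in the reply above, as an added example that is not part of the thread and not Cisco ISE code: a small Python simulation of the profiling and authorization sequence. The DHCP option bytes are constructed from the Discover in the capture, the OUI table, the certainty-factor weights (+10 for the OUI, +20 for the vendor class identifier) and the authorization profile names other than Cisco_IP_Phones and DenyAccess are assumptions, and the `Limited_DHCP_Only` profile stands in for the restrictive "allow DHCP only" dACL idea. It shows that with a deny rule at the end the profiler never sees option 60 and stops at Cisco-Device, while a limited-access rule for unknown endpoints lets the DHCP probe run and, with CoA reauthentication, the session lands on the phone profile.

```python
"""
Added example (not from the thread, not ISE's own logic): simulate why a deny
rule leaves a phone profiled as Cisco-Device and how a limited-access rule plus
CoA reauth lets the DHCP probe finish the job.
"""
from typing import Dict, List, Optional, Tuple

MAC = "34:a8:4e:a7:0a:2e"

# Constructed OUI table (ISE uses the full IEEE OUI list); first 3 octets -> vendor.
OUI_DB = {"34:a8:4e": "Cisco Systems, Inc"}


def _opt(code: int, value: bytes) -> bytes:
    """Encode one DHCP option as code, length, value (RFC 2132 TLV)."""
    return bytes([code, len(value)]) + value


# Constructed sample: the options part of the DHCP Discover shown in the capture
# (everything after the magic cookie), re-encoded here for the example.
OPTIONS = (
    _opt(53, b"\x01")                                             # DHCP Message Type: Discover
    + _opt(61, b"\x01" + bytes.fromhex(MAC.replace(":", "")))     # Client identifier
    + _opt(12, b"SEP34A84EA70A2E")                                # Host Name
    + _opt(60, b"Cisco Systems, Inc. IP Phone CP-7962G")          # Vendor class identifier
    + _opt(55, bytes([1, 66, 6, 3, 15, 150, 35]))                 # Parameter Request List
    + b"\xff" + b"\x00" * 8                                       # End + padding
)


def parse_dhcp_options(data: bytes) -> Dict[int, bytes]:
    """Walk the option TLVs; code 0 is a single pad byte, 255 ends the list."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def profile(mac: str, dhcp_opts: Optional[Dict[int, bytes]]) -> Tuple[str, int]:
    """Return (endpoint policy, certainty factor). Weights are assumptions:
    the OUI alone yields Cisco-Device; option 60 containing the IP Phone string
    (the condition named in the thread) yields Cisco-IP-Phone."""
    policy, cf = "Unknown", 0
    if "Cisco" in OUI_DB.get(mac.lower()[:8], ""):
        policy, cf = "Cisco-Device", cf + 10
    if dhcp_opts is not None:
        vci = dhcp_opts.get(60, b"").decode("ascii", errors="replace")
        if "Cisco Systems, Inc. IP Phone" in vci:
            policy, cf = "Cisco-IP-Phone", cf + 20
    return policy, cf


def authorize(policy: str, allow_unknown_dhcp: bool) -> str:
    """Authorization rule order: phone rule, then the (assumed) limited rule, then deny."""
    if policy == "Cisco-IP-Phone":
        return "Cisco_IP_Phones"        # voice VLAN + permit, as in the thread
    if allow_unknown_dhcp:
        return "Limited_DHCP_Only"      # hypothetical: dACL permitting only DHCP (and TFTP)
    return "DenyAccess"


def session(mac: str, dhcp_options: bytes, allow_unknown_dhcp: bool,
            coa_reauth: bool = True) -> List[Tuple[str, int, str]]:
    """Trace of (policy, certainty, authorization profile) per evaluation."""
    trace: List[Tuple[str, int, str]] = []
    # First Access-Request: the RADIUS probe only knows the MAC / OUI.
    policy, cf = profile(mac, None)
    authz = authorize(policy, allow_unknown_dhcp)
    trace.append((policy, cf, authz))
    if authz == "DenyAccess":
        return trace                    # no network access -> no DHCP -> nothing more to learn
    # With some access, the relayed DHCP request reaches the DHCP probe.
    policy, cf = profile(mac, parse_dhcp_options(dhcp_options))
    if coa_reauth and policy != trace[-1][0]:
        authz = authorize(policy, allow_unknown_dhcp)   # profile change triggers CoA reauth
    trace.append((policy, cf, authz))
    return trace


if __name__ == "__main__":
    for allow in (False, True):
        print("allow unknown DHCP =", allow, "->", session(MAC, OPTIONS, allow))
```

Running the block prints the two traces: with `allow_unknown_dhcp=False` the session stops at `("Cisco-Device", 10, "DenyAccess")`, which is the state in the second endpoint dump; with it enabled the endpoint first gets the limited profile and, after the DHCP probe and CoA, `Cisco_IP_Phones`. Passing `coa_reauth=False` shows the situation from the follow-up question, where the endpoint is profiled correctly but keeps the earlier authorization until something forces a reauthentication.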

Thanks for the information. What is the best practice for allowing the device temporary access to the VLAN? Is it through a local ACL on the switchport? I tried pushing down a policy on ISE which gave it access to DHCP. However, after it was profiled correctly using that authorization policy, it didn't attempt to reauthenticate to use the IP Phone policy.

If you have guest access on the wired then IP phone will naturally get DHCP just like guest using ACL. If guest is not used, then you can use more restrictive ACL to only allow DHCP.

If you have CoA reauth turned on for profiler global setting it should have reauth'd after transitioning from unknown device to IP phone.

Phones in general reboot if they can't find the TFTP server, so they should eventually land in the proper network access.
