CISCO ISE Avaya Profiling Question

bgl-group
Level 1

I have a strange problem with profiling Cisco IP Phones.

We have various types of phones: 9630, 4622 and 4621s, which work fine, and 1608 and 4610s, which won't profile properly.

Looking at the DHCP request, I think I have found the issue.

9630 Phone

Frame 378: 590 bytes on wire (4720 bits), 590 bytes captured (4720 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb 26, 2016 14:52:39.019126000 GMT Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1456498359.019126000 seconds
    [Time delta from previous captured frame: 0.359769000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 47.424667000 seconds]
    Frame Number: 378
    Frame Length: 590 bytes (4720 bits)
    Capture Length: 590 bytes (4720 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:bootp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: TenovisK_b1:93:e3 (00:07:3b:b1:93:e3), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: TenovisK_b1:93:e3 (00:07:3b:b1:93:e3)
        Address: TenovisK_b1:93:e3 (00:07:3b:b1:93:e3)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 576
    Identification: 0xf11a (61722)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 32
    Protocol: UDP (17)
    Header checksum: 0x6793 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 0.0.0.0
    Destination: 255.255.255.255
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 68 (68), Dst Port: 67 (67)
    Source Port: 68
    Destination Port: 67
    Length: 556
    Checksum: 0x8507 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 35]
Bootstrap Protocol (Discover)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x3065de80
    Seconds elapsed: 0
    Bootp flags: 0x0000 (Unicast)
        0... .... .... .... = Broadcast flag: Unicast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 0.0.0.0
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: TenovisK_b1:93:e3 (00:07:3b:b1:93:e3)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Discover)
        Length: 1
        DHCP: Discover (1)
    Option: (57) Maximum DHCP Message Size
        Length: 2
        Maximum DHCP Message Size: 1000
    Option: (55) Parameter Request List
        Length: 7
        Parameter Request List Item: (1) Subnet Mask
        Parameter Request List Item: (28) Broadcast Address
        Parameter Request List Item: (3) Router
        Parameter Request List Item: (6) Domain Name Server
        Parameter Request List Item: (15) Domain Name
        Parameter Request List Item: (42) Network Time Protocol Servers
        Parameter Request List Item: (242) Private/Avaya IP Telephone
    Option: (12) Host Name
        Length: 9
        Host Name: AVTB193E3
    Option: (60) Vendor class identifier
        Length: 13
        Vendor class identifier: ccp.avaya.com
    Option: (255) End
        Option End: 255
    Padding: 000000000000000000000000000000000000000000000000...

1608 phone

Frame 2: 1038 bytes on wire (8304 bits), 1038 bytes captured (8304 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb 26, 2016 14:33:46.926553000 GMT Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1456497226.926553000 seconds
    [Time delta from previous captured frame: 28.158921000 seconds]
    [Time delta from previous displayed frame: 28.158921000 seconds]
    [Time since reference or first frame: 28.158921000 seconds]
    Frame Number: 2
    Frame Length: 1038 bytes (8304 bits)
    Capture Length: 1038 bytes (8304 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:bootp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: AvayaInc_bc:5b:c0 (38:bb:3c:bc:5b:c0), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: AvayaInc_bc:5b:c0 (38:bb:3c:bc:5b:c0)
        Address: AvayaInc_bc:5b:c0 (38:bb:3c:bc:5b:c0)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 1024
    Identification: 0x6746 (26438)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 32
    Protocol: UDP (17)
    Header checksum: 0xefa7 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 0.0.0.0
    Destination: 255.255.255.255
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 68 (68), Dst Port: 67 (67)
    Source Port: 68
    Destination Port: 67
    Length: 1004
    Checksum: 0xa725 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 0]
Bootstrap Protocol (Discover)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x2ec969f0
    Seconds elapsed: 0
    Bootp flags: 0x0000 (Unicast)
        0... .... .... .... = Broadcast flag: Unicast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 0.0.0.0
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: AvayaInc_bc:5b:c0 (38:bb:3c:bc:5b:c0)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Discover)
        Length: 1
        DHCP: Discover (1)
    Option: (57) Maximum DHCP Message Size
        Length: 2
        Maximum DHCP Message Size: 576
    Option: (55) Parameter Request List
        Length: 7
        Parameter Request List Item: (1) Subnet Mask
        Parameter Request List Item: (28) Broadcast Address
        Parameter Request List Item: (3) Router
        Parameter Request List Item: (6) Domain Name Server
        Parameter Request List Item: (15) Domain Name
        Parameter Request List Item: (42) Network Time Protocol Servers
        Parameter Request List Item: (242) Private/Avaya IP Telephone
    Option: (12) Host Name
        Length: 9
        Host Name: AVXBC5BC0
    Option: (255) End
        Option End: 255
    Padding: 000000000000000000000000000000000000000000000000...

Looking at these two, it appears the 9630 sends a vendor class identifier (60) of ccp.avaya.com. The 1608 doesn't.

The ISE profiling rule used the VCI to identify it as an Avaya-IP-Phone.

Now, to get round this, I could change my authentication rule to use the Avaya-Device profiling group, but this seems a little bit wrong. I don't expect anything other than IP phones from Avaya, but.....

Any suggestions on how best to do the profiling? I have attached the Wireshark captures to this message as well.

Thanks

Giles

4 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Can you share the show tech from one of the access switches?

What is the error message you see on the phone when you try to authenticate?

What is the authentication method that you are using?

Do we see an Access-Reject sent from ISE?

Also, check if EAP-MD5 is allowed and if you have checked the checkbox for "Detect EAP-MD5 as Host Lookup". This should be checked in case you would like to use EAP-MD5 for MAB authentication.

Regards,

Aditya 

Please rate helpful posts.

Hi Aditya

I have tried the following

Enabled Detect EAP-MD5 as host lookup (no change)

Enabled LLDP on the switch (the switch gives loads more data, but it doesn't change ISE).

The problem isn't with the switch or the access policy. It is that the phone model (1608) doesn't profile correctly, coming up as an 'Avaya Device' and not an 'Avaya IP Phone'.

The only solution I can see is to change the authentication rules in ISE to apply my IP Phone ACL to any 'Avaya Device' unless someone can suggest a custom profile for this device?

I don't really want to do this in case someone plugs something odd into the network - i.e. Avaya made but not an IP phone.

Thanks

Giles

Hi,

It mainly depends on your profiling configuration.

If the phone supports LLDP, the best option is normally to enable the Device Sensor on the switch, so that ISE is able to see the LLDP capabilities. If you aren't able to use Device Sensor, or LLDP isn't supported on the phones, you can use DHCP Option 242, which is requested by both phones.
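As an added example (not from the thread, and not Cisco or Avaya code), the following Python parses the DHCP options of the two Discover packets quoted in the question and applies the two profiling conditions discussed: the existing match on option 60, and the suggested match on option 242 appearing in the option 55 parameter request list. The option bytes are constructed from the field values shown in the captures, and the profile name returned is an assumed label, not an ISE attribute.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # cookie that precedes the DHCP options

def parse_dhcp_options(data: bytes) -> dict[int, bytes]:
    """Parse RFC 2132 option TLVs; `data` starts at the magic cookie
    (the 236-byte fixed BOOTP header is not needed for option matching)."""
    if not data.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts: dict[int, bytes] = {}
    i = len(MAGIC_COOKIE)
    while i < len(data):
        code = data[i]
        if code == 255:        # End: stop, trailing padding is ignored
            break
        if code == 0:          # Pad: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts

def profile_phone(opts: dict[int, bytes]) -> str:
    """The rule in the thread keys on option 60, which the 1608 omits; the
    suggested fix keys on 242 in the option 55 parameter request list,
    which both phones send. Either condition yields the IP-phone profile."""
    vci = opts.get(60, b"").decode("ascii", "replace")
    if vci == "ccp.avaya.com" or 242 in set(opts.get(55, b"")):
        return "Avaya-IP-Phone"
    return "Unknown"

# Option bytes constructed from the two captures quoted in the question.
PHONE_9630 = (MAGIC_COOKIE + bytes([53, 1, 1, 57, 2, 0x03, 0xE8])
              + bytes([55, 7, 1, 28, 3, 6, 15, 42, 242])
              + bytes([12, 9]) + b"AVTB193E3"
              + bytes([60, 13]) + b"ccp.avaya.com" + bytes([255, 0, 0]))
PHONE_1608 = (MAGIC_COOKIE + bytes([53, 1, 1, 57, 2, 0x02, 0x40])
              + bytes([55, 7, 1, 28, 3, 6, 15, 42, 242])
              + bytes([12, 9]) + b"AVXBC5BC0" + bytes([255, 0, 0]))
# Constructed generic client requesting neither option 60 nor 242.
OTHER_HOST = MAGIC_COOKIE + bytes([53, 1, 1, 55, 3, 1, 3, 6, 255])

if __name__ == "__main__":
    for name, pkt in (("9630", PHONE_9630), ("1608", PHONE_1608), ("other", OTHER_HOST)):
        print(name, profile_phone(parse_dhcp_options(pkt)))
```

The third packet shows that the option 242 condition still leaves an ordinary DHCP client unmatched, which is the concern raised about broadening the rule to any Avaya device.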

I am experiencing the same problem. Did you come up with a fix for this? I was thinking of using DHCP option 60 to send the ccp.avaya.com.