Device Sensor for MAB Profiling IP-Phone Requires "Authentication Open"

hotcave46
Level 1

I'm testing MAB Profiling on a 3750-X running 15.2(4)E8. I have a Cisco IP Phone connected on Gi1/0/23. I have Device Sensor set up and passing DHCP/CDP/LLDP data to ISE 2.6 p5, where my IP-Phone MAB rule lives. I'm running into a testing issue that I don't understand:


Device Sensor Config

device-sensor filter-list dhcp list TLV-DHCP
option name host-name
option name class-identifier
option name client-identifier
!
device-sensor filter-list lldp list TLV-LLDP
tlv name system-name
tlv name system-description
!
device-sensor filter-list cdp list TLV-CDP
tlv name device-name
tlv name version-type
tlv name platform-type
device-sensor filter-spec dhcp include list TLV-DHCP
device-sensor filter-spec lldp include list TLV-LLDP
device-sensor filter-spec cdp include list TLV-CDP
device-sensor accounting
device-sensor notify all-changes


Switchport Config Test 1 - FAIL - ISE receives no Device Sensor data and the IP-Phone hits the MAB Default Rule, which is currently AccessAccept, and is dropped onto the DATA domain. No additional Device Sensor data ever populates in my ISE Identity database.

interface GigabitEthernet1/0/23
description dot1x test
switchport access vlan 214
switchport mode access
switchport voice vlan 215
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security
authentication event fail action next-method
authentication event server dead action reinitialize vlan 214
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
ip dhcp snooping limit rate 10
end


Switchport Config Test 2 - PASS - Adding "authentication open" to the switchport config results in all Device Sensor data being passed to ISE, and the phone correctly hits the MAB IP-Phone Policy Set and is placed onto the VOICE Domain.


I don't understand why the "authentication open" is allowing/restricting the Device Sensor data from reaching ISE when my default rule is an AccessAccept.  Any thoughts?

1 Accepted Solution


It appears that this is a bug in the 3750X 15.2(4)E8 code. Moving over to a 3850 running 16.6.4a resolved the issue


8 Replies

poongarg
Cisco Employee
Please check if the below accounting commands are present on the switch:

aaa accounting dot1x default start-stop group radius
radius-server vsa send accounting

The "aaa accounting config..." is present and configured for my ise-radius group. I did not have "radius-server vsa send accounting" in my config, but after running a test it had no impact. The device sensor data is showing in cache on the switch, but never reaches ISE which instead is generically profiling against the OUI and nothing else:

Dot1x_test_cube#show device-sensor cache interface gi1/0/23
Device: e804.6212.25d0 on port GigabitEthernet1/0/23
--------------------------------------------------
Proto Type:Name Len Value
LLDP 6:system-description 45 0C 2B 43 69 73 63 6F 20 49 50 20 50 68 6F 6E 65
20 37 39 36 32 47 2C 56 36 2C 20 53 43 43 50 34
32 2E 39 2D 34 2D 32 53 52 33 2D 31 53
LLDP 5:system-name 17 0A 0F 53 45 50 45 38 30 34 36 32 31 32 32 35 44
30
CDP 28:secondport-status-type 7 00 1C 00 07 00 02 00
CDP 6:platform-type 23 00 06 00 17 43 69 73 63 6F 20 49 50 20 50 68 6F
6E 65 20 37 39 36 32
CDP 5:version-type 22 00 05 00 16 53 43 43 50 34 32 2E 39 2D 34 2D 32
53 52 33 2D 31 53
CDP 1:device-name 19 00 01 00 13 53 45 50 45 38 30 34 36 32 31 32 32
35 44 30

Dot1x_test_cube#

After looking through my Radius Debug, I'm not seeing any CDP or LLDP details in the accounting.

Gi1/0/23 AuditSessionID 0A32EC15000000490632DB37
001837: Jun 18 15:07:52.565 EDT: RADIUS/ENCODE(00000000):Orig. component type = Invalid
001838: Jun 18 15:07:52.565 EDT: RADIUS(00000000): Config NAS IP: 10.50.236.21
001839: Jun 18 15:07:52.565 EDT: RADIUS(00000000): Config NAS IPv6: ::
001840: Jun 18 15:07:52.565 EDT: RADIUS(00000000): sending
001841: Jun 18 15:07:52.573 EDT: RADIUS: Message Authenticator encoded
001842: Jun 18 15:07:52.573 EDT: RADIUS(00000000): Send Access-Request to 10.165.68.8:1812 onvrf(0) id 1645/32, len 261
001843: Jun 18 15:07:52.573 EDT: RADIUS: authenticator 27 71 3B 6E 52 4C 87 46 - 2E FA 0A C2 79 A9 55 40
001844: Jun 18 15:07:52.573 EDT: RADIUS: User-Name [1] 14 "e804621225d0"
001845: Jun 18 15:07:52.573 EDT: RADIUS: User-Password [2] 18 *
001846: Jun 18 15:07:52.573 EDT: RADIUS: Service-Type [6] 6 Call Check [10]
001847: Jun 18 15:07:52.573 EDT: RADIUS: Vendor, Cisco [26] 31
001848: Jun 18 15:07:52.573 EDT: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
001849: Jun 18 15:07:52.573 EDT: RADIUS: Framed-MTU [12] 6 1500
001850: Jun 18 15:07:52.573 EDT: RADIUS: Called-Station-Id [30] 19 "30-F7-0D-E3-4D-97"
001851: Jun 18 15:07:52.573 EDT: RADIUS: Calling-Station-Id [31] 19 "E8-04-62-12-25-D0"
001852: Jun 18 15:07:52.573 EDT: RADIUS: Message-Authenticato[80] 18
001853: Jun 18 15:07:52.573 EDT: RADIUS: F6 62 A8 FE 99 55 5B 40 7C 66 28 3D 42 63 5B E0 [ bU[@|f(=Bc[]
001854: Jun 18 15:07:52.573 EDT: RADIUS: EAP-Key-Name [102] 2 *
001855: Jun 18 15:07:52.573 EDT: RADIUS: Vendor, Cisco [26] 49
001856: Jun 18 15:07:52.573 EDT: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A32EC15000000490632DB37"
001857: Jun 18 15:07:52.573 EDT: RADIUS: Vendor, Cisco [26] 18
001858: Jun 18 15:07:52.573 EDT: RADIUS: Cisco AVpair [1] 12 "method=mab"
001859: Jun 18 15:07:52.573 EDT: RADIUS: NAS-IP-Address [4] 6 10.50.236.21
001860: Jun 18 15:07:52.573 EDT: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/23"
001861: Jun 18 15:07:52.573 EDT: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
001862: Jun 18 15:07:52.573 EDT: RADIUS: NAS-Port [5] 6 50123
001863: Jun 18 15:07:52.573 EDT: RADIUS(00000000): Sending a IPv4 Radius Packet
001864: Jun 18 15:07:52.573 EDT: RADIUS(00000000): Started 5 sec timeout
001865: Jun 18 15:07:52.590 EDT: RADIUS: Received from id 1645/32 10.165.68.8:1812, Access-Accept, len 152
001866: Jun 18 15:07:52.590 EDT: RADIUS: authenticator 30 5A 5A 21 FA 97 6A F8 - D6 81 E2 DA CB 42 D9 96
001867: Jun 18 15:07:52.590 EDT: RADIUS: User-Name [1] 19 "E8-04-62-12-25-D0"
001868: Jun 18 15:07:52.590 EDT: RADIUS: Class [25] 62
001869: Jun 18 15:07:52.590 EDT: RADIUS: 43 41 43 53 3A 30 41 33 32 45 43 31 35 30 30 30 [CACS:0A32EC15000]
001870: Jun 18 15:07:52.590 EDT: RADIUS: 30 30 30 34 39 30 36 33 32 44 42 33 37 3A 43 44 [000490632DB37:CD]
001871: Jun 18 15:07:52.590 EDT: RADIUS: 43 49 53 45 50 53 4E 30 31 2F 33 38 30 36 37 34 [CISEPSN01/380674]
001872: Jun 18 15:07:52.590 EDT: RADIUS: 31 30 30 2F 32 36 30 34 32 34 33 36 [ 100/26042436]
001873: Jun 18 15:07:52.590 EDT: RADIUS: Message-Authenticato[80] 18
001874: Jun 18 15:07:52.590 EDT: RADIUS: 92 50 95 DF B3 69 77 81 FE 95 CB DC 1D 91 37 24 [ Piw7$]
001875: Jun 18 15:07:52.590 EDT: RADIUS: Vendor, Cisco [26] 33
001876: Jun 18 15:07:52.590 EDT: RADIUS: Cisco AVpair [1] 27 "profile-name=Cisco-Device"
001877: Jun 18 15:07:52.590 EDT: RADIUS(00000000): Received from id 1645/32
001878: Jun 18 15:07:52.590 EDT: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
001879: Jun 18 15:08:53.597 EDT: %DOT1X-5-FAIL: Authentication failed for client (e804.6212.25d0) on Interface Gi1/0/23 AuditSessionID 0A32EC15000000490632DB37
001880: Jun 18 15:08:53.597 EDT: RADIUS/ENCODE(00000000):Orig. component type = Invalid
001881: Jun 18 15:08:53.597 EDT: RADIUS(00000000): Config NAS IP: 10.50.236.21
001882: Jun 18 15:08:53.597 EDT: RADIUS(00000000): Config NAS IPv6: ::
001883: Jun 18 15:08:53.597 EDT: RADIUS(00000000): sending
001884: Jun 18 15:08:53.605 EDT: RADIUS: Message Authenticator encoded
001885: Jun 18 15:08:53.605 EDT: RADIUS(00000000): Send Access-Request to 10.165.68.8:1812 onvrf(0) id 1645/33, len 261
001886: Jun 18 15:08:53.605 EDT: RADIUS: authenticator 3C A8 75 A2 91 13 E8 09 - D1 AD BC 8E 03 E3 7D CE
001887: Jun 18 15:08:53.605 EDT: RADIUS: User-Name [1] 14 "e804621225d0"
001888: Jun 18 15:08:53.605 EDT: RADIUS: User-Password [2] 18 *
001889: Jun 18 15:08:53.605 EDT: RADIUS: Service-Type [6] 6 Call Check [10]
001890: Jun 18 15:08:53.605 EDT: RADIUS: Vendor, Cisco [26] 31
001891: Jun 18 15:08:53.605 EDT: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
001892: Jun 18 15:08:53.605 EDT: RADIUS: Framed-MTU [12] 6 1500
001893: Jun 18 15:08:53.605 EDT: RADIUS: Called-Station-Id [30] 19 "30-F7-0D-E3-4D-97"
001894: Jun 18 15:08:53.605 EDT: RADIUS: Calling-Station-Id [31] 19 "E8-04-62-12-25-D0"
001895: Jun 18 15:08:53.605 EDT: RADIUS: Message-Authenticato[80] 18
001896: Jun 18 15:08:53.605 EDT: RADIUS: DC A0 59 14 80 60 43 B4 CC 69 91 FB 0A 61 7C BB [ Y`Cia|]
001897: Jun 18 15:08:53.605 EDT: RADIUS: EAP-Key-Name [102] 2 *
001898: Jun 18 15:08:53.605 EDT: RADIUS: Vendor, Cisco [26] 49
001899: Jun 18 15:08:53.605 EDT: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A32EC15000000490632DB37"
001900: Jun 18 15:08:53.605 EDT: RADIUS: Vendor, Cisco [26] 18
001901: Jun 18 15:08:53.605 EDT: RADIUS: Cisco AVpair [1] 12 "method=mab"
001902: Jun 18 15:08:53.605 EDT: RADIUS: NAS-IP-Address [4] 6 10.50.236.21
001903: Jun 18 15:08:53.605 EDT: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/23"
001904: Jun 18 15:08:53.605 EDT: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
001905: Jun 18 15:08:53.605 EDT: RADIUS: NAS-Port [5] 6 50123
001906: Jun 18 15:08:53.605 EDT: RADIUS(00000000): Sending a IPv4 Radius Packet
001907: Jun 18 15:08:53.605 EDT: RADIUS(00000000): Started 5 sec timeout
001908: Jun 18 15:08:53.622 EDT: RADIUS: Received from id 1645/33 10.165.68.8:1812, Access-Accept, len 152
001909: Jun 18 15:08:53.622 EDT: RADIUS: authenticator 3D B1 28 9B 58 EC 35 9E - 3E AD 7F D9 A4 95 4F E9
001910: Jun 18 15:08:53.622 EDT: RADIUS: User-Name [1] 19 "E8-04-62-12-25-D0"
001911: Jun 18 15:08:53.622 EDT: RADIUS: Class [25] 62
001912: Jun 18 15:08:53.622 EDT: RADIUS: 43 41 43 53 3A 30 41 33 32 45 43 31 35 30 30 30 [CACS:0A32EC15000]
001913: Jun 18 15:08:53.622 EDT: RADIUS: 30 30 30 34 39 30 36 33 32 44 42 33 37 3A 43 44 [000490632DB37:CD]
001914: Jun 18 15:08:53.622 EDT: RADIUS: 43 49 53 45 50 53 4E 30 31 2F 33 38 30 36 37 34 [CISEPSN01/380674]
Dot1x_test_cube#
001915: Jun 18 15:08:53.622 EDT: RADIUS: 31 30 30 2F 32 36 30 34 33 39 39 38 [ 100/26043998]
001916: Jun 18 15:08:53.622 EDT: RADIUS: Message-Authenticato[80] 18
001917: Jun 18 15:08:53.622 EDT: RADIUS: DB 15 AE DB 54 02 5F D2 A4 69 67 44 15 D2 81 3D [ T_igD=]
001918: Jun 18 15:08:53.622 EDT: RADIUS: Vendor, Cisco [26] 33
001919: Jun 18 15:08:53.622 EDT: RADIUS: Cisco AVpair [1] 27 "profile-name=Cisco-Device"
001920: Jun 18 15:08:53.622 EDT: RADIUS(00000000): Received from id 1645/33
001921: Jun 18 15:08:53.622 EDT: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE

I think I've partially found the answer here: https://www.ise-support.com/2019/07/02/switch-device-sensors-and-access-reject/#comment-51
My CDP details aren't being submitted via accounting. I tried this method, which should be more restrictive than a full Access-Accept default rule, and unfortunately it didn't work. "Authentication Open" remains the only way for me to profile this phone.
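
Added example (my own code, not from the thread or from Cisco): a Python decoder for the `show device-sensor cache` listing posted above. It reassembles the wrapped hex, then splits each entry using the protocol's own TLV header (LLDP: a 7-bit type and 9-bit length packed into 2 bytes, length excluding the header; CDP: 2-byte type and 2-byte length that includes the header; DHCP: 1-byte option code and 1-byte length) and checks that the on-wire header agrees with the Type/Len columns the switch prints. That confirms what the switch has actually cached for this phone (system-name SEPE804621225D0, platform Cisco IP Phone 7962) before chasing the accounting side. The sample cache is constructed from the bytes shown in the post; the DHCP branch is an assumption, since the posted cache has no DHCP entries.

```python
import re

# Constructed sample: the 'show device-sensor cache' output posted in the thread,
# with the hex bytes copied as shown (Type, Name and Len columns included).
SAMPLE_CACHE = """\
Device: e804.6212.25d0 on port GigabitEthernet1/0/23
--------------------------------------------------
Proto Type:Name Len Value
LLDP 6:system-description 45 0C 2B 43 69 73 63 6F 20 49 50 20 50 68 6F 6E 65
20 37 39 36 32 47 2C 56 36 2C 20 53 43 43 50 34
32 2E 39 2D 34 2D 32 53 52 33 2D 31 53
LLDP 5:system-name 17 0A 0F 53 45 50 45 38 30 34 36 32 31 32 32 35 44
30
CDP 28:secondport-status-type 7 00 1C 00 07 00 02 00
CDP 6:platform-type 23 00 06 00 17 43 69 73 63 6F 20 49 50 20 50 68 6F
6E 65 20 37 39 36 32
CDP 5:version-type 22 00 05 00 16 53 43 43 50 34 32 2E 39 2D 34 2D 32
53 52 33 2D 31 53
CDP 1:device-name 19 00 01 00 13 53 45 50 45 38 30 34 36 32 31 32 32
35 44 30
"""

ENTRY = re.compile(r"^(LLDP|CDP|DHCP)\s+(\d+):(\S+)\s+(\d+)\s+(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_cache(text):
    """Group the listing into entries; continuation lines (hex only) are
    appended to the entry above them. Returns (proto, type, name, len, bytes)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            proto, cache_type, name, cache_len, rest = m.groups()
            entries.append([proto, int(cache_type), name, int(cache_len), rest.split()])
            continue
        toks = line.split()
        if entries and toks and all(HEX_BYTE.match(t) for t in toks):
            entries[-1][4].extend(toks)
    return [(p, t, n, ln, bytes(int(x, 16) for x in hx)) for p, t, n, ln, hx in entries]


def split_tlv(proto, raw):
    """Return (wire_type, wire_len, payload, total_bytes) per protocol header layout.
    LLDP: 16-bit header = 7-bit type | 9-bit length (length excludes the header).
    CDP:  2-byte type, 2-byte length that INCLUDES the 4-byte header.
    DHCP: 1-byte option code, 1-byte length (length excludes the header) - assumed."""
    if len(raw) < 2:
        return None, 0, raw, len(raw)
    if proto == "LLDP":
        hdr = int.from_bytes(raw[:2], "big")
        wire_type, wire_len = hdr >> 9, hdr & 0x1FF
        return wire_type, wire_len, raw[2:2 + wire_len], 2 + wire_len
    if proto == "CDP":
        wire_type = int.from_bytes(raw[:2], "big")
        wire_len = int.from_bytes(raw[2:4], "big")
        return wire_type, wire_len, raw[4:wire_len], wire_len
    wire_type, wire_len = raw[0], raw[1]
    return wire_type, wire_len, raw[2:2 + wire_len], 2 + wire_len


def render(payload):
    """Printable ASCII is shown as text; anything else (flags, binary fields) as hex."""
    if payload and all(0x20 <= b < 0x7F for b in payload):
        return payload.decode("ascii")
    return payload.hex(" ")


def decode_cache(text):
    """Decode every cached TLV and flag entries whose on-wire header disagrees with
    the Type/Len columns (a quick sanity check before blaming the RADIUS side)."""
    out = []
    for proto, cache_type, name, cache_len, raw in parse_cache(text):
        wire_type, wire_len, payload, total = split_tlv(proto, raw)
        out.append({
            "proto": proto,
            "name": name,
            "value": render(payload),
            "consistent": wire_type == cache_type and total == cache_len == len(raw),
        })
    return out


if __name__ == "__main__":
    for e in decode_cache(SAMPLE_CACHE):
        flag = "" if e["consistent"] else "  <-- header/length mismatch"
        print(f'{e["proto"]:4} {e["name"]:24} {e["value"]}{flag}')
```

Paste the real cache listing into SAMPLE_CACHE (or read it from a file) to decode another device; an entry flagged as inconsistent would point at a truncated copy-paste or a platform that prints the columns differently, not at a real TLV problem.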

I think the device is hitting the below defect:
CSCvk31115: Device-sensor doesn't send data off initial boot
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk31115

Can you check if the below workaround fixes your issue:
Remove and add 'device-sensor accounting'.

No luck. I tried removing and then adding back the "device-sensor accounting" without success. Our switches are on code 15.2(4)E8 which was not listed under CSCvk31115.

The debug radius output you have given is for the RADIUS Access-Request, not the Accounting-Request. Can you re-validate the Accounting-Request to see whether the attributes are sent by the switch or not?
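
To act on that point (look at the Accounting-Request, not the Access-Request), here is an added Python helper that is my own code, not from the thread or from Cisco. It walks a `debug radius` capture, separates Access-Requests from Accounting-Requests by their "Send ... to" line, collects the Cisco AVpairs of each packet, and reports which Accounting-Requests carry attributes that look like Device Sensor data. The Access-Request lines are trimmed from the debug posted earlier in this thread; the Accounting-Request sample, the AVpair key names `cdp-tlv`, `lldp-tlv` and `dhcp-option`, and the value layout inside them are assumptions made for illustration, so adjust SENSOR_KEYS to whatever your platform actually prints.

```python
import re

# Access-Request lines trimmed from the debug posted in the thread.
ACCESS_ONLY_DEBUG = """\
001842: Jun 18 15:07:52.573 EDT: RADIUS(00000000): Send Access-Request to 10.165.68.8:1812 onvrf(0) id 1645/32, len 261
001848: Jun 18 15:07:52.573 EDT: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
001856: Jun 18 15:07:52.573 EDT: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A32EC15000000490632DB37"
001858: Jun 18 15:07:52.573 EDT: RADIUS: Cisco AVpair [1] 12 "method=mab"
001863: Jun 18 15:07:52.573 EDT: RADIUS(00000000): Sending a IPv4 Radius Packet
"""

# Constructed Accounting-Request: the shape a switch is expected to emit once Device
# Sensor accounting fires for the same session. The "cdp-tlv"/"lldp-tlv" key names and
# the value layout are an assumption for illustration, not copied from a real capture.
ACCOUNTING_DEBUG = """\
009001: Jun 18 15:07:55.100 EDT: RADIUS(00000000): Send Accounting-Request to 10.165.68.8:1813 onvrf(0) id 1646/10, len 333
009002: Jun 18 15:07:55.100 EDT: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
009003: Jun 18 15:07:55.100 EDT: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A32EC15000000490632DB37"
009004: Jun 18 15:07:55.100 EDT: RADIUS: Cisco AVpair [1] 46 "cdp-tlv=cdpCachePlatform=Cisco IP Phone 7962"
009005: Jun 18 15:07:55.100 EDT: RADIUS: Cisco AVpair [1] 41 "lldp-tlv=lldpSystemName=SEPE804621225D0"
009006: Jun 18 15:07:55.100 EDT: RADIUS(00000000): Sending a IPv4 Radius Packet
"""

SEND = re.compile(r"Send (Access-Request|Accounting-Request) to (\S+) .*?id (\S+),")
AVPAIR = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')
ACCT_TYPE = re.compile(r"Acct-Status-Type\s+\[40\]\s+\d+\s+(\S+)")
END = re.compile(r"Sending a IPv[46] Radius Packet")

# Assumed AVpair keys under which Device Sensor forwards CDP/LLDP/DHCP data.
SENSOR_KEYS = ("cdp-tlv", "lldp-tlv", "dhcp-option")


def parse_packets(log):
    """Split a debug radius capture into outbound packets with their Cisco AVpairs."""
    packets, cur = [], None
    for line in log.splitlines():
        m = SEND.search(line)
        if m:
            cur = {"kind": m.group(1), "server": m.group(2), "id": m.group(3),
                   "acct_status": None, "avpairs": []}
            packets.append(cur)
            continue
        if cur is None:
            continue
        m = AVPAIR.search(line)
        if m:
            cur["avpairs"].append(m.group(1))
            continue
        m = ACCT_TYPE.search(line)
        if m:
            cur["acct_status"] = m.group(1)
            continue
        if END.search(line):
            cur = None  # packet fully dumped; ignore lines until the next Send
    return packets


def sensor_avpairs(packet):
    """AVpairs whose key (text before '=') is one of the sensor keys."""
    return [a for a in packet["avpairs"] if a.split("=", 1)[0] in SENSOR_KEYS]


def check_device_sensor(log):
    """Verdicts: NO_ACCOUNTING (capture has no Accounting-Request at all, so nothing
    can be concluded), SENSOR_PRESENT, or SENSOR_MISSING (accounting goes out but
    carries none of the sensor attributes)."""
    packets = parse_packets(log)
    access = [p for p in packets if p["kind"] == "Access-Request"]
    acct = [p for p in packets if p["kind"] == "Accounting-Request"]
    found = {p["id"]: sensor_avpairs(p) for p in acct}
    if not acct:
        verdict = "NO_ACCOUNTING"
    elif any(found.values()):
        verdict = "SENSOR_PRESENT"
    else:
        verdict = "SENSOR_MISSING"
    return {"access_requests": len(access), "accounting_requests": len(acct),
            "sensor_by_packet": found, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("access only", ACCESS_ONLY_DEBUG),
                      ("with accounting", ACCESS_ONLY_DEBUG + ACCOUNTING_DEBUG)):
        print(name, "->", check_device_sensor(log))
```

Run it over the full debug from the failing port: a NO_ACCOUNTING verdict means the capture never contained an accounting packet (check the `aaa accounting` lines or keep the debug running longer), while SENSOR_MISSING means the switch accounts for the session but the sensor attributes are being left out, which is the symptom this thread is about.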