ISE 2.4 not authorizing Cisco Phones

David Harrell
Level 1

Hello all,

I have a situation that I feel like needs another set of eyes. Installed ISE 2.4 last week, and had our test 7945G being profiled by the default IP Phone authorization rule, as we would expect, and "Permit Access". After configuring 802.1x for our wired domain computers, the phone still seems to be profiled, but is hitting the "Default" authorization rule which has now been changed to "Deny Access".

 

Here is what we see switch side:

Dec 12 15:58:15.659: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa3/0/4, port's configured trust state is now operational.
Dec 12 15:58:15.659: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa3/0/4, port's configured trust state is now operational.
Dec 12 15:58:15.684: %AUTHMGR-5-START: Starting 'dot1x' for client (001d.7060.b031) on Interface Fa3/0/4
Dec 12 15:58:16.883: %AUTHMGR-5-START: Starting 'dot1x' for client (f8b1.56a8.2d5b) on Interface Fa3/0/4
Dec 12 15:58:18.846: %DOT1X-5-SUCCESS: Authentication successful for client (f8b1.56a8.2d5b) on Interface Fa3/0/4
Dec 12 15:58:18.846: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (f8b1.56a8.2d5b) on Interface Fa3/0/4
Dec 12 15:58:19.593: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f8b1.56a8.2d5b) on Interface Fa3/0/4
Dec 12 15:58:30.146: %DOT1X-5-FAIL: Authentication failed for client (001d.7060.b031) on Interface Fa3/0/4
Dec 12 15:58:30.146: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001d.7060.b031) on Interface Fa3/0/4
Dec 12 15:58:30.146: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001d.7060.b031) on Interface Fa3/0/4
Dec 12 15:58:30.146: %AUTHMGR-5-START: Starting 'mab' for client (001d.7060.b031) on Interface Fa3/0/4
Dec 12 15:58:30.146: %MAB-5-FAIL: Authentication failed for client (001d.7060.b031) on Interface Fa3/0/4
Dec 12 15:58:30.154: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (001d.7060.b031) on Interface Fa3/0/4
Dec 12 15:58:30.154: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001d.7060.b031) on Interface Fa3/0/4
Dec 12 15:58:30.154: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (001d.7060.b031) on Interface Fa3/0/4
Dec 12 15:58:30.154: %AUTHMGR-5-FAIL: Authorization failed for client (001d.7060.b031) on Interface Fa3/0/4

 

Output of "show authen sess int f3/0/4"

Interface: FastEthernet3/0/4
MAC Address: f8b1.56a8.2d5b
IP Address: 10.2.12.185
User-Name: KEYSTONEITCR-D
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A02C81900000AF62E0C789E
Acct Session ID: 0x00000BFC
Handle: 0xE6000AF6

Runnable methods list:
Method State
dot1x Authc Success
mab Not run

----------------------------------------
Interface: FastEthernet3/0/4
MAC Address: 001d.7060.b031
IP Address: Unknown
User-Name: 001d7060b031
Status: Authz Failed
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A02C81900000AF52E0C3B9A
Acct Session ID: 0x00000BFB
Handle: 0xA8000AF5

Runnable methods list:
Method State
dot1x Failed over
mab Failed over

 

Here's what the switch config looks like:

aaa group server radius JC-ISE
server 10.1.74.1 auth-port 1812 acct-port 1813
ip radius source-interface Vlan200
!
aaa authentication login default group ISE local
aaa authentication login CONSOLE local
aaa authentication dot1x default group JC-ISE
aaa authorization network default group JC-ISE
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group JC-ISE
!
!
!
aaa session-id common
!
dot1x system-auth-control

radius-server host 10.1.74.1 auth-port 1812 acct-port 1813 key blablabla
radius-server vsa send accounting
radius-server vsa send authentication


interface FastEthernet3/0/4
switchport access vlan 212
switchport mode access
switchport voice vlan 312
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
no logging event link-status
no logging event power-inline-status
srr-queue bandwidth share 10 10 60 20
priority-queue out
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
mls qos trust device cisco-phone
mls qos trust cos
snmp trap mac-notification change added
snmp trap mac-notification change removed
auto qos voip cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
ip dhcp snooping limit rate 10
end

 

Attached are a few screenshots and a .txt file with all the attribute output for the 7945.

Any help would be much appreciated!
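The switch log in the post above tells the whole story in the %AUTHMGR lines: dot1x times out with 'no-response', the port fails over to MAB, the RADIUS server answers MAB with a reject, and the phone ends up with "Authorization failed". The script below is an added example (not code from this thread or from Cisco) that groups those lines per interface and MAC and turns the method sequence into a short diagnosis code; the sample log is constructed to mirror the posted one with anonymised MACs, and the regexes, function names and codes are my own.

```python
"""Reconstruct per-client 802.1X/MAB outcomes from IOS %AUTHMGR syslog lines."""
import re
from collections import defaultdict

# Constructed sample, modelled on the switch log in the original post (MACs anonymised).
SAMPLE_LOG = """\
Dec 12 15:58:15.684: %AUTHMGR-5-START: Starting 'dot1x' for client (0000.1111.2222) on Interface Fa3/0/4
Dec 12 15:58:16.883: %AUTHMGR-5-START: Starting 'dot1x' for client (aaaa.bbbb.cccc) on Interface Fa3/0/4
Dec 12 15:58:18.846: %DOT1X-5-SUCCESS: Authentication successful for client (aaaa.bbbb.cccc) on Interface Fa3/0/4
Dec 12 15:58:18.846: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (aaaa.bbbb.cccc) on Interface Fa3/0/4
Dec 12 15:58:19.593: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (aaaa.bbbb.cccc) on Interface Fa3/0/4
Dec 12 15:58:30.146: %DOT1X-5-FAIL: Authentication failed for client (0000.1111.2222) on Interface Fa3/0/4
Dec 12 15:58:30.146: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0000.1111.2222) on Interface Fa3/0/4
Dec 12 15:58:30.146: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0000.1111.2222) on Interface Fa3/0/4
Dec 12 15:58:30.146: %AUTHMGR-5-START: Starting 'mab' for client (0000.1111.2222) on Interface Fa3/0/4
Dec 12 15:58:30.146: %MAB-5-FAIL: Authentication failed for client (0000.1111.2222) on Interface Fa3/0/4
Dec 12 15:58:30.154: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (0000.1111.2222) on Interface Fa3/0/4
Dec 12 15:58:30.154: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0000.1111.2222) on Interface Fa3/0/4
Dec 12 15:58:30.154: %AUTHMGR-5-FAIL: Authorization failed for client (0000.1111.2222) on Interface Fa3/0/4
"""

# Common tail of every AUTHMGR message: the client MAC and the interface.
CLIENT = r"for client \((?P<mac>[^)]+)\) on Interface (?P<intf>\S+)"
RESULT_RE = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>[^']+)' from '(?P<method>\w+)' " + CLIENT)
AUTHZ_RE = re.compile(r"%AUTHMGR-5-(?P<outcome>SUCCESS|FAIL): Authorization \w+ " + CLIENT)
EXHAUST_RE = re.compile(r"%AUTHMGR-7-NOMOREMETHODS: .* " + CLIENT)


def summarise(log_text):
    """Group AUTHMGR events by (interface, MAC); record each method's result and the final authz."""
    sessions = defaultdict(lambda: {"methods": [], "authz": None, "exhausted": False})
    for line in log_text.splitlines():
        if (m := RESULT_RE.search(line)):
            sessions[(m["intf"], m["mac"])]["methods"].append((m["method"], m["result"]))
        elif (m := AUTHZ_RE.search(line)):
            sessions[(m["intf"], m["mac"])]["authz"] = m["outcome"].lower()
        elif (m := EXHAUST_RE.search(line)):
            sessions[(m["intf"], m["mac"])]["exhausted"] = True
    return dict(sessions)


def diagnose(session):
    """Map a session's method sequence to a short code an operator can act on (codes are my own)."""
    results = dict(session["methods"])
    if session["authz"] == "success":
        return "AUTHORIZED"
    if results.get("dot1x") == "fail":
        return "DOT1X_REJECTED"        # a supplicant answered and the RADIUS server rejected it
    if results.get("dot1x") == "no-response":
        if results.get("mab") == "fail":
            # The MAC reached the RADIUS server via MAB and was rejected: no authorization
            # rule permitted it. This is the thread's "Default -> Deny Access" outcome.
            return "MAB_REJECTED"
        if "mab" not in results:
            return "MAB_NOT_RUN"       # no failover to MAB at all; check 'mab' on the port
    return "UNKNOWN"


if __name__ == "__main__":
    for (intf, mac), s in summarise(SAMPLE_LOG).items():
        print(f"{intf} {mac}: {diagnose(s)}  methods={s['methods']}")
```

Run against a syslog export, the MAB_REJECTED sessions are the ones to look up in ISE Live Logs: the switch did its part, and the decision not to authorize was made server-side.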

Accepted Solution

This issue is resolved. Appears that port-security is not compatible with ISE. Once we stripped the port-security commands from the ports the phones authenticated fine.
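The accepted solution comes down to one configuration combination on the access port: port-security alongside "authentication port-control auto". Below is an added example (not the poster's code and not part of the thread) that scans an IOS running-config for exactly that, and for a second issue visible in the config posted above, where the login method list references "group ISE" while the only server group defined is JC-ISE. The sample config is constructed to mirror the posted one (with a second, clean port added for contrast); the parser, check names and the `lint` function are my own.

```python
"""Lint an IOS running-config excerpt for settings that undermine an 802.1X/MAB rollout."""
import re

# Constructed sample, modelled on the switch config posted in the thread.
SAMPLE_CONFIG = """\
aaa group server radius JC-ISE
 server 10.1.74.1 auth-port 1812 acct-port 1813
!
aaa authentication login default group ISE local
aaa authentication dot1x default group JC-ISE
aaa authorization network default group JC-ISE
aaa accounting dot1x default start-stop group JC-ISE
!
dot1x system-auth-control
!
interface FastEthernet3/0/4
 switchport access vlan 212
 switchport voice vlan 312
 switchport port-security maximum 3
 switchport port-security
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet3/0/5
 switchport access vlan 212
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
end
"""


def parse_config(config_text):
    """Split an IOS config into global lines and {interface: [sub-commands]} using indentation."""
    global_lines, interfaces, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # '!' terminates a configuration block
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def ports_mixing_port_security_and_dot1x(interfaces):
    """Ports where port-security is configured on the same interface as 802.1X/MAB port control."""
    return sorted(
        name for name, cmds in interfaces.items()
        if any(c.startswith("authentication port-control auto") for c in cmds)
        and any(c.startswith("switchport port-security") for c in cmds)
    )


GROUP_DEF_RE = re.compile(r"^aaa group server (?:radius|tacacs\+) (\S+)$")
GROUP_REF_RE = re.compile(r"\bgroup (\S+)")


def undefined_server_groups(global_lines):
    """aaa method lists that name a server group the config never defines."""
    defined = {"radius", "tacacs+"}          # built-in group keywords need no definition
    defined.update(m.group(1) for l in global_lines if (m := GROUP_DEF_RE.match(l)))
    return [
        (line, name)
        for line in global_lines
        if line.startswith("aaa ") and not line.startswith("aaa group ")
        for name in GROUP_REF_RE.findall(line)
        if name not in defined
    ]


def lint(config_text):
    """Run both checks and return the findings keyed by check name."""
    global_lines, interfaces = parse_config(config_text)
    return {
        "port_security_with_dot1x": ports_mixing_port_security_and_dot1x(interfaces),
        "undefined_server_groups": undefined_server_groups(global_lines),
    }


if __name__ == "__main__":
    for check, findings in lint(SAMPLE_CONFIG).items():
        print(f"{check}: {findings or 'clean'}")
```

Feed it the output of "show running-config" from each access switch before cutting a floor over to ISE; an empty result for both checks is what you want to see.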


10 Replies

Surendra
Cisco Employee
Please do not post sensitive information like MAC Address on this forum.

From the auth fail log you shared, I still see the profile to be Cisco-Device. If you have suppression for failed authentications (Administration > System > Settings > Protocols > RADIUS) enabled, please disable it for a little while and then try to unplug/plug the cable on the switch port.

Surendra,

 

I've made the change. The phone is actually connected and authorized now. Seems like I just needed to take a lunch break. I'll bounce the port though, just to see what happens.

 

::EDIT::

Phone is failing again after the port bounce.

 

Dec 12 18:20:44.257: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (xxxx.yyyy.zzzz) on Interface Fa3/0/4
Dec 12 18:20:44.257: %AUTHMGR-5-START: Starting 'mab' for client (xxxx.yyyy.zzzz) on Interface Fa3/0/4
Dec 12 18:20:44.274: %MAB-5-FAIL: Authentication failed for client (xxxx.yyyy.zzzz) on Interface Fa3/0/4
Dec 12 18:20:44.274: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (xxxx.yyyy.zzzz) on Interface Fa3/0/4
Dec 12 18:20:44.274: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (xxxx.yyyy.zzzz) on Interface Fa3/0/4
Dec 12 18:20:44.274: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (xxxx.yyyy.zzzz) on Interface Fa3/0/4
Dec 12 18:20:44.274: %AUTHMGR-5-FAIL: Authorization failed for client (xxxx.yyyy.zzzz) on Interface Fa3/0/4

 

 

Previous session info:


----------------------------------------
Interface: FastEthernet3/0/4
MAC Address: xxxx.yyyy.zzzz
IP Address: 10.2.112.254
User-Name: 00-1D-70-60-B0-31
Status: Authz Success
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A02C81900000AF72E1E2D2F
Acct Session ID: 0x00000BFE
Handle: 0x5E000AF7

Runnable methods list:
Method State
dot1x Failed over
mab Authc Success

 

After the port bounce:

Interface: FastEthernet3/0/4
MAC Address: xxxx.yyyy.zzzz
IP Address: Unknown
User-Name: UNRESPONSIVE
Status: Authz Failed
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A02C81900000AFA2E8D158B
Acct Session ID: 0x00000C06
Handle: 0x29000AFA

Runnable methods list:
Method State
dot1x Failed over
mab Failed over

8800 series phones get profiled properly, but it appears that 7945G (which are 90% of our usage) are only profiled as "Cisco-Device", and do not continue the process of being profiled as phones.

It seems like ISE isn’t getting enough information to profile your phones. You might want to check the device sensor configuration on the switches.

Here is a detailed document: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200292-Configure-Device-Sensor-for-ISE-Profilin.html

fdharmawan
Level 4

Hi David,

 

Which Cisco switch do you use? Did you add the phone MAC address to the MAB list?

 

Thanks.

Hi, what switch version do you use?

As I see it, there is a missing command:

aaa server radius dynamic-author
 client x.x.x.x server-key xxxxx

And one more thing, but I wrote this on my mobile phone and I will answer you in 30 min.

As Surendra pointed out, the profiling process is happening. The issue now appears to be that the 7945G models get profiled as "Cisco-Device" instead of "Cisco_IP_Phone". In comparison, the few 8800 models that we have get profiled correctly. 

3750 v2

 

No to adding the MACs. With over 500 phones, we purchased plus licenses for profiling of the phones.

This is my switch and it works as expected: WS-C3750-48P, 12.2(55)SE12, C3750-IPSERVICESK9-M

aaa authentication dot1x default group radius

aaa authorization network default group radius
aaa authorization network auth-list group radius
aaa authorization auth-proxy default group radius
aaa authorization configuration default group radius
aaa accounting update newinfo periodic 2880
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius

 

aaa server radius dynamic-author
 client x.x.x.x server-key 7 xxxxxxxxx
 client x.x.x.x server-key 7 xxxxxxxxx
 auth-type any

 

radius-server dead-criteria time 10 tries 3
radius-server host x.x.x.x auth-port 1812 acct-port 1813 test username RADIUS-TEST ignore-acct-port idle-time 10
radius-server host x.x.x.x auth-port 1812 acct-port 1813 test username RADIUS-TEST ignore-acct-port idle-time 10
radius-server deadtime 15
radius-server key 7 xxxxxxxxxx
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication

 

 

This is working for me, and for device profiling I suggest you enable the helper address:

interface Vlan570
 ip address 10.182.76.11 255.255.255.224
 ip helper-address x.x.x.x (ISE IP ADDRESS)

