cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8426
Views
30
Helpful
24
Replies

ISE is Profiling an IP Phone Incorrectly?

Matthew Martin
Level 5
Level 5

Hello All,

Cisco ISE: v2.0.0.306
Switch: 3560
IP Phone: 7941G

I have had many other 7941G IP Phones connected to this switch, which have all profiled/authenticated correctly.

The only difference between those phones and this one, is that this phone has not been powered on in probably a few years (*long before ISE was setup).

So I plugged the phone into the switch and after the phone powers-up its stuck on "Configuring IP". The "show auth session" command shows it attempting to auth with dot1x, which would fail as expected. However, it should pass the MAB auth, since its an IP Phone. But, the phone fails MAB authentication as well. And looking on the ISE Server's Radius LiveLog I can see the IP Phone is getting Profiled as "Cisco-Device" instead of "Cisco-IP-Phone-7941".

Also, I'm seeing something I've never seen before, as far as I can remember. Looking at the mac address-table, the phone is showing "Drop" under where the port should be. Does that have to do with it failing authentication?

Vlan    Mac Address       Type        Ports
----    -----------       -------     -----
 114    fcfb.fbcb.5eca    DYNAMIC     Drop

*Also, Vlan 114 shown above is the DATA Vlan. Voice Vlan is 124...


If I check the CDP on that port (*last device listed below), it is showing the device correctly, so I'm not sure what the problem is.

JWP-3560sw1-SP#show cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, 
                  D - Remote, C - CVTA, M - Two-port Mac Relay 

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
ISR4321          Fas 0/2           135             R S I  ISR4321/K Gig 0/0/0
4510R-HQ         Fas 0/1           164             R S I  WS-C4510R Gig 9/22
VG202XM-MRM      Fas 0/3           152              R B   VG202XM   Fas 0/0
SEPFCFBFBCB5ECA  Fas 0/25          125             H P M  IP Phone  Port 1


The IP Phone is plugged into Fa0/25, which you can see in the CDP above...

Any idea what could be the problem here?

Thanks in Advance,
Matt

24 Replies 24

Dinesh Moudgil
Cisco Employee
Cisco Employee

Hi Matt,


Can you please share te snippet of authentication and authorization policies?
Also share port configuration for f0/25


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hey Dinesh, thanks for the reply!


Here is the Port Configuration:

3560sw1-SP#show run int Fa0/25
Building configuration...

Current configuration : 671 bytes
!
interface FastEthernet0/25
 switchport access vlan 114
 switchport mode access
 switchport voice vlan 124
 authentication event fail action next-method
 authentication event server dead action authorize vlan 114
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

Sorry, I wasn't 100% sure what you wanted to see from the ISE Server. Did you want to see the Policies configured in Policy > Policy Sets. Or the Authorization and Authentication profiles under Policy > Policy Elements > Results > Authorization/Authentication..?

I also attached a screenshot from Radius LiveLog that shows a good IP Phone that I plugged into Fa0/25 today, and then right below it, it's showing the IP Phone that's not getting profiled correctly from yesterday.

Thanks again for the reply, much appreciated!

Thanks,
Matt

Hello

looks like the phone isn't being profiled beyond being a cisco-device

cisco-device -> cisco-ip-phone -> cisco-ip-phone-7941

For the phone to be profiled as a cisco-ip-phone, ISE must receive CDP/LLDP and/or DHCP attributes. What probes are enabled on ISE and is your switch configured to send the required information?

e,g,

ISE RADIUS probe - is your switch configured to send logs (udp 20514) to your ISE MnT nodes(s)
ISE SNMP probe - is your switch/ISE configured ok for traps/queries
ISE DHCP probe - is ISE configured as a helper-address

hth
Andy

ps if you delete an already profiled 7941 phone from ISE, is it successfully re-profiled when connected to your switch?

Hi Andrew, thanks for the reply.

I just plugged in another, new IP Phone (*this phone has never been plugged into our network) into this same switch and got the same result. I then took that same phone and plugged it into our core switch (*4510R+E) where ISE is directly connected to, and at first, it failed to authenticate. But, after I went back to check it out a little while later, it was registered to the CallManager, so it did authenticate.

3560 Switch - Relevant Configuration:

!
aaa authentication dot1x default group radius
aaa authorization network default group radius 
aaa authorization auth-proxy default group radius 
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
!
aaa server radius dynamic-author
 client 192.168.2.49 server-key 7 xxxxxxxxxxxxxx
 client 10.50.10.49 server-key 7 xxxxxxxxxxxxxx
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
authentication mac-move permit
ip routing
!
!........CUT........
ip dhcp smart-relay
!
!
ip dhcp snooping vlan 114,124
no ip dhcp snooping information option
ip dhcp snooping
ip device tracking
!
epm logging
!
!
dot1x system-auth-control
!
!........CUT........
!
interface FastEthernet0/25
 switchport access vlan 114
 switchport mode access
 switchport voice vlan 124
 authentication event fail action next-method
 authentication event server dead action authorize vlan 114
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
!........CUT........
!
snmp-server group admins v3 priv 
snmp-server group admins v3 priv context vlan-114 
snmp-server group admins v3 priv context vlan-124 
snmp-server community <community> RO
snmp-server trap-source Vlan1
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 192.168.2.49 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxx
radius-server host 10.50.10.49 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
!
!........CUT........
!
mac address-table notification change
mac address-table notification mac-move
!


The DHCP Pool for the Voice network is located on the Core switch that this 3560 is connected to. But, I just checked out that Pool and I don't see any helper-addresses configured in there. Should I add the 2 ISE Servers in that DHCP Pool?

Here is the DHCP Pool from 4510R+E for Voice VLAN:

!
ip dhcp pool USEPHONES124
 network 10.60.124.0 255.255.255.0
 default-router 10.60.124.1 				--> int Vlan124
 option 150 ip 192.168.11.9 192.168.11.8 10.50.2.9 	--> CallManagers
 dns-server 192.168.5.35 10.50.1.3 			--> DNS Servers
!

The only place on the 4510 where I see the ISE Server as a helper-address is on the interface Vlan for the user workstation Vlan (*i.e. vlan114).

I'm also attaching a screenshot from the ISE server for the 3560 switch's SNMP settings under Network Devices, for that switch. Also, I have the snmp trap commands configured under each interface that's configured for authentication.

The show cdp commands seem to be working fine on the switch. Where can I check on ISE for what Probes are configured?

Thanks,
Matt

Hi Matt


To check what probes you have enabled - go to Administration > System > Deployment and select your PSN and click the Profiling Configuration tab (check both of your PSNs)

Switch configuration for the RADIUS probe (I assume you have the ISE MnT persona seperate from the PSNs):

logging monitor informational
logging origin-id ip
logging host <ISE-MnT-NODE-IP> transport udp port 20514

Switch configuration for the SNMP TRAP probe:

snmp-server enable traps snmp linkdown linkup
snmp-server host 10.50.10.49 version 3 priv netAdmin mac-notification snmp
snmp-server host 192.168.2.49 version 3 priv netAdmin mac-notification snmp

hth
Andy

Hey Andy, thanks again for the reply.

I attached a screenshot of all the Profiling probes configured on that Profiling Configuration page.

Sorry, does MnT stand for Monitoring Node and PSN stand for Primary Service Node? If so, I wasn't really sure what you meant by:

"(I assume you have the ISE MnT persona seperate from the PSNs)"


As for the switch configuration commands. Would I put those commands on any switch configured to authenticate connected clients through the ISE server?
If so, after those commands are added to each switch, does anything need to be tweaked under that Network Device's configuration page (*i.e. Administration > Network Resources > Network Devices)..?

Thanks Again,
Matt

Hi Matt

ISE has 3 personas - PAN (Policy Administration Node), PSN (Policy Services Node) and MnT (Monitoring and Troubleshooting). An ISE node can be all 3 but these personas are usually "split" between different nodes depending on the deployment. All the nodes in the deployment (and their persona(s)) can be be viewed from Administration > System > Deployment.

Yes, put these commands on switches where you wish to profile/authenticate devices - check that you have the correct snmp credentials (the sames snmp credentials used on your switch) configured under Administration > Network Resources > Network Devices. Your switch snmp may have an ACL applied - run the command "show snmp user" on the switch to see if this is the case. If so, ensure your PSNs are permitted on the ACL.

hth
Andy

Oh ok, thanks for the explanation. Much appreciated!

We only have the 2 ISE Servers. One in our HQ (*primary) and the failover node is in our DR location (*secondary). I attached screenshot of the Node's deployment configuration.

Switch Config Commands:
I came across the following switch configuration commands at the link below, from the ISE Admin Guide, and was wondering which of these commands SHOULD be added to the switches?

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010100.html?bookSearch=true#ID713

In the section from the URL above, it lists the following commands, some of which are already configured/enabled on our switches:

# cdp enable                                            --> *ENABLED*
# lldp run

# aaa new-model                                         --> *ENABLED*
# aaa accounting dot1x default start-stop group radius  --> *ENABLED*
# radius-server host <ip> auth-port <port> acct-port <port> key <shared-secret> --> *SEE BELOW* # radius-server vsa send accounting --> *SEE BELOW*
# device-sensor accounting
# no device-sensor accounting

# device-sensor notify all-changes
# no macro auto monitor

I marked the commands already enabled on the Switch with "--> *ENABLED*". Also, I had questions specifically about the one's labeled with "--> *SEE BELOW*"...


Question about the "radius-server host ..." command above:

On the 4510R+E (*core switch), which was configured with help from a contractor, I was instructed to add the commands below. However, it does not include the ports portion of the command like the guide(s) do. Should I edit that command to include the "auth-port" and "acct-port" options?

radius-server host 192.168.2.49 key 7 xxxxxxxxxxxxxxxxxx
radius-server host 10.50.10.49 key 7 yyyyyyyyyyyyyyyyyy

I was wondering why he wouldn't have included the ports in there, and if I should add them myself? And, if I should use the ports, how do I know which ports to use, since some of the guides seem to use different ports? Also, you may have noticed I included the auth-ports and acct-ports on the commands I configured in the 3560. But, looking at them again, I'm not sure where I got those ports I used..?

I configured the 3560 using the Cisco TrustSec How-To Guide: Global Switch Configuration guide. As well as Chapter 33 from the ISE v2.0 Admin Guide (*Ch 33. Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions)

The contractor who helped us configure ISE and the 4510 switch, also did not include either of the "radius-server vsa send [accounting/authentication]" commands.

Should all these commands be enabled? I wasn't sure if adding too many of these commands could cause issues, like overloading the 4510 switch?

If it would make it easier, I can add another post and include in it all the commands that are found in those guides, which ARE NOT in my 4510 switch... Would that make this a bit easier? And then you could confirm if I need them or not?

Thanks AGAIN, much appreciated!
Matt

Hi Matt

ISE nodes will listen on udp 1812/1813 and 1645/1646 for RADIUS auth/acct. As your switch RADIUS configuration is working I'd leave that for now - different ios versions will have different commands as well.

As for "radius-server vsa send " commands - yes enable these (see below blogs/guides for more details).

I wouldn't over complicate your configuration at this stage - RADIUS authentication is working ok so get profiling working and build from there

hth
Andy

Demystifying RADIUS
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html

Switch configuration for ISE
https://communities.cisco.com/docs/DOC-68171

Switch configuration for ISE
http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x

Hey, thanks again Andy!

Ok, I'm just wanting to make sure I have all of the necessary commands enabled on the switches that should be enabled.

It seems like the 4510 was configured with the minimum to get ISE authentication working. I just want to be sure we have all those profiling commands enabled, that need to be enabled. We do experience some weird issues fairly frequently while we were in production mode for ISE authentication, so maybe some of these missing commands would help...

Couple of things I noticed in my config compared to the guides.

1. The "radius-server host" Command on 4510:

### I HAVE:
radius-server host 192.168.2.49 key 7 xxxxxxxxxxxxxxxx
radius-server host 10.50.10.49 key 7 yyyyyyyyyyyyyyyy

### Some Guides Include auth-port/acct-port/a username/key, like:
radius-server host 192.168.2.49 auth-port 1812 acct-port 1813 test username <username> key 7 xxxxxxxxxxxxxxxx

So with that "radius-server host ..." command, how does my command differ? What does including those other options do, that the one I have won't do (*i.e. including the auth/acct-ports, a username and a key)? Is there any benefit to including those extra options?

2. Helper-Address Question: When this post first started I was asked if I had the ISE Servers as helper-addresses in the dhcp pools. But, in all those guides, the only time I see ISE as the helper-address is in the Interface Vlan configuration. And, even with that, it's only used in Access Vlan and not the Voice Vlan. So should ISE be added to as a helper-address in the Voice Vlan, and/or in the DHCP Pools as well?

I also have a couple of other questions. But, I'll wait for your reply on this one first.

Thanks Again,
Matt

Hi Matt

1
If you don't sepcify auth-port and acct-port the default values are 1645/1646. The key is the RADIUS secret shared with ISE - username is for periodic testing of RADIUS from the switch (i think the default username is test - you may see this in your ISE logs). It doesn't matter if this test username fails - as long as the switch receives a reply (reject or accept) from RADIUS it know the server is up. If the switch doesn't receive a reply it will mark the RADIUS server as down.

Configuring RADIUS has changed with later versions of IOS - see the link I posted earlier about demystiying RADIUS.

2
You should use the ISE probes you require to successfully profile. Your phone can be profiled successfully by ISE without it (using cdp/lldp attributes from an snmp query). Some devices may require profile using dhcp attributes like class-identifier - in that case the DHCP probe is required. You don't want to overload ISE by using probes that aren't required for particular devices.

hth
Andy

*Question #1 Follow-up:
So basically, with the command I have on the 4510. It's going to automatically use the auth and acct ports as 1645/1646 as default values (*unless specified otherwise). And the "key" in that command just has to match the Shared Secret configured under the "RADIUS Authentication Settings" section of the Network Access Device's config on the ISE Server...

I will check out that link you had posted... Thanks!

2 other questions.

1. SNMP Question: On the 3560 switch, I have these commands below in each of the Interfaces where a client will auth through ISE:

(config-if)# snmp trap mac-notification change added
(config-if)# snmp trap mac-notification change removed

I then came across the following Global Config commands in the TrustSec: Switch Config Guide I mentioned in an earlier post:

### Enable SNMP Traps for mac-notification for change/move/threshold:
(config)# snmp-server enable traps mac-notification change move threshold
### Configure ISE as Hosts to receive the snmp mac-notification traps: (config)# snmp-server host <ise-ip-1> version 3 priv mac-notification snmp (config)# snmp-server host <ise-ip-2> version 3 priv mac-notification snmp

If I use these 3 commands (*above) under Global configuration mode on the switch, would that mean I don't need to include those 2 lines at the top in each of the interfaces?

2. Interface Access-List:
In the Switch Configuration section found in the Cisco ISE v2.0 Administrator Guide (*Chapter 33). It states:

"An ACL must be configured to prepend dACLs from AAA server."

(config-if)# ip access-group ACL-ALLOW in

I attached the full snippet from this document, and it does mention that prior to IOS 12.2(55)SE this ACL was required to allow dACLs to be pushed to the client from the ISE Server, without it, dACLs would be ignored. And, after that version a default ACL is applied. So in this case, on versions after that IOS version, does the ACL "ACL-DEFAULT" get applied to the interfaces automatically, if it exists..?
Sorry, this section was a little confusing since it just says a default ACL will be automatically created and applied, so what is the default ACL...?

Thanks again for the explanations, much appreciated!

Thanks Again,
Matt

Hi Matt

1
You will need the "snmp trap mac-notification change" commands under the interfaces as well as the global commands

2
See link below - from your interface configuration you are using open mode without a static acl:

If there is no static ACL on a port in  open authentication mode:
• An auth-default-ACL-OPEN is created and allows all traffic.
• Policies are enforced with IP address insertion to prevent security breaches.
• Web authentication is subject to the auth-default-ACL-OPEN.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/sw8021x.html

hth
Andy

Wow really... That seems silly to need that on every interface, instead of just being able to enable it globally.. But oh well, thanks for the info!

As for #2... My User-Workstation/Client interface configurations don't currently have "authentication open" enabled on them. We did in the beginning when we first put this in place for testing, so we would have full visibility of the devices on each interface. But, we don't have that on the interfaces anymore. Sorry if that's not the command you were referring to...
If "authentication open" was the command you were referring to (*for open authentication mode), then it sounds like the default ACL that gets created (*when "auth open" is on the interface) is just a permit all. Otherwise, without that auth open command, its a deny all?

Sorry if I'm misunderstanding that one...

Below are the last 2 question that I have for now...

#1. Enabling DHCP Snooping?

Should I be enabling "ip dhcp snooping" on the 4510 core-switch, does it help with profiling? I enabled snooping on the 3560 switch because that is a switch that only we use in the IT department, so I'm not worried about testing stuff on that switch. But, wasn't sure if I should enable it on the 4510..?
Since we have the DHCP probe enabled under Administration > System > Deployment > ISE Server > Profiling Configuration. Is that Probe not necessarily doing anything unless dhcp snooping is enabled on the switch?
If this is something that I should enable (*i.e. the Commands "ip dhcp snooping" and "ip dhcp snooping <vlanX>-,<vlanY>), I read that you should also be using the interface command "ip dhcp snooping trust" on the interface facing the ISE server. Is this true? I ask because in the Switch config guides, they all seem to use the 2 snooping commands, but not the "... trust" command. So I wasn't sure the purpose of this command if the guides aren't showing being used.
And also, it looks like "ip device tracking", which is shown in the same section of the guide as the snooping cmds, is a default command. So it won't actually be shown in the config unless you disable it with the no ip device tracking command... From what I can tell.



#2. Deprecated "radius-server host ..." Command:

According to the Demystifying Radius Server Configurations link in your post, the command below is now deprecated:

radius-server host <ise-server-ip> auth-port <port> acct-port <port> key ......etc......

And instead, you should now use the command:

radius server <NAME>
 address <ipv4-address> auth-port <port> acct-port <port> ...etc...
key 7 xxxxxxxxxxxxxxxxxxx

So if I want to change the 4500 Switch to the newer, non-deprecated version of that command (*because we plan on upgrading the IOS soon anyway) do I need to remove the existing "radius-server host ..." commands before I can add the new version of that cmd, or will it automatically remove it for me when the new one is added? Also, should that be done after-hours? I wasn't sure if I remove the old one and add the new command, if all the connected clients would need to re-authenticate, or something along those lines.?


Sorry for all the questions.... But, this is really helping me, so thanks!

Thanks AGAIN,
Matt