06-01-2017 11:49 AM - edited 03-11-2019 12:45 AM
Hello All,
Cisco ISE: v2.0.0.306
Switch: 3560
IP Phone: 7941G
I have had many other 7941G IP Phones connected to this switch, which have all profiled/authenticated correctly.
The only difference between those phones and this one, is that this phone has not been powered on in probably a few years (*long before ISE was setup).
So I plugged the phone into the switch and after the phone powers-up its stuck on "Configuring IP". The "show auth session" command shows it attempting to auth with dot1x, which would fail as expected. However, it should pass the MAB auth, since its an IP Phone. But, the phone fails MAB authentication as well. And looking on the ISE Server's Radius LiveLog I can see the IP Phone is getting Profiled as "Cisco-Device" instead of "Cisco-IP-Phone-7941".
Also, I'm seeing something I've never seen before, as far as I can remember. Looking at the mac address-table, the phone is showing "Drop" under where the port should be. Does that have to do with it failing authentication?
Vlan Mac Address Type Ports
---- ----------- ------- -----
114 fcfb.fbcb.5eca DYNAMIC Drop
*Also, Vlan 114 shown above is the DATA Vlan. Voice Vlan is 124...
If I check the CDP on that port (*last device listed below), it is showing the device correctly, so I'm not sure what the problem is.
JWP-3560sw1-SP#show cdp nei Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, D - Remote, C - CVTA, M - Two-port Mac Relay Device ID Local Intrfce Holdtme Capability Platform Port ID ISR4321 Fas 0/2 135 R S I ISR4321/K Gig 0/0/0 4510R-HQ Fas 0/1 164 R S I WS-C4510R Gig 9/22 VG202XM-MRM Fas 0/3 152 R B VG202XM Fas 0/0 SEPFCFBFBCB5ECA Fas 0/25 125 H P M IP Phone Port 1
The IP Phone is plugged into Fa0/25, which you can see in the CDP above...
Any idea what could be the problem here?
Thanks in Advance,
Matt
06-01-2017 05:23 PM
Hi Matt,
Can you please share te snippet of authentication and authorization policies?
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
06-02-2017 09:12 AM
Hey Dinesh, thanks for the reply!
Here is the Port Configuration:
3560sw1-SP#show run int Fa0/25 Building configuration... Current configuration : 671 bytes ! interface FastEthernet0/25 switchport access vlan 114 switchport mode access switchport voice vlan 124 authentication event fail action next-method authentication event server dead action authorize vlan 114 authentication event server dead action authorize voice authentication event server alive action reinitialize authentication host-mode multi-auth authentication order dot1x mab authentication priority dot1x mab authentication port-control auto authentication violation restrict mab snmp trap mac-notification change added snmp trap mac-notification change removed dot1x pae authenticator dot1x timeout tx-period 10 spanning-tree portfast end
Sorry, I wasn't 100% sure what you wanted to see from the ISE Server. Did you want to see the Policies configured in Policy > Policy Sets. Or the Authorization and Authentication profiles under Policy > Policy Elements > Results > Authorization/Authentication..?
I also attached a screenshot from Radius LiveLog that shows a good IP Phone that I plugged into Fa0/25 today, and then right below it, it's showing the IP Phone that's not getting profiled correctly from yesterday.
Thanks again for the reply, much appreciated!
Thanks,
Matt
06-03-2017 06:07 AM
Hello
looks like the phone isn't being profiled beyond being a cisco-device
cisco-device -> cisco-ip-phone -> cisco-ip-phone-7941
For the phone to be profiled as a cisco-ip-phone, ISE must receive CDP/LLDP and/or DHCP attributes. What probes are enabled on ISE and is your switch configured to send the required information?
e,g,
ISE RADIUS probe - is your switch configured to send logs (udp 20514) to your ISE MnT nodes(s)
ISE SNMP probe - is your switch/ISE configured ok for traps/queries
ISE DHCP probe - is ISE configured as a helper-address
hth
Andy
ps if you delete an already profiled 7941 phone from ISE, is it successfully re-profiled when connected to your switch?
06-05-2017 02:44 PM
Hi Andrew, thanks for the reply.
I just plugged in another, new IP Phone (*this phone has never been plugged into our network) into this same switch and got the same result. I then took that same phone and plugged it into our core switch (*4510R+E) where ISE is directly connected to, and at first, it failed to authenticate. But, after I went back to check it out a little while later, it was registered to the CallManager, so it did authenticate.
3560 Switch - Relevant Configuration:
! aaa authentication dot1x default group radius aaa authorization network default group radius aaa authorization auth-proxy default group radius aaa accounting update periodic 5 aaa accounting dot1x default start-stop group radius aaa accounting system default start-stop group radius ! ! aaa server radius dynamic-author client 192.168.2.49 server-key 7 xxxxxxxxxxxxxx client 10.50.10.49 server-key 7 xxxxxxxxxxxxxx ! aaa session-id common clock timezone EST -5 clock summer-time EDT recurring system mtu routing 1500 authentication mac-move permit ip routing ! !........CUT........ ip dhcp smart-relay ! ! ip dhcp snooping vlan 114,124 no ip dhcp snooping information option ip dhcp snooping ip device tracking ! epm logging ! ! dot1x system-auth-control ! !........CUT........ ! interface FastEthernet0/25 switchport access vlan 114 switchport mode access switchport voice vlan 124 authentication event fail action next-method authentication event server dead action authorize vlan 114 authentication event server dead action authorize voice authentication event server alive action reinitialize authentication host-mode multi-auth authentication order dot1x mab authentication priority dot1x mab authentication port-control auto authentication violation restrict mab snmp trap mac-notification change added snmp trap mac-notification change removed dot1x pae authenticator dot1x timeout tx-period 10 spanning-tree portfast ! !........CUT........ ! snmp-server group admins v3 priv snmp-server group admins v3 priv context vlan-114 snmp-server group admins v3 priv context vlan-124 snmp-server community <community> RO snmp-server trap-source Vlan1 radius-server attribute 6 on-for-login-auth radius-server attribute 8 include-in-access-req radius-server attribute 25 access-request include radius-server dead-criteria time 30 tries 3 radius-server host 192.168.2.49 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxx radius-server host 10.50.10.49 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxx radius-server vsa send accounting radius-server vsa send authentication ! !........CUT........ ! mac address-table notification change mac address-table notification mac-move !
The DHCP Pool for the Voice network is located on the Core switch that this 3560 is connected to. But, I just checked out that Pool and I don't see any helper-addresses configured in there. Should I add the 2 ISE Servers in that DHCP Pool?
Here is the DHCP Pool from 4510R+E for Voice VLAN:
! ip dhcp pool USEPHONES124 network 10.60.124.0 255.255.255.0 default-router 10.60.124.1 --> int Vlan124 option 150 ip 192.168.11.9 192.168.11.8 10.50.2.9 --> CallManagers dns-server 192.168.5.35 10.50.1.3 --> DNS Servers !
The only place on the 4510 where I see the ISE Server as a helper-address is on the interface Vlan for the user workstation Vlan (*i.e. vlan114).
I'm also attaching a screenshot from the ISE server for the 3560 switch's SNMP settings under Network Devices, for that switch. Also, I have the snmp trap commands configured under each interface that's configured for authentication.
The show cdp commands seem to be working fine on the switch. Where can I check on ISE for what Probes are configured?
Thanks,
Matt
06-05-2017 03:22 PM
Hi Matt
To check what probes you have enabled - go to Administration > System > Deployment and select your PSN and click the Profiling Configuration tab (check both of your PSNs)
Switch configuration for the RADIUS probe (I assume you have the ISE MnT persona seperate from the PSNs):
logging monitor informational
logging origin-id ip
logging host <ISE-MnT-NODE-IP> transport udp port 20514
Switch configuration for the SNMP TRAP probe:
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.50.10.49 version 3 priv netAdmin mac-notification snmp
snmp-server host 192.168.2.49 version 3 priv netAdmin mac-notification snmp
hth
Andy
06-06-2017 09:38 AM
Hey Andy, thanks again for the reply.
I attached a screenshot of all the Profiling probes configured on that Profiling Configuration page.
Sorry, does MnT stand for Monitoring Node and PSN stand for Primary Service Node? If so, I wasn't really sure what you meant by:
"(I assume you have the ISE MnT persona seperate from the PSNs)"
As for the switch configuration commands. Would I put those commands on any switch configured to authenticate connected clients through the ISE server?
If so, after those commands are added to each switch, does anything need to be tweaked under that Network Device's configuration page (*i.e. Administration > Network Resources > Network Devices)..?
Thanks Again,
Matt
06-06-2017 10:48 AM
Hi Matt
ISE has 3 personas - PAN (Policy Administration Node), PSN (Policy Services Node) and MnT (Monitoring and Troubleshooting). An ISE node can be all 3 but these personas are usually "split" between different nodes depending on the deployment. All the nodes in the deployment (and their persona(s)) can be be viewed from Administration > System > Deployment.
Yes, put these commands on switches where you wish to profile/authenticate devices - check that you have the correct snmp credentials (the sames snmp credentials used on your switch) configured under Administration > Network Resources > Network Devices. Your switch snmp may have an ACL applied - run the command "show snmp user" on the switch to see if this is the case. If so, ensure your PSNs are permitted on the ACL.
hth
Andy
06-06-2017 11:41 AM
Oh ok, thanks for the explanation. Much appreciated!
We only have the 2 ISE Servers. One in our HQ (*primary) and the failover node is in our DR location (*secondary). I attached screenshot of the Node's deployment configuration.
Switch Config Commands:
I came across the following switch configuration commands at the link below, from the ISE Admin Guide, and was wondering which of these commands SHOULD be added to the switches?
In the section from the URL above, it lists the following commands, some of which are already configured/enabled on our switches:
# cdp enable --> *ENABLED* # lldp run # aaa new-model --> *ENABLED* # aaa accounting dot1x default start-stop group radius --> *ENABLED*
# radius-server host <ip> auth-port <port> acct-port <port> key <shared-secret> --> *SEE BELOW* # radius-server vsa send accounting --> *SEE BELOW*
# device-sensor accounting
# no device-sensor accounting
# device-sensor notify all-changes
# no macro auto monitor
I marked the commands already enabled on the Switch with "--> *ENABLED*". Also, I had questions specifically about the one's labeled with "--> *SEE BELOW*"...
Question about the "radius-server host ..." command above:
On the 4510R+E (*core switch), which was configured with help from a contractor, I was instructed to add the commands below. However, it does not include the ports portion of the command like the guide(s) do. Should I edit that command to include the "auth-port" and "acct-port" options?
radius-server host 192.168.2.49 key 7 xxxxxxxxxxxxxxxxxx radius-server host 10.50.10.49 key 7 yyyyyyyyyyyyyyyyyy
I was wondering why he wouldn't have included the ports in there, and if I should add them myself? And, if I should use the ports, how do I know which ports to use, since some of the guides seem to use different ports? Also, you may have noticed I included the auth-ports and acct-ports on the commands I configured in the 3560. But, looking at them again, I'm not sure where I got those ports I used..?
I configured the 3560 using the Cisco TrustSec How-To Guide: Global Switch Configuration guide. As well as Chapter 33 from the ISE v2.0 Admin Guide (*Ch 33. Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions)
The contractor who helped us configure ISE and the 4510 switch, also did not include either of the "radius-server vsa send [accounting/authentication]" commands.
Should all these commands be enabled? I wasn't sure if adding too many of these commands could cause issues, like overloading the 4510 switch?
If it would make it easier, I can add another post and include in it all the commands that are found in those guides, which ARE NOT in my 4510 switch... Would that make this a bit easier? And then you could confirm if I need them or not?
Thanks AGAIN, much appreciated!
Matt
06-06-2017 12:33 PM
Hi Matt
ISE nodes will listen on udp 1812/1813 and 1645/1646 for RADIUS auth/acct. As your switch RADIUS configuration is working I'd leave that for now - different ios versions will have different commands as well.
As for "radius-server vsa send " commands - yes enable these (see below blogs/guides for more details).
I wouldn't over complicate your configuration at this stage - RADIUS authentication is working ok so get profiling working and build from there
hth
Andy
Demystifying RADIUS
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html
Switch configuration for ISE
https://communities.cisco.com/docs/DOC-68171
Switch configuration for ISE
http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x
06-07-2017 09:43 AM
Hey, thanks again Andy!
Ok, I'm just wanting to make sure I have all of the necessary commands enabled on the switches that should be enabled.
It seems like the 4510 was configured with the minimum to get ISE authentication working. I just want to be sure we have all those profiling commands enabled, that need to be enabled. We do experience some weird issues fairly frequently while we were in production mode for ISE authentication, so maybe some of these missing commands would help...
Couple of things I noticed in my config compared to the guides.
1. The "radius-server host" Command on 4510:
### I HAVE:
radius-server host 192.168.2.49 key 7 xxxxxxxxxxxxxxxx
radius-server host 10.50.10.49 key 7 yyyyyyyyyyyyyyyy
### Some Guides Include auth-port/acct-port/a username/key, like:
radius-server host 192.168.2.49 auth-port 1812 acct-port 1813 test username <username> key 7 xxxxxxxxxxxxxxxx
So with that "radius-server host ..." command, how does my command differ? What does including those other options do, that the one I have won't do (*i.e. including the auth/acct-ports, a username and a key)? Is there any benefit to including those extra options?
2. Helper-Address Question: When this post first started I was asked if I had the ISE Servers as helper-addresses in the dhcp pools. But, in all those guides, the only time I see ISE as the helper-address is in the Interface Vlan configuration. And, even with that, it's only used in Access Vlan and not the Voice Vlan. So should ISE be added to as a helper-address in the Voice Vlan, and/or in the DHCP Pools as well?
I also have a couple of other questions. But, I'll wait for your reply on this one first.
Thanks Again,
Matt
06-07-2017 11:13 AM
Hi Matt
1
If you don't sepcify auth-port and acct-port the default values are 1645/1646. The key is the RADIUS secret shared with ISE - username is for periodic testing of RADIUS from the switch (i think the default username is test - you may see this in your ISE logs). It doesn't matter if this test username fails - as long as the switch receives a reply (reject or accept) from RADIUS it know the server is up. If the switch doesn't receive a reply it will mark the RADIUS server as down.
Configuring RADIUS has changed with later versions of IOS - see the link I posted earlier about demystiying RADIUS.
2
You should use the ISE probes you require to successfully profile. Your phone can be profiled successfully by ISE without it (using cdp/lldp attributes from an snmp query). Some devices may require profile using dhcp attributes like class-identifier - in that case the DHCP probe is required. You don't want to overload ISE by using probes that aren't required for particular devices.
hth
Andy
06-07-2017 01:03 PM
*Question #1 Follow-up:
So basically, with the command I have on the 4510. It's going to automatically use the auth and acct ports as 1645/1646 as default values (*unless specified otherwise). And the "key" in that command just has to match the Shared Secret configured under the "RADIUS Authentication Settings" section of the Network Access Device's config on the ISE Server...
I will check out that link you had posted... Thanks!
2 other questions.
1. SNMP Question: On the 3560 switch, I have these commands below in each of the Interfaces where a client will auth through ISE:
(config-if)# snmp trap mac-notification change added
(config-if)# snmp trap mac-notification change removed
I then came across the following Global Config commands in the TrustSec: Switch Config Guide I mentioned in an earlier post:
### Enable SNMP Traps for mac-notification for change/move/threshold:
(config)# snmp-server enable traps mac-notification change move threshold
### Configure ISE as Hosts to receive the snmp mac-notification traps: (config)# snmp-server host <ise-ip-1>version 3 priv mac-notification snmp (config)# snmp-server host <ise-ip-2> version 3 priv mac-notification snmp
If I use these 3 commands (*above) under Global configuration mode on the switch, would that mean I don't need to include those 2 lines at the top in each of the interfaces?
2. Interface Access-List:
In the Switch Configuration section found in the Cisco ISE v2.0 Administrator Guide (*Chapter 33). It states:
"An ACL must be configured to prepend dACLs from AAA server."
(config-if)# ip access-group ACL-ALLOW in
I attached the full snippet from this document, and it does mention that prior to IOS 12.2(55)SE this ACL was required to allow dACLs to be pushed to the client from the ISE Server, without it, dACLs would be ignored. And, after that version a default ACL is applied. So in this case, on versions after that IOS version, does the ACL "ACL-DEFAULT" get applied to the interfaces automatically, if it exists..?
Sorry, this section was a little confusing since it just says a default ACL will be automatically created and applied, so what is the default ACL...?
Thanks again for the explanations, much appreciated!
Thanks Again,
Matt
06-07-2017 03:21 PM
Hi Matt
1
You will need the "snmp trap mac-notification change" commands under the interfaces as well as the global commands
2
See link below - from your interface configuration you are using open mode without a static acl:
If there is no static ACL on a port in open authentication mode:
• An auth-default-ACL-OPEN is created and allows all traffic.
• Policies are enforced with IP address insertion to prevent security breaches.
• Web authentication is subject to the auth-default-ACL-OPEN.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/sw8021x.html
hth
Andy
06-07-2017 04:42 PM
Wow really... That seems silly to need that on every interface, instead of just being able to enable it globally.. But oh well, thanks for the info!
As for #2... My User-Workstation/Client interface configurations don't currently have "authentication open" enabled on them. We did in the beginning when we first put this in place for testing, so we would have full visibility of the devices on each interface. But, we don't have that on the interfaces anymore. Sorry if that's not the command you were referring to...
If "authentication open" was the command you were referring to (*for open authentication mode), then it sounds like the default ACL that gets created (*when "auth open" is on the interface) is just a permit all. Otherwise, without that auth open command, its a deny all?
Sorry if I'm misunderstanding that one...
Below are the last 2 question that I have for now...
#1. Enabling DHCP Snooping?
Should I be enabling "ip dhcp snooping" on the 4510 core-switch, does it help with profiling? I enabled snooping on the 3560 switch because that is a switch that only we use in the IT department, so I'm not worried about testing stuff on that switch. But, wasn't sure if I should enable it on the 4510..?
Since we have the DHCP probe enabled under Administration > System > Deployment > ISE Server > Profiling Configuration. Is that Probe not necessarily doing anything unless dhcp snooping is enabled on the switch?
If this is something that I should enable (*i.e. the Commands "ip dhcp snooping" and "ip dhcp snooping <vlanX>-,<vlanY>), I read that you should also be using the interface command "ip dhcp snooping trust" on the interface facing the ISE server. Is this true? I ask because in the Switch config guides, they all seem to use the 2 snooping commands, but not the "... trust" command. So I wasn't sure the purpose of this command if the guides aren't showing being used.
And also, it looks like "ip device tracking", which is shown in the same section of the guide as the snooping cmds, is a default command. So it won't actually be shown in the config unless you disable it with the no ip device tracking command... From what I can tell.
#2. Deprecated "radius-server host ..." Command:
According to the Demystifying Radius Server Configurations link in your post, the command below is now deprecated:
radius-server host <ise-server-ip> auth-port <port> acct-port <port> key ......etc......
And instead, you should now use the command:
radius server <NAME>address <ipv4-address> auth-port <port> acct-port <port> ...etc...
key 7 xxxxxxxxxxxxxxxxxxx
So if I want to change the 4500 Switch to the newer, non-deprecated version of that command (*because we plan on upgrading the IOS soon anyway) do I need to remove the existing "radius-server host ..." commands before I can add the new version of that cmd, or will it automatically remove it for me when the new one is added? Also, should that be done after-hours? I wasn't sure if I remove the old one and add the new command, if all the connected clients would need to re-authenticate, or something along those lines.?
Sorry for all the questions.... But, this is really helping me, so thanks!
Thanks AGAIN,
Matt
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide