
RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE

basilzahran
Level 1

Dear Team,

I have faced an issue with dot1x/MAB authorization between a Cisco 3750 switch and ISE 1.1. I have a Cisco IP phone connected on port gig1/0/1 that authenticates through MAB with Cisco ISE.

--------------------------------------------------------------

int gig 1/0/1
switchport mode access
switchport access vlan 9
switchport voice vlan 410
authentication order mab dot1x
authentication priority dot1x mab
spanning-tree portfast
authentication host-mode multi-domain
authentication port-control auto
dot1x pae authenticator
mab
dot1x timeout tx-period 3
dot1x max-reauth-req 2
authentication periodic
authentication timer reauthenticate server

---------------------------------------------------------------------

I can get authentication successfully but can't download the authorization profile on the gig1/0/1 port, although everything seems fine from the ISE side: the phone is authenticated and authorized fine. So I debugged the dot1x and RADIUS flows from the switch side and got this result.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

RADIUS/ENCODE(00000043):Orig. component type = Dot1X
RADIUS(00000043): Config NAS IP: 1.1.1.2
RADIUS(00000043): Config NAS IPv6: ::
RADIUS/ENCODE(00000043): acct_session_id: 57
RADIUS(00000043): sending
RADIUS(00000043): Sending a IPv4 Radius Packet
RADIUS(00000043): Send Access-Request to 1.1.1.1:1812 id 1645/72, len 261
RADIUS:  authenticator 82 94 D8 85 E9 E0 CF 71 - 03 FE C5 BA 76 EC 76 C4
RADIUS:  User-Name           [1]   14  "00152bd20c19"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Service-Type        [6]   6   Call Check                [10]
RADIUS:  Vendor, Cisco       [26]  31 
RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"
RADIUS:  Framed-MTU          [12]  6   1500                     
RADIUS:  Called-Station-Id   [30]  19  "30-F7-0D-CD-5F-01"
RADIUS:  Calling-Station-Id  [31]  19  "00-15-2B-D2-0C-19"
RADIUS:  Message-Authenticato[80]  18 
RADIUS:   90 B9 61 65 CC A6 B2 89 BC C8 3D DC D4 14 03 C5               [ ae=]
RADIUS:  EAP-Key-Name        [102] 2   *
RADIUS:  Vendor, Cisco       [26]  49 
RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8424200000036001B2AAE"
RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
RADIUS:  NAS-Port            [5]   6   50101                    
RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/1"
RADIUS:  Called-Station-Id   [30]  19  "30-F7-0D-CD-5F-01"
RADIUS:  NAS-IP-Address      [4]   6   1.1.1.2                  
RADIUS(00000043): Started 5 sec timeout
RADIUS: Received from id 1645/72 1.1.1.1:1812, Access-Accept, len 297
RADIUS:  authenticator D5 2C 29 3B AC C8 A7 2F - A4 75 45 F5 51 6D 4F A8
RADIUS:  User-Name           [1]   19  "00-15-2B-D2-0C-19"
RADIUS:  State               [24]  40 
RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 43 30  [ReauthSession:C0]
RADIUS:   41 38 34 32 34 32 30 30 30 30 30 30 33 36 30 30  [A842420000003600]
RADIUS:   31 42 32 41 41 45            [ 1B2AAE]
RADIUS:  Class               [25]  50 
RADIUS:   43 41 43 53 3A 43 30 41 38 34 32 34 32 30 30 30  [CACS:C0A84242000]
RADIUS:   30 30 30 33 36 30 30 31 42 32 41 41 45 3A 69 73  [00036001B2AAE:is]
RADIUS:   65 33 2F 31 35 30 33 30 36 35 37 38 2F 33 38 36  [ e3/150306578/386]
RADIUS:  Termination-Action  [29]  6   1                        
RADIUS:  Message-Authenticato[80]  18 
RADIUS:   09 17 84 AB 27 8E B4 E0 F4 A6 93 EE 19 2A A6 34               [ '*4]
RADIUS:  Vendor, Cisco       [26]  34 
RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
RADIUS:  Vendor, Cisco       [26]  75 
RADIUS:   Cisco AVpair       [1]   69  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-4fe7f797"
RADIUS:  Vendor, Cisco       [26]  35 
RADIUS:   Cisco AVpair       [1]   29  "profile-name=Cisco-IP-Phone"i
RADIUS(00000043): Received from id 1645/72
RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
%MAB-5-SUCCESS: Authentication successful for client (0015.2bd2.0c19) on Interface Gi1/0/1 AuditSessionID C0A8424200000036001B2AAE
%AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.2bd2.0c19) on Interface Gi1/0/1 AuditSessionID C0A8424200000036001B2AAE
%DOT1X_SWITCH-5-ERR_VLAN_RSPAN: Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1. 802.1x is incompatible with RSPAN AuditSessionID C0A8424200000036001B2AAE
RADIUS/ENCODE(00000000):Orig. component type = Invalid

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

So, I notice two things:

1. "RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE" on the RADIUS attribute, since I believe I have configured the RADIUS VSA attributes correctly, as shown:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
!
aaa accounting update periodic 5
!
!
aaa server radius dynamic-author
client 1.1.1.1 server-key 0 cisco
!
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key cisco
radius-server vsa send accounting
radius-server vsa send authentication
!

2. "%DOT1X_SWITCH-5-ERR_VLAN_RSPAN:", since I don't have any configuration related to RSPAN.

So, does anybody have any idea how to fix this issue?

Regards

Basel

11 Replies

basilzahran
Level 1

anyone

Sent from Cisco Technical Support iPhone App

Add the below listed command:

radius-server attribute 6 on-for-login-auth

Try again and gather the below listed information:

show authentication sessions interface gig1/0/1

It's possible none of the authorization rules are being matched. Check the authorization rule conditions on ISE under Policy > Authorization.

You can check this by going to ISE > Operations > Reports > Authentication RADIUS Today, looking for the failed authentication and clicking on the magnifying glass.

Regards,

Jatin Katyal


- Do rate helpful posts -

~Jatin

Hi Katyal,

As I mentioned, everything seems fine from the ISE side: on the Operations > Authentications page I can see that MAB is matching the authentication and authorization profile successfully, and from the switch side I can see that the access-list (permit ip any any) related to the IP phone was received from ISE in the Access-Accept, but it gets errors when it receives the profile name from ISE.

I will try to add radius-server attribute 6 and test again.

Regards

Basel

Disable full debug on the switch and try again.

There was a CDETS of this nature on certain devices where enabling debug caused similar issues.

If you find this helps I can try and dig out some of the history

Hi jrabinow,

I disabled the debug and reloaded the switch, but it's the same. I can see the flow matches the authorization rule successfully, but it's not downloaded on the switch port, since the switch still ignores the profile-name Cisco-IP-Phone.

Does anyone have an example for MAB with ISE?

Regards

Basel

This is what we are getting as a profile name in the radius access-accept

  "profile-name=Cisco-IP-Phone"i

I'm wondering why we have "i" at the end.

Jatin Katyal


- Do rate helpful posts -

~Jatin

Could you show us your authorization rule? I don't understand why you are getting that VSA pair; all you should see from ISE is Access-Accept and device-traffic-class=voice.

Hi gents,

Thanks for your help. I used the default authorization rule for Cisco IP phones, which permits all IP traffic and assigns device-traffic-class=voice. I didn't make any modification to this rule. As I mentioned earlier, I can see the traffic matching this rule and the access-list being downloaded from the ISE side, but the switch ignores it.

Regards

Basel

It is not the ACL it is ignoring, it's the profile-name, which it should, because it has nothing to use that for. However, you should look into VLAN 410 to check whether you have any config relating to that VLAN; the only actual error I see in your logs is the one regarding assigning VLAN 410. Could you please post your entire switch config, so we can see what else you might have configured?

%DOT1X_SWITCH-5-ERR_VLAN_RSPAN:  Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1.  802.1x is incompatible with RSPAN AuditSessionID  C0A8424200000036001B2AAE - See more at:  https://supportforums.cisco.com/message/3863298#3863298
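To see concretely why the switch can ignore one Cisco AVpair while still acting on the others in the same Access-Accept, here is an added Python example (not from this thread and not Cisco's code). It builds an Access-Accept carrying the same three Cisco AVpairs that appear in the posted debug, verifies the Response Authenticator and Message-Authenticator using the shared secret "cisco" from the posted radius-server host line (a NAD must do this before trusting any attribute), and then walks attribute 26 (Vendor-Specific, vendor ID 9) and sorts each AVpair into the ones a NAD acts on and the ones it discards, which is what "parse unknown cisco vsa ... IGNORE" means. The packet ID, the Request Authenticator and the set of "known" AVpair keywords are assumptions made for the illustration.

```python
"""Build and decode a RADIUS Access-Accept carrying Cisco VSAs.

Added example, not taken from the forum thread or from Cisco. The AVpairs
mirror the posted debug (device-traffic-class, ACS:CiscoSecure-Defined-ACL,
profile-name). Shared secret "cisco" comes from the posted config; the packet
ID, Request Authenticator and KNOWN_CISCO_AVPAIRS are constructed here.
"""
import hashlib
import hmac
import os
import struct

VENDOR_CISCO = 9
ATTR_USER_NAME, ATTR_VSA, ATTR_MSG_AUTH = 1, 26, 80
CODE_ACCESS_ACCEPT = 2

# AVpair keywords this hypothetical NAD acts on; anything else is ignored,
# just as the 3750 did with "profile-name".
KNOWN_CISCO_AVPAIRS = {"device-traffic-class", "ACS:CiscoSecure-Defined-ACL"}


def attr(t, value):
    """Encode one RADIUS attribute as type, length, value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([t, len(value) + 2]) + value


def cisco_avpair(text):
    """Wrap a Cisco AVpair (vendor 9, vendor-type 1) inside attribute 26."""
    return attr(ATTR_VSA, struct.pack("!I", VENDOR_CISCO) + attr(1, text.encode()))


def build_access_accept(ident, request_auth, secret, attrs):
    """Assemble an Access-Accept with Message-Authenticator (RFC 2869) and
    Response Authenticator (RFC 2865 section 3) computed over the final packet."""
    body = b"".join(attrs) + attr(ATTR_MSG_AUTH, bytes(16))
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(body))
    # Message-Authenticator = HMAC-MD5(secret, packet with the Request
    # Authenticator in the authenticator field and a zeroed Message-Authenticator)
    ma = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + ma
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(pkt, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def parse_attributes(pkt):
    """Yield (type, value, offset) for every top-level attribute; reject bad lengths."""
    pos, length = 20, struct.unpack("!H", pkt[2:4])[0]
    while pos + 2 <= length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield t, pkt[pos + 2:pos + l], pos
        pos += l


def verify_message_authenticator(pkt, request_auth, secret):
    """Recompute HMAC-MD5 over the packet with the Message-Authenticator zeroed."""
    for t, value, pos in parse_attributes(pkt):
        if t == ATTR_MSG_AUTH and len(value) == 16:
            zeroed = pkt[:4] + request_auth + pkt[20:pos + 2] + bytes(16) + pkt[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, value)
    return False  # no Message-Authenticator present


def decode_cisco_avpairs(pkt):
    """Return {'applied': [...], 'ignored': [...]} for the Cisco AVpairs found."""
    result = {"applied": [], "ignored": []}
    for t, value, _ in parse_attributes(pkt):
        if t != ATTR_VSA or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue  # some other vendor's VSA
        vtype, vlen = value[4], value[5]
        if vtype != 1 or vlen != len(value) - 4:
            continue  # not a Cisco AVpair, or inconsistent inner length
        text = value[6:4 + vlen].decode(errors="replace")
        key = text.split("=", 1)[0]
        result["applied" if key in KNOWN_CISCO_AVPAIRS else "ignored"].append(text)
    return result


def demo(secret=b"cisco"):
    """Constructed Access-Accept matching the posted debug; returns the sorting."""
    request_auth = os.urandom(16)  # in reality taken from the Access-Request
    pkt = build_access_accept(72, request_auth, secret, [
        attr(ATTR_USER_NAME, b"00-15-2B-D2-0C-19"),
        cisco_avpair("device-traffic-class=voice"),
        cisco_avpair("ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-4fe7f797"),
        cisco_avpair("profile-name=Cisco-IP-Phone"),
    ])
    if not (verify_response_authenticator(pkt, request_auth, secret)
            and verify_message_authenticator(pkt, request_auth, secret)):
        raise RuntimeError("authenticator check failed: discard packet")
    return decode_cisco_avpairs(pkt)


if __name__ == "__main__":
    for bucket, pairs in demo().items():
        for pair in pairs:
            print(bucket, pair)
```

Run as a script, it reports device-traffic-class and the dACL name as applied and profile-name as ignored. The ordering of the checks is deliberate: both authenticators are validated before any attribute is parsed, because an Access-Accept whose MD5/HMAC does not match the shared secret should never reach the authorization logic at all.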

Hi Jan,

I just created L2 VLAN 410 and assigned it under the port as "switchport voice vlan 410". I only use this VLAN under this port.

I will post the entire switch configuration ASAP.

Regards

Basel

Hi team,

After some troubleshooting I have fixed the issue: I had a mistake in the dACL configured on ISE, and after fixing it everything is working fine.

But I still have a concern: why do I need a pre-ACL applied on dot1x interfaces, and what is the relation between it and EPM (Enforcement Policy Module)?

Regards

Basel