a question regarding helper-address

Hi;

In the case where we have a PC connected to an IP phone, the phone is connected to the switch port, and we have ISE in place to authenticate the phone with "mab" and then the PC with whatever else, where do we need to forward the broadcast messages with the "helper-address" command on the gateway? Documents have stated that we need to forward the initial phone messages toward ISE, so ISE can do the Change of Authentication process. But because phones need to obtain configuration files from the TFTP server (which is the same as CUCM in my lab), do we need to forward them toward the TFTP/CUCM as well as to ISE?

Comments

  • We don't need to forward them towards TFTP/CUCM. Helper-address is for DHCP packets; if IP phones are getting IPs from DHCP servers then forward to the DHCP server and ISE, but there is no need to forward towards TFTP/CUCM.

    HTH

  • That's a good question! My first reaction is that you do... worth testing whether you don't need it.

  • JoeM

    Hello Timaz,

    These are two different things, right?

    • The helper-address job is to "help" get a dhcp address from the DHCP server.
    • MAB is authentication via AAA and an authentication server address

    The DHCP server will provide the tftp-server-address with option 66 along with the dhcp address, gateway, dns, etc. After the device gets its IP address, then it can communicate with the tftp server for its config files (normal routing).

  • In the ISE context, DHCP packets are used to profile the device in question. But again it depends upon the profiler probes configured. If DHCP probes are configured then we need to send DHCP packets to the ISE nodes.

    Best Regards,

  • Hi all again;

    I was busy and couldn't check the forum for a while, but now I'm here to continue from where I left off.

    Actually I want to test a scenario where the PC is connected to a Cisco phone and the phone is connected to a switch port. My goal is initially authenticating the phone through MAB and then configuring CoA on the switch and ISE so that ISE recognizes the phone (profiles it) and pushes the switch port to be placed into a voice VLAN. Then at the end I want to authenticate the PC.

    At the first step I created a separate VLAN (VLAN 500 in my case) for the voice VLAN on the switch directly connected to the phone and configured a DHCP pool on the switch to service the requests coming from the phone. This VLAN just exists on the switch.

    I have some questions regarding this topology.

    1. After turning on the phone, it will initially be a member of the data VLAN, so we need to use the "helper-address" command on the data VLAN SVI on the switch. Am I right? (The default gateway of the data VLAN is on another device, rather than the switch.)

    2. What is the correct configuration on the switch port to set the data and voice VLANs? Do we need to use explicitly configured commands on the switch port for this?

    regards;

  • 1. After turning on the phone, it will initially be a member of the data VLAN, so we need to use the "helper-address" command on the data VLAN SVI on the switch. Am I right? (The default gateway of the data VLAN is on another device, rather than the switch.)

    Configure the helper address on the layer 3 VLAN interface, wherever that is.

    2. What is the correct configuration on the switch port to set the data and voice VLANs? Do we need to use explicitly configured commands on the switch port for this?

    Sample data/voice configuration on an access port doing MAB:

    switchport access vlan xxx
    switchport mode access
    switchport voice vlan yyy
    authentication event server dead action authorize 
    authentication event server alive action reinitialize 
    authentication host-mode multi-auth
    authentication port-control auto
    authentication timer inactivity 300
    mab


  • Hi;

    I'm getting this error on the switch:

    %PM-4-ERR_DISABLE: security-violation error detected on Gi0/8, putting Gi0/8 in err-disable state
    %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/8, new MAC address (38ed.1855.787c) is seen.AuditSessionID  000000000000001B016E5E5F

    As I said, the PC is connected to the phone and the phone is connected to the switch's g0/8 port. As soon as I enable the switch port, the PC is put into the data VLAN, but after the switch learns the phone's MAC, I get the error above and the port goes disabled. My configuration on g0/8 is as follows:

    interface GigabitEthernet0/8
     switchport mode access
     switchport voice vlan 500
     authentication host-mode multi-domain
     authentication port-control auto
     mab
     dot1x pae authenticator
     spanning-tree portfast

    Any idea?

  • Try removing "dot1x pae authenticator"; I believe that disables multi-host authentication.

    Also, side note: I do not see where you have specifically identified a data VLAN, unless you are looking for it to default to VLAN 1.

  • Try removing "dot1x pae authenticator"; I believe that disables multi-host authentication.

    Also, side note: I do not see where you have specifically identified a data VLAN, unless you are looking for it to default to VLAN 1.

    I'm using the default VLAN (VLAN 1) as the data VLAN. Also, I removed "dot1x pae authenticator" and the same error appeared on the screen. This time it didn't even show me the username/password screen on my PC monitor.

  • This is not correct; on most platforms, after you enable authentication on the port with "authentication port-control auto", this command shows up in the port configuration; otherwise you'll have to put it in manually, as this enables dot1x on the port. The command tells the switch its role in the authentication process, being the authenticator: "dot1x PortAuthenticationEnable authenticator".

    Try removing "dot1x pae authenticator"; I believe that disables multi-host authentication.

    Also, side note: I do not see where you have specifically identified a data VLAN, unless you are looking for it to default to VLAN 1.

  • This is not correct; on most platforms, after you enable authentication on the port with "authentication port-control auto", this command shows up in the port configuration; otherwise you'll have to put it in manually, as this enables dot1x on the port. The command tells the switch its role in the authentication process, being the authenticator: "dot1x PortAuthenticationEnable authenticator".

    Hi Cristian.

    So what might be the cause of the "security violation" error on the switch?

  • You run in multi-domain mode, which is correct based on the fact that you have a phone and a PC behind it; in this mode, the switch allows one MAC address in the data domain and one MAC address in the voice domain. The problem is that the phone boots up and sends untagged frames, which the switch associates with the data VLAN; the phone learns about the voice domain from CDP packets from the switch and starts sending tagged frames with the voice VLAN tag. At this point the switch has one MAC address in both the data VLAN and the domain VLAN (the phone's), after which the PC shows up, the switch sees a new MAC address in the data domain and a violation occurs, with the default action being shutdown/errdisable, just like in the case of port-security. As you run MAB or dot1x on the port, port-security is built in and the switch allows a different number of MAC addresses in the data and voice domains based on the host-mode you run in.

    To fix the problem, configure "authentication violation replace" so that the switch will delete the MAC address of the phone from the data VLAN; in real-life scenarios you don't run into this problem, as the phone is always connected, so the switch only learns it in the voice domain.

  • You run in multi-domain mode, which is correct based on the fact that you have a phone and a PC behind it; in this mode, the switch allows one MAC address in the data domain and one MAC address in the voice domain. The problem is that the phone boots up and sends untagged frames, which the switch associates with the data VLAN; the phone learns about the voice domain from CDP packets from the switch and starts sending tagged frames with the voice VLAN tag. At this point the switch has one MAC address in both the data VLAN and the domain VLAN (the phone's), after which the PC shows up, the switch sees a new MAC address in the data domain and a violation occurs, with the default action being shutdown/errdisable, just like in the case of port-security. As you run MAB or dot1x on the port, port-security is built in and the switch allows a different number of MAC addresses in the data and voice domains based on the host-mode you run in. To fix the problem, configure "authentication violation replace" so that the switch will delete the MAC address of the phone from the data VLAN; in real-life scenarios you don't run into this problem, as the phone is always connected, so the switch only learns it in the voice domain.

    Hi;

    After I turned on the servers again, nothing works; even the phones are unregistered. For the sake of clarity, I'll explain my simple topology, in which I have a 3560 switch. Port g0/8 is connected to the phone and the phone is connected to a PC. Other ports on the switch are members of the default VLAN 1, which is our data VLAN. ISE (10.1.150.152) and CUCM (10.1.150.150) are inside VLAN 1 too, and I changed their default gateway to point to the switch with the IP of 10.1.1.154/16. I created a separate VLAN for the voice VLAN (VLAN 500), then added a Vlan500 interface with the IP of 192.168.250.2/24, and finally configured the switch to be the default gateway for both VLAN 1 and VLAN 500. Also, I turned on IP routing on the switch, enabled the DHCP server service on the switch and configured a pool as you'll see below. Reachability is OK and a ping with Vlan500 as the source interface toward ISE and CUCM completed successfully.

    The RADIUS Live Log page on ISE shows that both authentication and the dACL download were successful.

    Policy Server: cisco-ise
    Event 5200 Authentication succeeded
    Username: 38:ED:18:55:78:7C
    User Type: Host
    Endpoint Id: 38:ED:18:55:78:7C
    Calling Station Id: 38-ED-18-55-78-7C
    Endpoint Profile: Cisco-Device
    Authentication Identity Store: Internal Endpoints
    Identity Group: Profiled
    Audit Session Id: 000000000000000E00F073B6
    Authentication Method: mab
    Authentication Protocol: Lookup
    Service Type: Call Check
    Network Device: Cisco-3560
    NAS IPv4 Address: 10.1.1.154
    NAS Port Id:  GigabitEthernet0/8
    NAS Port Type: Ethernet
    Authorization Profile: TIMAZ_AUTHO-PROFILE1

    EPM logging revealed the following output:

     %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 38ed.1855.787c| AuditSessionID 000000000000000F00F8A536| EVENT APPLY
     %EPM-6-AAA: POLICY xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32| EVENT DOWNLOAD_REQUEST
     %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 38ed.1855.787c| AuditSessionID 000000000000000F00F8A536| EVENT APPLY
     %EPM-6-AAA: POLICY xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32| EVENT DOWNLOAD-SUCCESS
     %EPM-6-IPEVENT: IP 0.0.0.0 MAC 38ed.1855.787c| AuditSessionID 000000000000000F00F8A536| EVENT IP-WAIT

    The result is that the phone couldn't get an IP address from the DHCP pool on the switch and cannot register to CUCM. I got empty output after issuing the "sh ip dhcp binding" and "sh ip device tracking all" commands on the switch. Here is my consolidated config on the switch, in case you think it is necessary to take a look at it.

    aaa new-model
    aaa group server radius RADIUS_GROUP
     server-private 10.1.150.152 key cisco
    !
    aaa authentication login default group RADIUS_GROUP local
    aaa authentication login CONSOLE_AUTHEN local
    aaa authentication dot1x default group RADIUS_GROUP
    aaa authorization network default group RADIUS_GROUP
    !
    aaa server radius dynamic-author
     client 10.1.150.152 server-key cisco
    !
    ip routing
    ip dhcp database ftp://10.1.3.221/DHCPDB
    ip dhcp excluded-address 192.168.250.1 192.168.250.220
    !
    ip dhcp pool TEST_PoOL
     network 192.168.250.0 255.255.255.0
     option 150 ip 10.1.150.150
     domain-name eb.com.tr
     dns-server 10.1.1.30
     default-router 192.168.250.2
     lease 0 5
    !
    epm logging
    !
    interface GigabitEthernet0/8
     switchport mode access
     switchport voice vlan 500
     authentication host-mode multi-domain
     authentication port-control auto
     authentication violation replace
     mab
     dot1x pae authenticator
     spanning-tree portfast
    !
    interface Vlan1
     ip address 10.1.1.154 255.255.0.0
    !
    interface Vlan500
     ip address 192.168.250.2 255.255.255.0
     ip helper-address 10.1.150.150
    !
    ip default-gateway 10.1.1.1

    Even the "sh ip access-list" command on the switch shows that the "deny ip any any" dACL has been downloaded onto the switch:

    Switch(config)#do sh ip access
    Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
        100 deny udp any any eq domain
        101 deny tcp any any eq domain
        102 deny udp any eq bootps any
        103 deny udp any any eq bootpc
        104 deny udp any eq bootpc any
        105 permit tcp any any eq www
    Extended IP access list preauth_ipv4_acl (per-user)
        10 permit udp any any eq domain
        20 permit tcp any any eq domain
        30 permit udp any eq bootps any
        40 permit udp any any eq bootpc
        50 permit udp any eq bootpc any
        60 deny ip any any
    Extended IP access list xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32 (per-user)
        1 deny ip any any

  • Hi guys; hope you are doing well. Would you mind taking a look at this simple topology of mine? I've missed a thing but I don't know what.

    (topology image)

    The switch is the default gateway for both VLAN 500 and VLAN 1. The IPs on the switch are shown above. The switch is configured as a DHCP server to assign IPs to phones in VLAN 500. IP phone 2 is connected to g0/7 and I strictly put g0/7 into "access vlan 500". This phone was able to register to CUCM, get an IP from the switch, and its MAC appeared in the switch MAC address table in VLAN 500. But my phone number 1, which is connected to g0/8 of the switch, cannot get an IP from the DHCP server (that is configured on the same switch) and the phone cannot register itself on CUCM. Analysing the RADIUS logs on ISE shows that the MAC address of the phone has passed MAB authentication on ISE and a dACL has been downloaded onto the switch to deny any IP traffic until CoA is received. The command output on the switch looks like this:

    Switch(config-if)#do sh authe sess
    Interface    MAC Address    Method  Domain  Status Fg Session ID
    Gi0/8        38ed.1855.787c mab     DATA    Auth      000000000000002201594FA5
    Session count = 1

    As shown above, the MAC address of the phone has been recognized by the switch but put into the data VLAN (default VLAN 1) rather than the voice VLAN 500. The configuration on g0/8 is the same as in my previous post in this thread.

    The interesting part is that my PC, which is connected to the phone's PC port, can authenticate to ISE and, as expected, is put into data VLAN 1 by the switch.

    And I got nothing after issuing the "sh ip device tracking all" command. Could you give me a hand resolving this?

  • As said, the IP phone will start sending untagged traffic initially; after it learns via CDP about the voice VLAN it will start sending tagged traffic, so the switch will put the phone in the proper VLAN in the end.

    You have a chicken-and-egg issue: to apply the dACL on the port the switch needs to learn the IP address of the connected device (so until that happens, all IP traffic from the device is blocked), while to get an IP address via DHCP the device needs to be able to send DHCP traffic in the network; so configure a pre-auth ACL in which you allow DHCP traffic. However, depending on the code you're running on the switch, there is a default pre-auth ACL applied which allows DHCP traffic; read here about "Default ACL Used for 802.1x": http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/119374-technote-dacl-00.html
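    The three fixes recommended in this thread (helper-address on the layer 3 VLAN interface, "authentication violation replace" for a phone that is first seen untagged, and a pre-auth ACL that lets DHCP through before the dACL can be keyed to an IP) fit together as in the following added example, which is not configuration from any of the posts above. It reuses the lab values quoted in the thread (voice VLAN 500 served by the switch's own DHCP pool, data VLAN 1, ISE 10.1.150.152, CUCM/TFTP 10.1.150.150); the ACL name PRE-AUTH is my own.

```cisco
! Added example, not from the thread. Lab values reused from the posts above:
! voice VLAN 500 (DHCP pool on this switch), data VLAN 1, ISE 10.1.150.152,
! CUCM/TFTP 10.1.150.150. The ACL name PRE-AUTH is assumed.
!
! Pre-auth ACL: what a not-yet-authorized endpoint may send. DHCP must pass,
! because IP device tracking learns the endpoint's address from this exchange
! and the downloaded dACL cannot be applied until that address is known
! (the chicken-and-egg problem described above). DNS is allowed as in the
! switch's default preauth_ipv4_acl; everything else is denied.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 permit udp any any eq domain
 deny   ip any any
!
interface GigabitEthernet0/8
 switchport mode access
 switchport access vlan 1
 switchport voice vlan 500
 ! port ACL applied inbound; the per-user dACL from ISE is applied on top of it
 ip access-group PRE-AUTH in
 authentication host-mode multi-domain
 authentication port-control auto
 ! the phone is first learned untagged in the DATA domain; "replace" lets the
 ! PC take that slot instead of err-disabling the port (the violation seen above)
 authentication violation replace
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface Vlan500
 ip address 192.168.250.2 255.255.255.0
 ! helper-address relays DHCP only. The DHCP server is this switch, so the only
 ! relay target is ISE, and only when the ISE DHCP profiler probe is in use.
 ! TFTP/CUCM is reached by normal routing once the phone has an address
 ! (option 150 from the pool), so its address does not belong here.
 ip helper-address 10.1.150.152
```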


  • As said, the IP phone will start sending untagged traffic initially; after it learns via CDP about the voice VLAN it will start sending tagged traffic, so the switch will put the phone in the proper VLAN in the end.

    You have a chicken-and-egg issue: to apply the dACL on the port the switch needs to learn the IP address of the connected device (so until that happens, all IP traffic from the device is blocked), while to get an IP address via DHCP the device needs to be able to send DHCP traffic in the network; so configure a pre-auth ACL in which you allow DHCP traffic. However, depending on the code you're running on the switch, there is a default pre-auth ACL applied which allows DHCP traffic; read here about "Default ACL Used for 802.1x": http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/119374-technote-dacl-00.html

    Hi Cristian!

    I changed both the static ACL on g0/8 and the dACL on ISE and added "permit udp any any" to them. Although I now have hits on the ACL, still nothing works. The phone doesn't get any IP from the DHCP server, but my PC gets authenticated with no problem. When I took a look at the MAC address table on the switch, I saw this:

    Switch(config-if)#do sh mac address-ta dy inter g0/8
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
     500    38ed.1855.787c    DYNAMIC     Drop

    The MAC belongs to the phone. As you might notice, the MAC address of the PC is not in the table, but I have access from the PC to the network and even ISE shows that the PC passed authentication and authorization successfully. But the MAC address of the phone is displayed as "Drop" in voice VLAN 500. The output of "sh ip device track all" on the switch revealed just the MAC address of the PC in the data VLAN.

    I'm getting disappointed with this, because I've been working on this very issue for more than 2 months, and despite all the efforts and recommendations, I still haven't managed to resolve this simple problem. :( :(
