QOS VoIP

Need help understanding where to apply AutoQoS VoIP on my VPN network. I'm using C2800 routers with private IP networks behind interface 0/1; the voice, data and management subnets are subinterfaces, for example 0/1.1 data, 0/1.2 voice, etc. The IPsec VPN is mapped on the external interface 0/0. I need to be able to prioritize outbound VPN traffic so that VoIP is preferred, but I don't know where and how to apply the QoS policies generated by the AutoQoS VoIP feature. Thank you

If you put qos pre-classify in the crypto map, you can apply the QoS parameters on the outbound interface based on the pre-IPsec (unencapsulated) headers.
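The answer above written out as a configuration, added here as an example and not taken from the original post. It assumes a voice subnet of 10.20.2.0/24 on Fa0/1.2, a 10 Mbit/s uplink, and placeholder names for the crypto map, peer, transform set and ACLs; substitute your own. One caveat a practitioner should know: IOS copies the ToS byte of the inner packet into the outer ESP header by default, so a class that matches only on DSCP (as the AutoQoS-generated classes do) works even without qos pre-classify; pre-classify is what lets a class also match on inner addresses and ports once the packet is encrypted. The service-policy belongs on the physical interface that carries the crypto map, not on the inside subinterfaces, because that is where the encrypted packets are queued.

```ios
! Assumed: voice subnet 10.20.2.0/24 lives on Fa0/1.2; all other names are placeholders.
ip access-list extended VOICE-SUBNET
 permit ip 10.20.2.0 0.0.0.255 any
!
! Match on DSCP (works with or without pre-classify) OR on the inner source subnet
! (needs qos pre-classify, otherwise the ACL only ever sees the ESP outer header).
class-map match-any VOICE-RTP
 match ip dscp ef
 match access-group name VOICE-SUBNET
!
class-map match-any VOICE-SIGNALING
 match ip dscp cs3 af31
!
! Child policy: strict-priority queue for RTP, a bandwidth guarantee for signaling.
policy-map WAN-OUT
 class VOICE-RTP
  priority percent 30
 class VOICE-SIGNALING
  bandwidth percent 5
 class class-default
  fair-queue
!
! Parent shaper at the real circuit rate (assumed 10 Mbit/s) so the LLQ engages here
! instead of the provider tail-dropping voice upstream of us.
policy-map WAN-SHAPE
 class class-default
  shape average 10000000
  service-policy WAN-OUT
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256
 match address VPN-INTERESTING
 qos pre-classify
!
interface FastEthernet0/0
 description WAN side, IPsec peer
 crypto map VPN-MAP
 service-policy output WAN-SHAPE
!
! Verification:
!   show policy-map interface FastEthernet0/0   (per-class packet and drop counters)
!   show crypto map                              (confirms "QOS pre-classification is enabled")
```

If the VOICE-RTP counters in show policy-map interface stay at zero during a call, either pre-classify is not in effect on that crypto map or the phones/switches are not marking EF before the packets reach the router.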

Tags: Cisco Security

Similar Questions

  • Setup QoS on SG300-28P

    Hi all. I tried to configure my SG300-28P the same way as my 2960S, using the following commands:

    conf t
    interface range gi1-28
    auto qos voip cisco-phone

    But there is no such command that I can find on the SG300. Is anyone familiar with a similar command? Or is QoS a completely manual process on the SG300?

    I'm on firmware version 1.3.7.18

    Hi Ksuchewie,

    There is no auto QoS in Cisco Small Business switches. That is a feature of the routers and of the Catalyst/enterprise switches. On Cisco Small Business switches the voice VLAN uses DSCP 46 and CoS 5 by default.

    That means DSCP EF (46).

    My advice: replace it with DSCP 26, so it will match AF31 (low drop). Also I'd leave CoS at 5.

    I'll give you an example of how to configure QoS for the voice VLAN on a Small Business switch.

    My example is data VLAN 1 and VoIP VLAN 100.

    Quick commands:

    config t
    voice vlan id 100
    voice vlan cos 5
    voice vlan dscp 26
    wr mem

    Thank you

    Ministry of health

  • Command switchport mode access

    Hello

    I was curious about the switchport mode access command and its interoperability with the switchport voice vlan command.

    If I set up a switchport with the switchport mode access command, will that make it impossible for the switchport to form a trunk in the special case of an IP phone? Even if I set up switchport voice vlan?

    And if so, should the port be configured as switchport mode dynamic auto? Or desirable?

    Thank you, Pat

    Pat, you can configure a port as an access port, add the voice vlan configuration and connect a phone and another device. The trunk will form. With the "voice vlan" Cisco obscures the fact that a trunk forms. I don't necessarily agree with this strategy, and it wasn't always this way. I remember configuring phones on a 3500XL and the ports were configured as trunks.

    You made me think, so I issued a few commands on a WS-C3560V2-48PS-S running IOS 12.2(58)SE2 which has 12 phones connected to it.

    Here is the config for a port that has a phone connected:

    Switch#sho run int f0/2
    Building configuration...

    Current configuration : 475 bytes
    !
    interface FastEthernet0/2
     switchport access vlan 11
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 11
     switchport trunk allowed vlan 2,10-19
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 12
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     no mdix auto
     spanning-tree portfast
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end

    If I show the trunk status for that individual port, IOS recognizes that the port with the attached phone is actually a trunk:

    Switch#sho int f0/2 trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/2       off          802.1q         not-trunking  11

    Port        Vlans allowed on trunk
    Fa0/2       11-12

    Port        Vlans allowed and active in management domain
    Fa0/2       11-12

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/2       11-12

    However, if I do a "sho int trunk" to display all the trunk ports on the switch, IOS does not include the phone ports in the output.

    Switch#sho int trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/45      on           802.1q         trunking      12
    Fa0/46      on           802.1q         trunking      12
    Gi0/1       on           802.1q         trunking      11
    Gi0/2       on           802.1q         trunking      11

    Port        Vlans allowed on trunk
    Fa0/45      2,10-19
    Fa0/46      2,10-19
    Gi0/1       2,10-19
    Gi0/2       2,10-19

    Port        Vlans allowed and active in management domain
    Fa0/45      2,11-13,16-17
    Fa0/46      2,11-13,16-17
    Gi0/1       2,11-13,16-17
    Gi0/2       2,11-13,16-17

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/45      2,11-13,16-17
    Fa0/46      2,11-13,16-17
    Gi0/1       2,11-13,16-17
    Gi0/2       2,11-13,16-17

    So on the one hand IOS says "Yes, it is a trunk" and on the other hand it says "Nope, no trunks here!" Also notice that 'spanning-tree portfast' is configured on f0/2, not 'spanning-tree portfast trunk'. PortFast is still active on this port.

    Switch#sho span int f0/2 portfast

    VLAN0011            enabled
    VLAN0012            enabled

    Conversely, on port 45 we have a VG-224 connected and it is configured with "switchport mode trunk" and "spanning-tree portfast trunk". If I change that to just "spanning-tree portfast" we see this:

    Switch#sho span int f0/45 portfast

    VLAN0002            disabled
    VLAN0011            disabled
    VLAN0012            disabled
    VLAN0013            disabled
    VLAN0016            disabled
    VLAN0017            disabled

    Cisco has confused the issue here. I would prefer it if we called a trunk a trunk, but for some reason they do not.

    Cheers,

    -Jeff

    ---

    Posted by Jeff Davis from the Cisco Support Community App WebUser

  • MAB: Cisco phone successfully authenticated, VLANASSIGN assigned, and then authorization failed?

    I'm getting strange behavior with a Catalyst switch and 802.1X. I use multi-auth, with a PC and a Cisco phone patched in. Both devices authenticate correctly, but only the PC is authorized according to the switch logs.

    Switch log:

    Apr  7 09:27:37.836 EDT: %AUTHMGR-5-START: Starting 'mab' for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
    Apr  7 09:27:37.945 EDT: %MAB-5-SUCCESS: Authentication successful for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
    Apr  7 09:27:37.945 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Fa0/1 AuditSessionID Unassigned
    Apr  7 09:27:37.970 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
    Apr  7 09:27:39.295 EDT: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
    Apr  7 09:27:43.775 EDT: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID
    Apr  7 09:27:43.783 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 212 assigned to Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
    Apr  7 09:27:45.570 EDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082

    Switch config:

    aaa authentication dot1x default group RADIUS-DOT1X
    aaa authorization network default group radius
    ip radius source-interface Loopback0
    radius-server vsa send accounting
    radius-server vsa send authentication
    dot1x system-auth-control
    dot1x guest-vlan supplicant

    Interface config:

    interface FastEthernet0/1
     switchport mode access
     srr-queue bandwidth share 10 10 60 20
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 999
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation protect
     mab
     mls qos trust cos
     auto qos voip trust
     dot1x pae authenticator
     no mdix auto
     spanning-tree portfast

    NPS Windows Server policy (attached screenshots):

    Hello Jim,

    Try using multi-domain host mode instead of multi-auth.

    Kind regards

    Poonam Garg

  • 802.1X authentication and phones

    I have just begun to roll out 802.1X authentication and found that although I got authentication for the PCs on the data VLAN to work, the phones on the VOICE VLAN do not unless I set 'authentication host-mode' to 'multi-host'.

    We have run unauthenticated for 7 years with both the phones and the PCs working.

    What I want to do (i.e. what management told me to move to) is to have the phones connect unauthenticated (with CDP handling the correct VLAN assignment) but require the PCs to authenticate.

    I guess the simple question is: is this even possible? If so, any advice is greatly appreciated. (Switch config is below.)

    Thank you

    Arch

    !
    version 12.2
    no service pad
    service timestamps debug datetime localtime show-timezone msec
    service timestamps log datetime localtime show-timezone msec
    service password-encryption
    !
    hostname switch
    !
    boot-start-marker
    boot-end-marker
    !
    logging console emergencies
    logging monitor emergencies
    enable secret 5 *.
    !
    aaa new-model
    !
    !
    aaa authentication dot1x default group radius
    !
    !
    !
    aaa session-id common
    clock timezone cst -6
    clock summer-time cdt recurring
    switch 1 provision ws-c3750g-24ps
    system mtu routing 1500
    vtp mode transparent
    no ip domain-lookup
    !
    !
    ip igmp snooping vlan 41 mrouter interface Gi1/0/27
    ip igmp snooping vlan 41 mrouter interface Gi1/0/28
    !
    mls qos
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    vlan 13
     name DATA-VLAN
    !
    vlan 857
     name VoIP-VLAN
    !
    vlan 1611
     name GUEST-VLAN
    lldp run
    !
    !
    class-map match-all AutoQoS-VoIP-RTP-Trust
     match ip dscp ef
    class-map match-all AutoQoS-VoIP-Control-Trust
     match ip dscp cs3 af31
    !
    !
    policy-map AutoQoS-Police-CiscoPhone
     class AutoQoS-VoIP-RTP-Trust
      set dscp ef
      police 320000 8000 exceed-action policed-dscp-transmit
     class AutoQoS-VoIP-Control-Trust
      set dscp cs3
      police 32000 8000 exceed-action policed-dscp-transmit
    !
    !
    !
    interface GigabitEthernet1/0/1
     switchport access vlan 13
     switchport mode access
     switchport voice vlan 857
     switchport port-security violation protect
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     queue-set 2
     priority-queue out
     authentication control-direction in
     authentication event no-response action authorize vlan 1611
     authentication host-mode multi-host
     authentication port-control auto
     authentication violation protect
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     dot1x pae authenticator
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    !
    interface GigabitEthernet1/0/2
    !
    interface GigabitEthernet1/0/3
    !
    interface GigabitEthernet1/0/4
    !
    interface GigabitEthernet1/0/5
    !
    interface GigabitEthernet1/0/6
    !
    interface GigabitEthernet1/0/7
    !
    interface GigabitEthernet1/0/8
    !
    interface GigabitEthernet1/0/9
    !
    interface GigabitEthernet1/0/10
    !
    interface GigabitEthernet1/0/11
    !
    interface GigabitEthernet1/0/12
    !
    interface GigabitEthernet1/0/13
    !
    interface GigabitEthernet1/0/14
    !
    interface GigabitEthernet1/0/15
    !
    interface GigabitEthernet1/0/16
    !
    interface GigabitEthernet1/0/17
    !
    interface GigabitEthernet1/0/18
    !
    interface GigabitEthernet1/0/19
    !
    interface GigabitEthernet1/0/20
    !
    interface GigabitEthernet1/0/21
    !
    interface GigabitEthernet1/0/22
    !
    interface GigabitEthernet1/0/23
    !
    interface GigabitEthernet1/0/24
    !
    interface GigabitEthernet1/0/25
    !
    interface GigabitEthernet1/0/26
    !
    interface GigabitEthernet1/0/27
    !
    interface GigabitEthernet1/0/28
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 13,857,1611
     switchport mode trunk
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     queue-set 2
     mls qos trust cos
     auto qos voip trust
    !
    radius-server host 10.1.2.10 auth-port 1645 acct-port 1646
    radius-server key 7 *.
    radius-server vsa send authentication
    end

    Hello

    Authentication with a PC and a phone needs "authentication host-mode multi-domain". You can use the MAC address or 802.1X (username and password) for authentication of the IP phone.

    The authentication profile must send "device-traffic-class=voice" to the switch. The PC then fits into the DATA domain and the phone into the VOICE domain.

    See attachment:

  • When ISE goes down, none of the computers can get to the shared network or the Internet.

    We run Cisco ISE 1.4 with computer authentication only, and recently had a power outage of about 6 hours. When the batteries of the UPS the servers are connected to drained, none of the computers could connect to anything. The NIC on the computers showed an "authentication failed" error. We have "Fallback to unauthorized network access" selected on each computer. Is there a way to allow all computers access to the network and the Internet as usual when the ISE servers are down?

    The port configuration is as follows:

    switchport access vlan 77
    switchport mode access
    switchport voice vlan 777
    ip access-group ACL-DEFAULT in
    authentication event fail action next-method
    authentication event server dead action authorize vlan 77
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication timer inactivity 180
    authentication violation restrict
    mab
    no snmp trap link-status
    auto qos voip cisco-phone
    dot1x pae authenticator
    dot1x timeout tx-period 10
    trust device cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AutoQos-VoIP-Input-Cos-Policy
    service-policy output AutoQos-VoIP-Output

    You must use an EEM script to change the IP access list that you assigned to the interface to something with "permit ip any any" in it.

    'authentication event server dead action authorize vlan 77' only works in closed-mode configurations that do not use a pre-authentication ACL.
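The EEM approach from the answer above, as an added example that is not part of the original thread. It assumes the port's pre-authentication ACL is named ACL-DEFAULT as in the port configuration shown, and that the platform logs the RADIUS server state changes as %RADIUS-4-RADIUS_DEAD and %RADIUS-4-RADIUS_ALIVE; confirm those mnemonics in show logging on your switch before trusting the pattern match, and make sure radius-server dead-criteria is configured, because without it the server is never marked dead and the applet never fires. Note the security trade-off: whoever can cut the switch off from ISE, including by flooding the RADIUS server, gets fully open ports, so alert on the applet's syslog message and restore the ACL automatically when the server comes back, as the second applet does.

```ios
! Mark the server dead after 3 unanswered tries within 5 seconds; hold it dead 10 minutes.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! Low-impact pre-auth ACL applied "in" on the access ports: only what an
! unauthenticated host needs before ISE answers. Entries start at seq 10,
! so seq 1 is free for the applet below.
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 deny   ip any any
!
! Fail open: when the switch declares the RADIUS server dead, insert a
! permit-all entry at the top of the static port ACL.
event manager applet RADIUS-DEAD-FAIL-OPEN
 event syslog pattern "RADIUS-4-RADIUS_DEAD"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "ip access-list extended ACL-DEFAULT"
 action 1.3 cli command "1 permit ip any any"
 action 1.4 cli command "end"
 action 1.5 syslog priority warnings msg "RADIUS dead: ACL-DEFAULT opened with permit ip any any"
!
! Fail closed again: remove the permit-all entry when the server is marked alive.
event manager applet RADIUS-ALIVE-FAIL-CLOSED
 event syslog pattern "RADIUS-4-RADIUS_ALIVE"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "ip access-list extended ACL-DEFAULT"
 action 1.3 cli command "no 1"
 action 1.4 cli command "end"
 action 1.5 syslog priority notifications msg "RADIUS alive: ACL-DEFAULT restored"
!
! Verification:
!   show event manager policy registered      (both applets listed)
!   show ip access-lists ACL-DEFAULT          (seq 1 present only while the server is dead)
!   show radius server-group all / show aaa servers   (server state: UP or DEAD)
```

The 'authentication event server dead action authorize vlan 77' line on the port is still needed: it authorizes the session in the data VLAN while the server is dead, and the applet removes the static ACL that would otherwise keep blocking the authorized host. Sessions that already failed before the server was marked dead are re-evaluated only on their next attempt, so expect a delay of one reauthentication timer on those ports.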

  • MAC-auth-bypass fails with MAC: 0000.0000.0000

    I have an old JetDirect which does not support 802.1X. I enabled MAB on the port where it connects, but for some reason MAB fails. I enabled debug dot1x and pasted some of the output here. I know that my dot1x config is good: I have clients that authenticate via RADIUS to my ACS server. I also have a different port using MAB, not a JetDirect, and the two ports are configured the same way. From the debug, it seems that the switch cannot glean the MAC of the JetDirect. Any ideas? It is a 3750 with 12.2(44)SE2. I tried shut/no shut on the interface and resetting the JetDirect; nothing seems to work. I see no request on my ACS server for the MAC address of the device.

    aaa authentication dot1x default group radius
    aaa authorization network default group radius

    radius-server host 192.168.x.x auth-port 1645 acct-port 1646

    interface FastEthernet2/0/31
     description white A002
     switchport access vlan 112
     switchport mode access
     switchport voice vlan 800
     switchport port-security maximum 3
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     dot1x mac-auth-bypass eap
     dot1x pae authenticator
     dot1x port-control auto
     dot1x host-mode multi-domain
     dot1x violation-mode restrict
     dot1x timeout tx-period 2
     dot1x timeout supp-timeout 10
     spanning-tree portfast
     spanning-tree bpduguard enable

    012729: May  5 14:51:31.672: dot1x-packet:dot1x_txReq: EAPOL packet sent out to the default authenticator
    012730: May  5 14:51:32.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/31, changed state to up
    012731: May  5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
    012732: May  5 14:51:33.727: dot1x-sm:Posting EAP_REQ for client=4219220
    012733: May  5 14:51:33.727: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 7(eapReq)
    012734: May  5 14:51:33.727: @ dot1x_auth_bend Fa2/0/31: auth_bend_request -> auth_bend_request
    012735: May  5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_action called
    012736: May  5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_enter called
    012737: May  5 14:51:33.727: dot1x-packet:dot1x_mgr_send_eapol: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
    012738: May  5 14:51:33.727: dot1x-ev:FastEthernet2/0/31: EAPOL packet to the EAP group address
    012739: May  5 14:51:33.727: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet2/0/31.
    012740: May  5 14:51:33.727: dot1x-registry:registry:dot1x_ether_macaddr called
    012741: May  5 14:51:33.727: dot1x-ev:dot1x_mgr_send_eapol: EAPOL packet sent out on FastEthernet2/0/31
    012742: May  5 14:51:33.727: EAPOL pak Tx dump
    012743: May  5 14:51:33.727: EAPOL Version: 0x2 type: 0x0 length: 0x0005
    012744: May  5 14:51:33.727: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
    012745: May  5 14:51:33.727: dot1x-packet:dot1x_txReq: EAPOL packet sent out to the default authenticator
    012746: May  5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
    012747: May  5 14:51:35.791: dot1x-sm:Posting EAP_TIMEOUT for client=4219220
    012748: May  5 14:51:35.791: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 12(eapTimeout)
    012749: May  5 14:51:35.791: @ dot1x_auth_bend Fa2/0/31: auth_bend_request -> auth_bend_timeout
    012750: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_timeout_enter called
    012751: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_timeout_action called
    012752: May  5 14:51:35.791: dot1x_auth_bend Fa2/0/31: idle during state auth_bend_timeout
    012753: May  5 14:51:35.791: @ dot1x_auth_bend Fa2/0/31: auth_bend_timeout -> auth_bend_idle
    012754: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_idle_enter called
    012755: May  5 14:51:35.791: dot1x-sm:Posting AUTH_TIMEOUT for client=4219220
    012756: May  5 14:51:35.791: dot1x_auth Fa2/0/31: during state auth_authenticating, got event 15(authTimeout)
    012757: May  5 14:51:35.791: @ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
    012758: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit called
    012759: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_fallback_enter called
    012760: May  5 14:51:35.791: dot1x_auth_mab: initial state mab_initialize has enter
    012761: May  5 14:51:35.791: dot1x_auth_mab: during state mab_initialize, got event 2(mabStart)
    012762: May  5 14:51:35.791: @ dot1x_auth_mab: mab_initialize -> mab_acquiring
    012763: May  5 14:53:08.831: dot1x_auth_mab: during state mab_acquiring, got event 3(mabResult) (ignored)

    HQ_1stFlr_3750#sh dot1x int fa2/0/31 det

    Dot1x Info for FastEthernet2/0/31
    -----------------------------------
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = MULTI_DOMAIN
    Violation Mode            = RESTRICT
    ReAuthentication          = Disabled
    QuietPeriod               = 60
    ServerTimeout             = 30
    SuppTimeout               = 10
    ReAuthPeriod              = 3600 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 2
    RateLimitPeriod           = 0
    Mac-Auth-Bypass           = Enabled (EAP)
    Timeout                   = None

    Dot1x Authenticator Client List Empty

    Port Status               = UNAUTHORIZED

    Does the JetDirect card use DHCP to get an IP address? If not, the JetDirect will not produce any traffic for the switch to authenticate. To test this, use the front panel of the printer to send a ping packet and see if it triggers MAB.

  • ISE could not find any AAA Client or network device

    During authentication using 802.1X and MAB, I get an authentication failure with error 11007 (Could not locate Network Device or AAA Client). The cause ISE gives me is "Could not find Network Device or AAA Client while accessing NAS by IP during authentication." I did almost everything by the book, but instead of using a loopback interface I used a VLAN with a defined IP address. Could that be the cause of the problem?

    Here is the config of the port that I tested on:

    interface GigabitEthernet1/0/9
     switchport access vlan 9
     switchport mode access
     switchport voice vlan 8
     ip access-group ACL-LEAVE in
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 4
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x timeout tx-period 10
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end

    Whatever IP address you entered in ISE when adding this switch must match the IP address of the interface configured under your "ip radius source-interface" command. In your first post you said you use an SVI for this, but in your later message I see that your RADIUS packets are sourced from "interface TenGigabitEthernet1/0/1". Double-check that and make sure they match.

    If you have a Loopback interface configured, it is strongly recommended that you use it as the source for these services (RADIUS, TACACS+, SNMP, Syslog, etc.).

    Thank you for rating helpful posts!

  • Rejected MAC addresses are not placed in the guest VLAN

    Hi all

    I'm kind of new to switches and have learned a lot by reading the documentation sites. My job is to enable AAA authentication on our Cisco switches; we have a 3750 stack, a few 3560s and some 3550s. I'm testing on one of the 3560s, a WS-C3560G-48PS running 12.2(53)SE1 IP-BASE. Next week I'll update the firmware to 12.2(55), but with this version everything should already work.

    Basically, the only thing I've been asked to do at the moment is the MAC-Auth Bypass configuration. If the MAC address is accepted, RADIUS returns the VLAN the device should be placed in, for the most part VLAN 4.

    If the RADIUS server (freeradius v2.1.10) sends a reject (see below), the port is not put in the guest VLAN as I expected.

    1. 12/21/10 4:23:19.000 PM
       Dec 21 16:23:19 10.1.1.207 37473: 2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
       Host=10.1.1.207, SourceType=syslog, source=udp:514, client_mac=((f0de.f119.9870)), client_action=FAIL, LINEPROTO_LINK=AUTHMGR-5

    2. 12/21/10 4:23:19.000 PM
       Dec 21 16:23:19 10.1.1.207 37472: 2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B

    3. 12/21/10 4:23:18.000 PM
       Dec 21 16:23:18 10.1.1.207 37471: 2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B

    Can someone tell me where I'm going wrong?

    Thank you

    Chris

    Relevant parts of the running-config:

    aaa new-model
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting delay-start
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    !
    aaa session-id common
    !
    dot1x system-auth-control
    !
    interface GigabitEthernet0/29
     description 235a
     switchport mode access
     switchport voice vlan 2
     load-interval 30
     srr-queue bandwidth share 10 10 60 20
     queue-set 2
     priority-queue out
     authentication event fail action authorize vlan 7
     authentication event server dead action authorize vlan 4
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication port-control auto
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    !
    interface Vlan1
     ip address 10.1.1.207 255.255.255.0
    !
    interface Vlan2
     ip address 10.1.10.207 255.255.255.0
    !
    ip default-gateway 10.1.1.201
    ip classless
    !
    ip sla enable reaction-alerts
    radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
    radius-server timeout 10
    radius-server key 7 <wouldn't you like to know>
    radius-server vsa send accounting
    radius-server vsa send authentication
    !
    end

    VLAN information:

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- --------------------------------
    1    default                          active    Gi0/6, Gi0/8, Gi0/14, Gi0/15
                                                    Gi0/18, Gi0/21, Gi0/29, Gi0/30
                                                    Gi0/34, Gi0/36, Gi0/37, Gi0/49
                                                    Gi0/50, Gi0/51
    2    voice                            active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                    Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                    Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                    Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                    Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                    Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                    Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                    Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                    Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                    Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                    Gi0/42, Gi0/43, Gi0/44, Gi0/45
                                                    Gi0/46, Gi0/47, Gi0/49
    3    video                            active
    4    DHCP                             active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                    Gi0/5, Gi0/7, Gi0/9, Gi0/10
                                                    Gi0/11, Gi0/12, Gi0/13, Gi0/16
                                                    Gi0/17, Gi0/19, Gi0/20, Gi0/22
                                                    Gi0/23, Gi0/24, Gi0/25, Gi0/26
                                                    Gi0/27, Gi0/28, Gi0/31, Gi0/32
                                                    Gi0/33, Gi0/35, Gi0/38, Gi0/39
                                                    Gi0/40, Gi0/41, Gi0/42, Gi0/43
                                                    Gi0/44, Gi0/45, Gi0/46, Gi0/48
    5    transfer                         active
    6    Test ESX                         active
    7    GUEST-VLAN                       active
    999  native                           active
    1002 fddi-default                     act/unsup
    1003 trcrf-default                    act/unsup
    1004 fddinet-default                  act/unsup
    1005 trbrf-default                    act/unsup

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1    enet  100001     1500  -      -      -        -    -        0      0
    2    enet  100002     1500  -      -      -        -    -        0      0
    3    enet  100003     1500  -      -      -        -    -        0      0
    4    enet  100004     1500  -      -      -        -    -        0      0
    5    enet  100005     1500  -      -      -        -    -        0      0
    6    enet  100006     1500  -      -      -        -    -        0      0
    7    enet  100007     1500  -      -      -        -    -        0      0
    999  enet  100999     1500  -      -      -        -    -        0      0
    1002 fddi  101002     1500  -      -      -        -    -        0      0
    1003 trcrf 101003     4472  1005   3276   -        -    srb      0      0
    1004 fdnet 101004     1500  -      -      -        ieee -        0      0
    1005 trbrf 101005     4472  -      -      15       ibm  -        0      0

    VLAN AREHops STEHops Backup CRF
    ---- ------- ------- ----------
    1003 7       7       off

    Remote SPAN VLANs
    ------------------------------------------------------------------------------

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------

    Hello

    Just to use the correct names: what you want is an auth-fail VLAN (which you configured correctly). The guest VLAN is for PCs that have no dot1x capability (they do not respond to dot1x packets), but with MAC bypass the "no-response" event will never happen.

    Now that that's explained, your config actually looks quite OK. I'd go with debugs to check what the problem is.

    debug radius
    debug mab all
    debug authentication feature mab all
    debug authentication feature mda all

    Nicolas

    ===

    Remember to rate the responses you find useful

  • MAB authentication fails on a multi-domain port: authentication result "server dead"

    Hi all

    First of all, I don't have much experience configuring Cisco switches (about half a year now), but I've read loads and loads of documentation.

    I am trying to configure multi-domain authentication (MDA) on our Cisco switches using MAB and I'm running into something strange. Currently only MAB is requested by my employer.

    Switch = 3560G-48, IOS version 12.2(55)SE1

    RADIUS = FreeRADIUS (version 2.1.10)

    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3560/software/release/12.2_55_se/configuration/guide/swiosfs.html is my bible

    On port Gi0/29 a Cisco 7961 IP phone is connected, and a laptop is plugged into the phone

    The switch configuration:

    aaa new-model
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting delay-start
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    !

    interface GigabitEthernet0/29
     description 235a
     switchport access vlan 4
     switchport mode access
     switchport voice vlan 2
     load-interval 30
     srr-queue bandwidth share 10 10 60 20
     queue-set 2
     priority-queue out
     authentication event fail retry 0 action authorize vlan 7
     authentication event server dead action authorize vlan 4
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication port-control auto
     authentication violation restrict
     mab
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    !

    radius-server dead-criteria time 5 tries 5
    radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
    radius-server key 7 xxx
    radius-server vsa send accounting
    radius-server vsa send authentication

    RADIUS response (for the full reply see the attached RADIUS-response.txt):

    Sending Access-Accept of id 98 to 10.1.1.207 port 1645
            Cisco-AVPair = "Tunnel-Type = VLAN.
            Cisco-AVPair = "Tunnel-Medium-Type = 802.
            Cisco-AVPair = "Tunnel-Private-Group-ID = 7.
            Cisco-AVPair = "Tunnel-Preference.

    So that is an Access-Accept with a data VLAN assignment.

    Debug on the switch:

    001776: *Mar  1 09:27:35.606: mab-ev(Gi0/29): Received MAB context create from AuthMgr
    001777: *Mar  1 09:27:35.606: mab-ev(Gi0/29): MAB authorizing MACAddress
    001778: *Mar  1 09:27:35.606: mab-ev(Gi0/29): Created MAB client context 0x2200000F
    001779: *Mar  1 09:27:35.606: mab : initial state mab_initialize has enter
    001780: *Mar  1 09:27:35.606: mab-ev(Gi0/29): Sent create new context event to EAP for 0x2200000F (MACAddress)
    001781: *Mar  1 10:27:35.606 CET: %AUTHMGR-5-START: Starting 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001782: *Mar  1 09:27:35.606: mab-sm(Gi0/29): Received event 'MAB_CONTINUE' on handle 0x2200000F
    001783: *Mar  1 09:27:35.606: mab : during state mab_initialize, got event 1(mabContinue)
    001784: *Mar  1 09:27:35.606: @ mab : mab_initialize -> mab_authorizing
    001785: *Mar  1 09:27:35.606: mab-ev(Gi0/29): Starting MAC-AUTH-BYPASS for 0x2200000F (MACAddress)
    001786: *Mar  1 09:27:35.614: mab-ev(Gi0/29): MAB received an Access-Reject for 0x2200000F (MACAddress)
    001787: *Mar  1 10:27:35.622 CET: %MAB-5-FAIL: Authentication failed for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001788: *Mar  1 09:27:35.622: mab-sm(Gi0/29): Received event 'MAB_RESULT' on handle 0x2200000F
    001789: *Mar  1 09:27:35.622: mab : during state mab_authorizing, got event 5(mabResult)
    001790: *Mar  1 09:27:35.622: @ mab : mab_authorizing -> mab_terminate
    001791: *Mar  1 09:27:35.622: mab-ev(Gi0/29): Removed credentials profile 0x2200000F (dot1x_mac_auth_MACAddress)
    001792: *Mar  1 09:27:35.622: mab-ev(Gi0/29): Sending event (2) to AuthMgr for MACAddress
    001793: *Mar  1 10:27:35.622 CET: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001794: *Mar  1 10:27:35.622 CET: %AUTHMGR-5-VLANASSIGN: VLAN 4 assigned to Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001795: *Mar  1 10:27:36.512 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC

    So RADIUS returns an Access-Accept, but the switch treats it as an Access-Reject and considers the RADIUS server dead.

    Help would be appreciated!

    Chris

    Hi Chris,

    In response to your last post, dynamic VLAN assignment can be achieved using the IETF RADIUS attributes, as described in the following link:
    http://Tools.Cisco.com/Squish/d1791

    or using the cisco-av-pair, as described in the following link:
    http://Tools.Cisco.com/Squish/8Bd61

    Regarding the use of the RADIUS and cisco-av pairs, please enable the following debug output on the switch and reproduce the problem with a client authentication attempt:
    debug radius
    debug authentication all
    debug authentication feature all

    Following the client authentication event, also provide the following output from the switch:
    show authentication sessions interface <interface>

    I have come across problems regarding the case of the cisco-av-pair. For example, VLAN assignment works using the case-sensitive lowercase "tunnel-private-group-id(#81)=vlanid" instead of "tunnel-private-group-ID(#81)=vlanid".

    When testing with "tunnel-private-group-ID(#81)=vlanid", I get an error:

    RADIUS/DECODE: parse unknown cisco vsa "tunnel-private-group-ID" - FAIL

    So, for the 2nd link, with the changes:
    cisco-avpair = "tunnel-type(#64)=VLAN(13)"
    cisco-avpair = "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair = "tunnel-private-group-id(#81)=vlanid"

    If you still have a question, please include the debug/show output mentioned above, which will shed light on the problem.

    Thank you
    Alex
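    The case-sensitivity point Alex makes above (IOS treats "tunnel-private-group-ID" as an unknown VSA, so the VLAN is never applied) is easy to check on the RADIUS side before a switch is pointed at the policy. The following is an added example, not code from the thread or from any Cisco or NPS tool: it parses the cisco-avpair strings an Access-Accept would carry, requires the three tunnel attributes in the exact lowercase form IOS accepts, and reports what would go wrong. The function names and the sample Access-Accepts are constructed for illustration.

```python
"""Validate the cisco-avpair strings a RADIUS server returns for dynamic
VLAN assignment, applying two rules from the thread: attribute names are
case sensitive (IOS logs 'parse unknown cisco vsa ... - FAIL' for
'tunnel-private-group-ID'), and all three tunnel attributes must be
present and well-formed for the switch to apply the VLAN.

Added example; function names and sample Access-Accepts are assumptions.
"""
import re
from typing import Callable, Dict, List, Tuple


def _vlan_type(v: str) -> bool:          # Tunnel-Type must be VLAN (13)
    return v.upper().startswith("VLAN") or v.strip() == "13"


def _medium_802(v: str) -> bool:         # Tunnel-Medium-Type must be 802 (6)
    return v.startswith("802") or v.strip() == "6"


def _vlan_id(v: str) -> bool:            # Tunnel-Private-Group-ID is the VLAN number
    return v.isdigit() and 1 <= int(v) <= 4094


# Keys exactly as IOS accepts them (lowercase), the IETF attribute numbers
# quoted in the thread, and a check on the value.
EXPECTED: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "tunnel-type": ("64", _vlan_type),
    "tunnel-medium-type": ("65", _medium_802),
    "tunnel-private-group-id": ("81", _vlan_id),
}

# Accepts both 'key(#n)=value' and 'key=value'.
AVPAIR_RE = re.compile(r"^\s*([A-Za-z-]+)\s*(?:\(\s*#\s*(\d+)\s*\))?\s*=\s*(.*?)\s*$")

# Constructed samples: one correct Access-Accept, one with the mixed-case key.
GOOD = ["tunnel-type(#64)=VLAN(13)", "tunnel-medium-type(#65)=802 media(6)",
        "tunnel-private-group-id(#81)=7", "device-traffic-class=voice"]
BAD_CASE = ["tunnel-type(#64)=VLAN(13)", "tunnel-medium-type(#65)=802 media(6)",
            "tunnel-private-group-ID(#81)=7"]


def parse_avpair(s: str) -> Tuple[str, str, str]:
    """Split 'key(#n)=value' into (key, attribute number or '', value)."""
    m = AVPAIR_RE.match(s)
    if not m:
        raise ValueError(f"cannot parse cisco-avpair: {s!r}")
    key, num, value = m.groups()
    return key, num or "", value


def check_vlan_assignment(avpairs: List[str]) -> dict:
    """Return {'ok', 'vlan', 'problems'} for the avpairs of one Access-Accept."""
    problems: List[str] = []
    seen: Dict[str, str] = {}
    for raw in avpairs:
        key, num, value = parse_avpair(raw)
        if key in EXPECTED:
            exp_num, check = EXPECTED[key]
            if num and num != exp_num:
                problems.append(f"{key}: attribute number #{num}, expected #{exp_num}")
            if not check(value):
                problems.append(f"{key}: unexpected value {value!r}")
            seen[key] = value
        elif key.lower() in EXPECTED:
            # The failure Alex reports: IOS sees an unknown VSA, not a VLAN.
            problems.append(f"{key}: case mismatch, IOS expects {key.lower()!r}")
        # other avpairs (e.g. device-traffic-class=voice) are left alone
    for key in EXPECTED:
        if key not in seen:
            problems.append(f"{key}: missing")
    vlan = int(seen["tunnel-private-group-id"]) if not problems else None
    return {"ok": not problems, "vlan": vlan, "problems": problems}


if __name__ == "__main__":
    for label, pairs in (("good", GOOD), ("bad case", BAD_CASE)):
        print(label, check_vlan_assignment(pairs))
```

    Run it against the attribute list your NPS or FreeRADIUS policy emits; a non-empty `problems` list is what the switch's `debug radius` would show as a decode failure, and `vlan` is the number the port would actually end up in.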

  • MAB with Cisco Phone - authorization failed

    Hello everyone,

    I use MAB to authenticate clients and Cisco IP phones against a Microsoft NPS RADIUS server. Everything works perfectly, except for one Cisco phone. The phone authenticates successfully, but authorization fails. The switch port has the following configuration.

    switchport access vlan 500
    switchport mode access
    switchport nonegotiate
    switchport voice vlan 92
    no logging event link-status
    srr-queue bandwidth share 1 30 35 5
    priority-queue out
    authentication control-direction in
    authentication event server dead action authorize voice
    authentication host-mode multi-domain
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate 10800
    authentication timer inactivity 1800
    mab
    no snmp trap link-status
    mls qos trust device cisco-phone
    mls qos trust cos
    macro description mab
    auto qos voip cisco-phone
    storm-control broadcast level 5.00
    storm-control action shutdown
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

    I get the following RADIUS logging of the client authentication process.

    May  7 15:24:53.349: RADIUS:   4D 8F 05 AB 00 00 01 37 00 01 02 00 0A 19 0A 84 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 5F 79           [ M7G*p_y]
    May  7 15:24:53.349: RADIUS:  Vendor, Cisco       [26]  34
    May  7 15:24:53.349: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
    May  7 15:24:53.358: RADIUS(00002749): Received from id 1645/128
    May  7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
    May  7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
    SER-02-SW01#clear authentication
    May  7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13

    I checked online, and blogs and forums suggest checking the use of downloadable access lists, but they are not used on this switch. As mentioned, all Cisco IP phones work perfectly except this one. I have already removed the Active Directory object and created a new object from scratch, but with the same result. I also tried another port on the switch, again an authorization failure.

    Currently I don't know where to look further, so maybe some of you can help me!

    Thanks for the update, René. I had suggested deactivating and reactivating dot1x globally to see where it got stuck. However, it seems the thought is not okay. Would appreciate it if you mark it resolved so that someone else can take advantage of it.

    You're welcome

    Good day!

    Jatin kone

    - Do rate helpful posts -
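    Both threads above come down to reading the %MAB and %AUTHMGR syslog lines correctly: in Chris's case the port was admitted through the 'server dead' fallback (VLAN 4 assigned without any RADIUS decision), in René's case MAB reported success and the very next message was an authorization failure. The following added example, not code from either post, correlates such lines per AuditSessionID and names those two outcomes; they are the events worth alerting on, since a fallback-authorized port means the AAA policy was never applied. The sample lines are constructed from the messages quoted in the thread (client MACs and session IDs as shown there, 'MACAddress' being the placeholder the original poster used); the function and finding names are assumptions.

```python
"""Correlate the %MAB / %AUTHMGR syslog messages a Catalyst switch logs
during MAB by AuditSessionID and classify the outcome of each session.
Two outcomes are flagged: a port authorized through the 'server dead'
fallback (no RADIUS decision, fallback VLAN applied), and an
authentication that succeeded but whose authorization the switch could
not apply.

Added example; SAMPLE_LOG is constructed from the thread's messages and
the function and finding names are assumptions.
"""
import re
from typing import Dict, Iterable

SYSLOG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)")
SESSION_RE = re.compile(r"AuditSessionID (?P<sid>[0-9A-Fa-f]+)")
CLIENT_RE = re.compile(r"client \((?P<client>[^)]+)\)")
IFACE_RE = re.compile(r"Interface (?P<iface>\S+)")
RESULT_RE = re.compile(r"Authentication result '(?P<result>[^']+)' from '(?P<method>[^']+)'")
VLAN_RE = re.compile(r"VLAN (?P<vlan>\d+) assigned")

# Constructed sample: first session is the RADIUS-declared-dead case
# (critical VLAN 4 applied), second is MAB success followed by an
# authorization failure.
SAMPLE_LOG = """\
*Mar  1 10:27:35.606 CET: %AUTHMGR-5-START: Starting 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
*Mar  1 10:27:35.622 CET: %MAB-5-FAIL: Authentication failed for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
*Mar  1 10:27:35.622 CET: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
*Mar  1 10:27:35.622 CET: %AUTHMGR-5-VLANASSIGN: VLAN 4 assigned to Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
*Mar  1 10:27:36.512 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
May  7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May  7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May  7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
"""


def _new_session() -> dict:
    return {"interface": None, "client": None, "method": None,
            "auth_result": None, "vlan": None, "authorized": None, "finding": None}


def classify(s: dict) -> str:
    """Name the outcome of one session (finding labels are assumptions)."""
    if s["auth_result"] == "server dead" and s["authorized"]:
        # Admitted by 'authentication event server dead action authorize':
        # no AAA server ever accepted this client.
        return "critical-auth-fallback"
    if s["auth_result"] == "success" and s["authorized"] is False:
        # Server said yes, but the switch could not apply what it returned.
        return "authz-failed-after-success"
    if s["authorized"]:
        return "ok"
    return "not-authorized"


def summarize_sessions(lines: Iterable[str]) -> Dict[str, dict]:
    """Group syslog lines by AuditSessionID and classify each session."""
    sessions: Dict[str, dict] = {}
    for line in lines:
        m = SYSLOG_RE.search(line)
        if not m:
            continue                       # debug chatter without %FAC-SEV-MNEM
        sm = SESSION_RE.search(m["msg"])
        if not sm:
            continue                       # not tied to a session
        s = sessions.setdefault(sm["sid"], _new_session())
        im, cm = IFACE_RE.search(m["msg"]), CLIENT_RE.search(m["msg"])
        if im and s["interface"] is None:
            s["interface"] = im["iface"]
        if cm and s["client"] is None:
            s["client"] = cm["client"]
        key = f"{m['fac']}-{m['mnem']}"
        if key == "AUTHMGR-RESULT":
            rm = RESULT_RE.search(m["msg"])
            if rm:
                s["auth_result"], s["method"] = rm["result"], rm["method"]
        elif key == "AUTHMGR-VLANASSIGN":
            vm = VLAN_RE.search(m["msg"])
            if vm:
                s["vlan"] = int(vm["vlan"])
        elif key == "AUTHMGR-SUCCESS":
            s["authorized"] = True
        elif key == "AUTHMGR-FAIL":
            s["authorized"] = False
    for s in sessions.values():
        s["finding"] = classify(s)
    return sessions


if __name__ == "__main__":
    for sid, s in summarize_sessions(SAMPLE_LOG.splitlines()).items():
        print(sid, s["interface"], s["client"], s["auth_result"], s["vlan"], s["finding"])
```

    Feed it the switch's syslog (or the output of `debug authentication all` with `terminal monitor`) and watch for `critical-auth-fallback`: a burst of those across ports is the signature of the switch having marked the RADIUS server dead, which is what Chris's debug shows and what a malformed Access-Accept can trigger.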

  • Can't SSH or browse to remote MX300 or EX90 phone devices

    Hello

    For the EX90 devices using a second monitor, I can remote into the laptop.

    interface GigabitEthernet4/0/24
    description EX90
    switchport access vlan 20
    switchport mode access
    switchport voice vlan 799
    srr-queue bandwidth share 10 10 60 20
    queue-set 2
    priority-queue out
    mls qos trust cos
    auto qos voip trust
    spanning-tree portfast
    end

    For the MX300 devices the interface configuration is:

    interface GigabitEthernet2/0/20
    description VIDEO MX300
    switchport access vlan 99
    switchport mode access
    spanning-tree portfast
    end

    Hello

    The first things you should check:

    Can you ping the device?

    Is the network configuration correct?

    Is the device configured with a static VLAN?

    Is CDP enabled?

    If you connect a PC directly to your device, are you able to access it via SSH or the web?

    Can you try another network cable?

    Regards

    Paulo Souza

    Was my answer helpful? Please rate the useful answers and don't forget to mark resolved questions as "answered".

  • Setup of QoS for Whatsapp and VOIP application

    Hello guys,.

    I have a WAG320N modem. I wanted to configure QoS priority for 2 applications, 'Whatsapp' and a VOIP application that allows me to call from a computer to a mobile phone. I use torrent applications and they take all the bandwidth. That's why I was looking to configure QoS for these two applications.

    I went to the QoS page and it asks for application details such as the port range etc. I don't know what values to fill in. I have posted a screenshot of the page below. Can someone help me fill in these details for both applications.

    Thanks in advance

    Image: http://i40.tinypic.com/2qi02z5.jpg

    You can essentially add Viber to QoS. Under QoS > Games and Applications, click Enable Internet Access Priority. Under Category, find Applications > Add a new Application. Enter the name of the Application. You can now add the port numbers. And since each is a specific port and not a range, do it this way:

    5242 - 5242 TCP (protocol)
    4244 - 4244 TCP
    5243 - 5243 UDP
    9785 - 9785 UDP

    I hope this helps.

  • SGE2000p QoS for VoIP

    I am trying to improve our phone quality problems. Things like tape backups, heavy downloads etc. are causing the phones to get all crackly. I don't know where to start. Everyone talks about VLANs, but I don't know if this is the best choice. I don't know anything about QoS on the SGE2000P switches. I keep reading, but it doesn't get any clearer. I need a little direction. I see things on VLANs, basic QoS, advanced QoS and don't know which route to go.

    I have 3 stacks of switches, 8 switches in total, all SGE2000P on the same network segment. The main stack is connected to the smaller stacks by fibre optic cable. Some computers are connected through the VoIP phones due to the lack of wiring inside the building, but a lot of phones have a dedicated line to the switches.

    Consider phones as three-port switches (because that's what they are).  One port is the phone, one goes to a single port, and one goes to a PC.  On a switch, when you set a port as a trunk you can tag traffic for VLANs, creating separate virtual LANs on a single physical link.  Similarly, on the phone side, when you configure an IP phone to use a VLAN you are telling the phone to have a trunk port to your switch and to communicate on that tagged VLAN.

    The native VLAN is the untagged VLAN.  Computers don't understand VLANs and just send untagged traffic, so when you connect the PC to the back of the phone it will operate the same as it does now.  The difference will be that the phone will be on a different subnet and VLAN.

    Taking VLAN 100 for voice as an example, you need to change the IP address of your IP PBX to something in a new subnet such as 192.168.100.1/24 and create a port on a switch placed in VLAN 100.  Connect it to your firewall for inter-VLAN routing.  Then find a way to get the phones an IP address in that subnet and their configs updated to use VLAN 100 and reach 192.168.100.1.  If you configure inter-VLAN routing properly beforehand, you should be able to reboot a phone, have it come up on the data VLAN, get a new configuration that specifies the use of VLAN 100, reset again and this time come up on VLAN 100 with the new address and function properly.

  • Implementation of VLAN / QoS for VOIP on RV180

    I posted earlier about setting up VLAN / QoS for VOIP on the SG200-18 (see: https://supportforums.cisco.com/discussion/12193666/setting-vlan-and-qos...).

    I did go ahead and buy the RV180. I connected it to the SG200-18.

    I wish to proceed with the implementation of VLAN / QoS on the RV180 so my VOIP phone (a Grandstream wireless VOIP phone) is on its own VLAN separate from the rest of the network, and make sure that all QoS settings are optimized to give the VOIP phone first priority on the network.

    Currently I still have the VOIP phone connected to SG200-18 as stated in the previous post.

    Here are my questions:

    1. Should I leave the VOIP phone connected to the SG200-18 and configure all the VLANs, voice VLANs and switch VLAN settings down to the VOIP phone, or should I plug the VOIP phone into the RV180? Which would give me better performance and be easier to do?

    2. How can I place the VOIP phone on its own VLAN, and additionally optimize the QoS settings so it gets top priority on the network?

    3. I currently have the VOIP phone set with a DHCP reservation in the 192.168.x range. When moving to the VLAN, do I need to change the DHCP reservation and/or my firewall settings (I go through the firewall as well)?

    4. I am also getting a Grandstream VOIP desk phone to beta-test. When installing it, do I have to plug it directly into the RV180 or the SG200-18, and do I have to put it on the same VLAN as the Grandstream wireless VOIP phone or a different VLAN? It also supports PoE, but the RV180 or SG200-18 model I have does not. If I use an external power supply, will connecting each device be OK, or might it get fried?

    Thank you!

    Hello

    1. Should I leave the VOIP phone connected to the SG200-18 and configure all the VLANs, voice VLANs and switch VLAN settings down to the VOIP phone, or should I plug the VOIP phone into the RV180? Which would give me better performance and be easier to do?

    There will not be much difference in performance between being on the switch or on the router, so it mostly comes down to simplicity of configuration.  If you plug the phone directly into the router, you really won't have to bother with VLAN trunking or any of that on the switch.

    It is really whatever is more convenient, but if you are able to plug into the RV directly I wouldn't worry about QoS on the switch.

    So let's talk about setting up the RV180.

    First go to Networking > LAN > VLAN Membership.  Enable VLANs and add a new VLAN for voice (most people use 100 for voice for some reason, but it does not matter).  You will want to set the port that the phone is plugged into as untagged in the new voice VLAN, and you can exclude the data VLAN from the port.

    Then go to Multiple VLAN Subnets and configure the DHCP configuration / address range for the new subnet (for example 192.168.100.0) if you do not want to use it (makes things a bit easier).

    Finally, to enable QoS on the RV go to QoS > WAN QoS Profiles.  Enable WAN QoS, make sure it is set to priority mode and add a new entry to the table.  You can name it anything you want (I used VoIP), then set it to high priority.

    Then go down to the Profile Binding page and add a new entry here. Select the profile you just created in the drop-down menu, set the service to one, select the VLAN traffic selector and make sure the VLAN drop-down menu shows the VoIP VLAN.

    At this point, we have a configuration where the voice traffic (or basically anything on the voice VLAN) will have priority when it goes out the WAN interface.

    3. I currently have the VOIP phone set with a DHCP reservation in the 192.168.x range. When moving to the VLAN, do I need to change the DHCP reservation and/or my firewall settings (I go through the firewall as well)?

    The second VLAN should have a different subnet configuration, as I mentioned above.  During that process you will set up the DHCP server for the new VLAN as well.  You can adjust your reservations for the phones, but it doesn't really matter what IP they get, since we are prioritizing the whole voice VLAN, so you don't have to set up a reservation unless you really want to.

    4. The Grandstream phone.

    I would put the Grandstream (and any other VoIP phones you may get) in the voice VLAN so that it gets the same priority treatment.  At that point, with multiple devices, you could indeed set up a trunk to the switch (normal VLAN untagged and voice VLAN tagged) and configure the ports for these phones into the voice VLAN.  That will ensure that the switch gives priority to voice traffic, even if it is probably not as important internally as on the WAN.

    Regarding a PoE device connected to a non-PoE switch or router, there will be no problems.  I'm guessing that the phone also comes with an AC adapter.  It will not feed that power into the wire just because it's PoE; it's pretty much a one-way circuit.

    Hope that helps,

    Christopher Ebert - Advanced Network Support Engineer

    Cisco Small Business Support Center

    * Please rate helpful posts *
