QOS VoIP
Need help to understand where to apply QoS VoIP on my VPN network. I am using C2800 routers with private IP address networks behind interface 0/1; the voice, data and management subnets are only subinterfaces, for example 0/1.1 data, 0/1.2 voice, etc. The IPsec VPNs are mapped on the external interface 0/0. I need to be able to prioritize outbound VPN traffic to prefer VoIP, but I don't know where and how to apply the QoS policies generated by the Auto QoS VoIP feature. Thank you
If you put QoS pre-classify in the crypto map, you can apply QoS parameters on the output interface based on the pre-IPsec encapsulated headers.
Tags: Cisco Security
Similar Questions
-
Hi all. I tried to configure my SG300-28P for my 2960S using the following commands:
conf t
interface range gi1-28
auto qos voip cisco-phone
But there is no such command that I can find on the SG300. Is anyone familiar with a similar command? Or is QoS a completely manual process on the SG300?
I'm on firmware version 1.3.7.18
Hi Ksuchewie,
There is no auto QoS in Cisco small business switches. This is a feature of routers, Catalyst and enterprise switches. On Cisco small business switches the voice VLAN by default uses DSCP 46 and CoS 5.
This means DSCP EF 46.
My advice: replace it with DSCP 26 so it will match AF31 low drop. Also I'd leave CoS at 5.
I'll give you an example of how to configure QoS for the voice VLAN on a small business switch.
My example is DATA on vlan 1 and VoIP on vlan 100.
Quick order:
config t
voice vlan id 100
voice vlan cos 5
voice vlan dscp 26
wr mem
Thank you
Ministry of health
-
Command switchport mode access
Hello
I was curious about the switchport mode access command and its interoperability with the switchport voice vlan command.
If I set up a switchport with the switchport mode access command, will that make it impossible for the switchport to create a special-case trunk with the IP phone? Even if I set up switchport voice vlan?
And if so, should the port be configured as switchport mode dynamic auto? Or desirable?
Thank you, Pat
Pat, you can configure a port as an access port, add the voice vlan configuration and connect a phone and another device. The trunk will form. With the "voice vlan" Cisco obscures the fact that a trunk forms. I don't necessarily agree with this strategy, and it wasn't always this way. I remember configuring phones on a 3500XL and the ports were configured as trunks.
You made me think, so I issued a few commands on a WS-C3560V2-48PS-S running IOS 12.2(58)SE2 which has 12 phones connected to it.
Here is the config for a port that has a connected phone:
Switch#sho run int f0/2
Building configuration...
Current configuration: 475 bytes
!
interface FastEthernet0/2
switchport access vlan 11
switchport trunk encapsulation dot1q
switchport trunk native vlan 11
switchport trunk allowed vlan 2,10-19
switchport mode access
switchport nonegotiate
switchport voice vlan 12
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
no mdix auto
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end
If I show the trunk status for an individual port, IOS recognizes that the port with the attached telephone is actually a trunk:
Switch#sho int f0/2 trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 off 802.1q not-trunking 11
Port Vlans allowed on trunk
Fa0/2 11-12
Port Vlans allowed and active in management domain
Fa0/2 11-12
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 11-12
However, if I do a "sho int trunk" to display all the trunk ports on the switch, IOS does not include the telephone ports in the output.
Switch#sho int trunk
Port Mode Encapsulation Status Native vlan
Fa0/45 on 802.1q trunking 12
Fa0/46 on 802.1q trunking 12
Gi0/1 on 802.1q trunking 11
Gi0/2 on 802.1q trunking 11
Port Vlans allowed on trunk
Fa0/45 2,10-19
Fa0/46 2,10-19
Gi0/1 2,10-19
Gi0/2 2,10-19
Port Vlans allowed and active in management domain
Fa0/45 2,11-13,16-17
Fa0/46 2,11-13,16-17
Gi0/1 2,11-13,16-17
Gi0/2 2,11-13,16-17
Port Vlans in spanning tree forwarding state and not pruned
Fa0/45 2,11-13,16-17
Fa0/46 2,11-13,16-17
Gi0/1 2,11-13,16-17
Gi0/2 2,11-13,16-17
So on the one hand IOS says "Yes, it is a trunk" and on the other hand it says "Nope, no trunks here!" Also notice that 'spanning-tree portfast' is configured on f0/2, not 'spanning-tree portfast trunk'. PortFast is still active on this port.
Switch#sho span int f0/2 portfast
VLAN0011 enabled
VLAN0012 enabled
Conversely, on port 45 we have a VG-224 connected and it is configured with "switchport mode trunk" and "spanning-tree portfast trunk". If I change that to just "spanning-tree portfast" we see this:
Switch#sho span int f0/45 portfast
VLAN0002 disabled
VLAN0011 disabled
VLAN0012 disabled
VLAN0013 disabled
VLAN0016 disabled
VLAN0017 disabled
Cisco has confused the issue here. I would prefer if we called a trunk a trunk, but for some reason they do not.
See you soon,
-Jeff
---
Posted by Jeff Davis of the Cisco support community App WebUser
-
I'm getting strange behavior with a Catalyst switch and 802.1x. I use multi-auth, with a PC and a Cisco phone patched in. The two devices authenticate correctly, but only the PC is authorized according to the switch logs.
Switch terminal logs:
Apr 7 09:27:37.836 EDT: %AUTHMGR-5-START: Starting 'mab' for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:37.945 EDT: %MAB-5-SUCCESS: Authentication successful for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:37.945 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Fa0/1 AuditSessionID Unassigned
Apr 7 09:27:37.970 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:39.295 EDT: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr 7 09:27:43.775 EDT: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID
Apr 7 09:27:43.783 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 212 assigned to Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr 7 09:27:45.570 EDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Config switch:
aaa authentication dot1x default group RADIUS-DOT1X
aaa authorization network default group radius
ip radius source-interface Loopback0
radius-server vsa send accounting
radius-server vsa send authentication
dot1x system-auth-control
dot1x guest-vlan supplicant
Configuration interface:
interface FastEthernet0/1
switchport mode access
srr-queue bandwidth share 10 10 60 20
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 999
authentication host-mode multi-auth
authentication order dot1x mab
authentication port-control auto
authentication periodic
authentication violation protect
mab
mls qos trust cos
auto qos voip trust
dot1x pae authenticator
no mdix auto
spanning-tree portfast
NPS Windows Server policy:
Hello Jim,
Try to use host-mode multi-domain instead of multi-auth.
Kind regards
Poonam Garg
-
802.1x authentication and phones
I have just begun to roll out 802.1x authentication and found that although I got authentication for the PCs on the data VLAN to work, phones on the VOICE VLAN do not unless I set 'authentication host-mode' to 'stream'.
We ran unauthenticated for 7 years with phones and PCs both working.
What I want to do (i.e. what management told me to move to) is to have phones connect unauthenticated (with CDP handling correct assignment of VLANs) but require the PC to authenticate.
I guess the simple question is: is this even possible? If so, any advice is greatly appreciated. (Switch config is below.)
Thank you
Arch
!
version 12.2
no service pad
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
service password-encryption
!
hostname switch
!
boot-start-marker
boot-end-marker
!
logging console emergencies
logging monitor emergencies
enable secret 5 *
!
aaa new-model
!
!
aaa authentication dot1x default group radius
!
!
!
aaa session-id common
clock timezone cst -6
clock summer-time cdt recurring
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
vtp mode transparent
no ip domain-lookup
!
!
ip igmp snooping vlan 41 mrouter interface gi1/0/27
ip igmp snooping vlan 41 mrouter interface gi1/0/28
!
mls qos
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 13
name DATA-VLAN
!
vlan 857
name VoIP-VLAN
!
vlan 1611
name GUEST-VLAN
lldp run
!
!
class-map match-all AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
match ip dscp cs3 af31
!
!
policy-map AutoQoS-Police-CiscoPhone
class AutoQoS-VoIP-RTP-Trust
set dscp ef
police 320000 8000 exceed-action policed-dscp-transmit
class AutoQoS-VoIP-Control-Trust
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 13
switchport mode access
switchport voice vlan 857
switchport port-security violation protect
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
priority-queue out
authentication control-direction in
authentication event no-response action authorize vlan 1611
authentication host-mode stream
authentication port-control auto
authentication violation protect
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x pae authenticator
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 13,857,1611
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
auto qos voip trust
!
radius-server host 10.1.2.10 auth-port 1645 acct-port 1646
radius-server key 7 *
radius-server vsa send authentication
end
Hello
Authentication with PC and phone needs "authentication host-mode multi-domain". You can use the MAC address or 802.1X (username & password) for authentication of the IP phone.
The authentication profile must send "device-traffic-class = voice" to the switch. The PC fits in the DATA domain and the phone in the VOICE domain.
See attachment:
-
When ISE goes down, none of the computers can get to the shared network or the Internet.
We run Cisco ISE 1.4 with only computer authentication and recently had a power outage for about 6 hours. When the batteries of the UPS the servers are connected to drained, none of the computers could connect to anything. The NIC on the computers showed an authentication failed error. We have "Fallback to unauthorized network access" selected on each computer. Is there a way to allow all computers access to the network and the internet as usual when the ISE servers are down?
The port configuration is more or less:
switchport access vlan 77
switchport mode access
switchport voice vlan 777
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 77
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
no snmp trap link-status
auto qos voip cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQos-VoIP-Input-Cos-Policy
service-policy output AutoQos-VoIP-output
You must use an EEM script to change the IP access list that you assigned to the interface to something with "permit ip any any" inside.
'authentication event server dead action authorize vlan 77' won't work in closed-mode configurations, which do not use a pre-authentication ACL.
-
Mac-auth-bypass fails MAC: 0000.0000.0000
I have an old JetDirect which does not support 802.1x. I enabled MAB on the port where it connects, but for some reason MAB fails. I enabled debug dot1x and pasted some of the output here. I know that my dot1x config is good... I have clients who authenticate via RADIUS to my ACS server. I also have a different port using MAB, not a JetDirect, and the two ports are configured the same way. From the debugging, it seems that the switch can't glean the MAC of the JetDirect. Any ideas? It is a 3750 with 12.2(44)SE2. I tried shut/no shut on the interface, resetting the JetDirect, nothing seems to work. I see no request on my ACS server for the MAC address of the device.
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.168.x.x auth-port 1645 acct-port 1646
interface FastEthernet2/0/31
description white A002
switchport access vlan 112
switchport mode access
switchport voice vlan 800
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x mac-auth-bypass eap
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x violation-mode restrict
dot1x timeout tx-period 2
dot1x timeout supp-timeout 10
spanning-tree portfast
spanning-tree bpduguard enable
012729: May 5 14:51:31.672: dot1x-packet: dot1x_txReq: EAPOL packet sent to the default authenticator
012730: May 5 14:51:32.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/31, changed state to
012731: May 5 14:51:33.727: dot1x-packet: Received an EAP request packet from EAP for mac 0000.0000.0000
012732: May 5 14:51:33.727: dot1x-sm: Posting EAP_REQ for client 4219220
012733: May 5 14:51:33.727: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 7 (eapReq)
012734: May 5 14:51:33.727: @ dot1x_auth_bend Fa2/0/31: auth_bend_request -> auth_bend_request
012735: May 5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_request_action called
012736: May 5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_enter called
012737: May 5 14:51:33.727: dot1x-packet: dot1x_mgr_send_eapol: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
012738: May 5 14:51:33.727: dot1x-ev:FastEthernet2/0/31: EAPOL packet to the EAP group address
012739: May 5 14:51:33.727: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet2/0/31.
012740: May 5 14:51:33.727: dot1x-registry:registry:dot1x_ether_macaddr called
012741: May 5 14:51:33.727: dot1x-ev:dot1x_mgr_send_eapol: EAPOL packet sent on FastEthernet2/0/31
012742: May 5 14:51:33.727: EAPOL pak Tx dump
012743: May 5 14:51:33.727: EAPOL Version: 0x2 type: 0x0 length: 0x0005
012744: May 5 14:51:33.727: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
012745: May 5 14:51:33.727: dot1x-packet: dot1x_txReq: EAPOL packet sent to the default authenticator
012746: May 5 14:51:35.791: dot1x-ev: Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012747: May 5 14:51:35.791: dot1x-sm: Posting EAP_TIMEOUT for client 4219220
012748: May 5 14:51:35.791: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 12 (eapTimeout)
012749: May 5 14:51:35.791: @ dot1x_auth_bend Fa2/0/31: auth_bend_request -> auth_bend_timeout
012750: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_timeout_enter called
012751: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_timeout_action called
012752: May 5 14:51:35.791: dot1x_auth_bend Fa2/0/31: idle during state auth_bend_timeout
012753: May 5 14:51:35.791: @ dot1x_auth_bend Fa2/0/31: auth_bend_timeout -> auth_bend_idle
012754: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_idle_enter called
012755: May 5 14:51:35.791: dot1x-sm: Posting AUTH_TIMEOUT for client 4219220
012756: May 5 14:51:35.791: dot1x_auth Fa2/0/31: during state auth_authenticating, got event 15 (authTimeout)
012757: May 5 14:51:35.791: @ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012758: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit called
012759: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_fallback_enter called
012760: May 5 14:51:35.791: dot1x_auth_mab: initial state mab_initialize has enter
012761: May 5 14:51:35.791: dot1x_auth_mab: during state mab_initialize, got event 2 (mabStart)
012762: May 5 14:51:35.791: @ dot1x_auth_mab: mab_initialize -> mab_acquiring
012763: May 5 14:53:08.831: dot1x_auth_mab: during state mab_acquiring, got event 3 (mabResult) (ignored)
HQ_1stFlr_3750#sh dot1x int fa2/0/31 det
Dot1x Info for FastEthernet2/0/31
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_DOMAIN
ViolationMode = RESTRICT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 10
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 2
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled (EAP)
Timeout = None
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
Does the JetDirect card use DHCP to get an IP address? If it doesn't, then the JetDirect won't send any traffic out to the switch to authenticate. To test this, use the front panel of the printer to send a ping packet and see if it triggers MAB.
-
ISE has not found any AAA Client or network devices
During authentication using 802.1x and MAB, I get an authentication failure with error 11007 (could not locate AAA Client or network device). The cause that ISE spits out is "Cannot find the network device or the AAA Client while accessing NAS by IP for authentication." I did almost everything by the book, but instead of using a loopback interface I used a VLAN with a defined IP address. Could that be the cause of the problem?
Here is the config of the port that I have tested on:
interface GigabitEthernet1/0/9
switchport access vlan 9
switchport mode access
switchport voice vlan 8
ip access-group ACL-LEAVE in
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
authentication event fail action next-method
authentication event server dead action reinitialize vlan 4
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end
Regardless, the IP address you entered in ISE when adding this switch must match the IP address of the interface configured under your "ip radius source-interface" command. In your first post you said you use an SVI for this, but in your later message I see that your RADIUS packets are coming from "interface TenGigabitEthernet1/0/1". Double-check this and make sure things match.
If you have a Loopback interface configured, it is strongly recommended that you use it as the source for these services (RADIUS, TACACS+, SNMP, Syslog, etc.).
Thank you for rating useful messages!
-
Rejected MAC addresses are not placed in the guest VLAN
Hi all
I'm kind of new to switches and have learned a lot by reading the documentation sites. My job is to activate AAA authentication on our Cisco switches; we have a 3750 stack, a few 3560s and some 3550s. I'm testing on one of the 3560s, a WS-C3560G-48PS running 12.2(53)SE1 IP-BASE. Next week I'll update the firmware to 12.2(55), but with this version everything should already work.
Basically, the only thing I'm asked to do at the moment is MAC-Auth Bypass configuration. If the MAC address is accepted, RADIUS returns the VLAN the device should be placed in, for the most part VLAN 4.
If the RADIUS (freeradius v2.1.10) server sends a reject (see below), the port is not set to the guest VLAN, as I expected it would be.
19 12/21/10 4:23:19.000 PM
Dec 21 16:23:19 10.1.1.207 37473: 2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
- Host=10.1.1.207
- SourceType=syslog
- source=udp:514
- client_mac=f0de.f119.9870
- client_action=FAIL
- LINEPROTO_LINK=AUTHMGR-5
20 12/21/10 4:23:19.000 PM
Dec 21 16:23:19 10.1.1.207 37472: 2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
- Host=10.1.1.207
- SourceType=syslog
- source=udp:514
- client_mac=f0de.f119.9870
- client_action=NOT
- LINEPROTO_LINK=MAB-5
21 12/21/10 4:23:18.000 PM
Dec 21 16:23:18 10.1.1.207 37471: 2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
- Host=10.1.1.207
- SourceType=syslog
- source=udp:514
- client_mac=f0de.f119.9870
- client_action=START
- LINEPROTO_LINK=AUTHMGR-5
Can someone tell me where I'm going wrong?
Thank you
Chris
Relevant parts of the running-config:
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
!
dot1x system-auth-control
!
interface GigabitEthernet0/29
description 235 a
switchport mode access
switchport voice vlan 2
load-interval 30
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
authentication event fail action authorize vlan 7
authentication event server dead action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
mab
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
!
interface Vlan1
ip address 10.1.1.207 255.255.255.0
!
interface Vlan2
ip address 10.1.10.207 255.255.255.0
!
ip default-gateway 10.1.1.201
ip classless
!
ip sla enable reaction-alerts
radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
radius-server timeout 10
radius-server key 7 <key removed>
radius-server vsa send accounting
radius-server vsa send authentication
!
end
VLAN information:
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Gi0/6, Gi0/8, Gi0/14, Gi0/15
                                                Gi0/18, Gi0/21, Gi0/29, Gi0/30
                                                Gi0/34, Gi0/36, Gi0/37, Gi0/49
                                                Gi0/50, Gi0/51
2    voice                            active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                Gi0/42, Gi0/43, Gi0/44, Gi0/45
                                                Gi0/46, Gi0/47, Gi0/49
3    video                            active
4    DHCP                             active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/7, Gi0/9, Gi0/10
                                                Gi0/11, Gi0/12, Gi0/13, Gi0/16
                                                Gi0/17, Gi0/19, Gi0/20, Gi0/22
                                                Gi0/23, Gi0/24, Gi0/25, Gi0/26
                                                Gi0/27, Gi0/28, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/35, Gi0/38, Gi0/39
                                                Gi0/40, Gi0/41, Gi0/42, Gi0/43
                                                Gi0/44, Gi0/45, Gi0/46, Gi0/48
5    transfer                         active
6    Test ESX                         active
7    GUEST-VLAN                       active
999  native                           active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
6    enet  100006     1500  -      -      -        -    -        0      0
7    enet  100007     1500  -      -      -        -    -        0      0
999  enet  100999     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 trcrf 101003     4472  1005   3276   -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trbrf 101005     4472  -      -      15       ibm  -        0      0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7       7       off

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Hello
Just to use the correct names: what you want is an auth-fail VLAN (which you configured correctly). The guest VLAN is for PCs that have no dot1x capability (do not respond to dot1x packets), but with MAC auth bypass the "no-response" event will never happen.
Now that we have explained that, your config actually seems quite ok. I'd go with debugs to check what the problem is.
debug radius
debug epm all
debug authentication feature mab all
debug authentication feature mda all
Nicolas
===
Remember to rate the responses that you find useful
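The %AUTHMGR-5-START / %MAB-5-FAIL / %AUTHMGR-5-FAIL messages quoted in this thread, together with the %DOT1X-5-SUCCESS and %AUTHMGR-5-VLANASSIGN lines in the multi-auth thread earlier on this page, are what a SIEM rule or a quick script would correlate per client to tell a RADIUS reject, a dead-server fallback and a phone that authenticated but was never authorized apart. The parser below is an added example, not code from any post on this page; the sample lines are constructed from the messages quoted here, and the (interface, MAC) session key and the flag names are my own choices.

```python
import re
from collections import OrderedDict

# Body of an IOS syslog message from the authentication manager (%AUTHMGR-*),
# MAC Authentication Bypass (%MAB-*) or 802.1X (%DOT1X-*).
MSG_RE = re.compile(r"%(?P<fac>AUTHMGR|MAB|DOT1X)-(?P<sev>\d)-(?P<mnem>[A-Z]+):\s*(?P<text>.*)$")
CLIENT_RE = re.compile(r"client \((?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\)")
IFACE_RE = re.compile(r"Interface (?P<iface>[A-Za-z]+\d+(?:/\d+)*)")
VLAN_RE = re.compile(r"VLAN (?P<vlan>\d+) assigned")
RESULT_RE = re.compile(r"result '(?P<result>[^']+)' from '(?P<method>[^']+)'")
START_RE = re.compile(r"Starting '(?P<method>[^']+)'")

# Constructed sample: the messages quoted in this thread and in the multi-auth
# thread above, with the MACs and AuditSessionIDs as they were posted.
SAMPLE_LINES = [
    "Apr 7 09:27:37.836 EDT: %AUTHMGR-5-START: Starting 'mab' for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09",
    "Apr 7 09:27:37.945 EDT: %MAB-5-SUCCESS: Authentication successful for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09",
    "Apr 7 09:27:37.945 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Fa0/1 AuditSessionID Unassigned",
    "Apr 7 09:27:37.970 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09",
    "Apr 7 09:27:39.295 EDT: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082",
    "Apr 7 09:27:43.775 EDT: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082",
    "Apr 7 09:27:43.783 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 212 assigned to Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082",
    "Apr 7 09:27:45.570 EDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082",
    "Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B",
    "Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B",
    "Dec 21 16:20:31.950 CET: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B",
    "Dec 21 16:20:31.950 CET: %AUTHMGR-5-VLANASSIGN: VLAN 4 assigned to Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B",
    "Dec 21 16:20:32.512 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B",
]


def parse_line(line):
    """Return the fields of one syslog line as a dict, or None if it is not an auth message."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    text = m["text"]
    rec = {"facility": m["fac"], "mnemonic": m["mnem"], "mac": None,
           "iface": None, "vlan": None, "method": None, "result": None}
    if c := CLIENT_RE.search(text):
        rec["mac"] = c["mac"].lower()
    if i := IFACE_RE.search(text):
        rec["iface"] = i["iface"]
    if v := VLAN_RE.search(text):
        rec["vlan"] = v["vlan"]
    if r := RESULT_RE.search(text):
        rec["result"], rec["method"] = r["result"], r["method"]
    if s := START_RE.search(text):
        rec["method"] = s["method"]
    return rec


def summarize(lines):
    """Fold the lines into one summary per (interface, client MAC), in first-seen order."""
    sessions = OrderedDict()
    last_client = {}  # interface -> key of the client most recently seen on it
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["mac"]:
            key = (rec["iface"], rec["mac"])
            s = sessions.setdefault(key, {"iface": rec["iface"], "mac": rec["mac"], "methods": [],
                                          "auth": None, "authz": None, "vlan": None, "flags": []})
            last_client[rec["iface"]] = key
        else:
            # VLANASSIGN carries no client MAC (and, as in the first sample, sometimes
            # no usable session id), so attribute it to the last client seen on the port.
            key = last_client.get(rec["iface"])
            if key is None:
                continue
            s = sessions[key]
        fac, mnem = rec["facility"], rec["mnemonic"]
        if fac == "AUTHMGR" and mnem == "START":
            s["methods"].append(rec["method"])
        elif fac in ("MAB", "DOT1X") and mnem == "SUCCESS":
            s["auth"] = "success"
        elif fac in ("MAB", "DOT1X") and mnem == "FAIL":
            s["auth"] = "fail"
        elif fac == "AUTHMGR" and mnem == "RESULT" and rec["result"] == "server dead":
            s["flags"].append("server-dead-fallback")
        elif fac == "AUTHMGR" and mnem == "VLANASSIGN":
            s["vlan"] = rec["vlan"]
        elif fac == "AUTHMGR" and mnem == "SUCCESS":
            s["authz"] = "success"
        elif fac == "AUTHMGR" and mnem == "FAIL":
            s["authz"] = "fail"
            if s["auth"] == "success":
                # The multi-auth symptom above: the method passed but authorization did not.
                s["flags"].append("authenticated-but-not-authorized")
    return list(sessions.values())


def findings(lines):
    """(interface, mac, flag) for every flagged session, ready for a ticket or a SIEM alert."""
    return [(s["iface"], s["mac"], f) for s in summarize(lines) for f in s["flags"]]


if __name__ == "__main__":
    for session in summarize(SAMPLE_LINES):
        print(session)
    print(findings(SAMPLE_LINES))
```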
-
Hi all
First of all, I have little experience with the configuration of Cisco switches (about half a year now) but I have read loads and loads of documentation.
I am trying to configure multi-domain authentication (MDA) on our Cisco switches using MAB and ran into something strange. Currently, only MAB is asked for by my employer.
Switch = 3560G-48, IOS version 12.2(55)SE1
RADIUS = FreeRADIUS (version 2.1.10)
On port Gi0/29 a Cisco 7961 IP phone is connected, and a laptop is plugged into the phone.
The switch configuration:
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
!
interface GigabitEthernet0/29
description 235 a
switchport access vlan 4
switchport mode access
switchport voice vlan 2
load-interval 30
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
authentication event fail retry 0 action authorize vlan 7
authentication event server dead action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
!
radius-server dead-criteria time 5 tries 5
radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
radius-server key 7 xxx
radius-server vsa send accounting
radius-server vsa send authentication
RADIUS response (for the full reply see the attached RADIUS-response.txt):
Sending Access-Accept of id 98 to 10.1.1.207 port 1645
Cisco-AVPair = "Tunnel-Type = VLAN.
Cisco-AVPair = "Tunnel-Medium-Type = 802.
Cisco-AVPair = "Tunnel-Private-Group-ID = 7.
Cisco-AVPair = "Tunnel-Preference.
So that's an Access-Accept with data VLAN assignment.
Debugging on the switch:
001776: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Received MAB context create from AuthMgr
001777: *Mar 1 09:27:35.606: mab-ev(Gi0/29): MAB authorizing MACAddress
001778: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Created MAB client context 0x2200000F
001779: *Mar 1 09:27:35.606: mab : initial state mab_initialize has enter
001780: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Sent create new context event to EAP for 0x2200000F (MACAddress)
001781: *Mar 1 10:27:35.606 CET: %AUTHMGR-5-START: Starting 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001782: *Mar 1 09:27:35.606: mab-sm(Gi0/29): Received event 'MAB_CONTINUE' on handle 0x2200000F
001783: *Mar 1 09:27:35.606: mab : during state mab_initialize, got event 1 (mabContinue)
001784: *Mar 1 09:27:35.606: @ mab : mab_initialize -> mab_authorizing
001785: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Starting MAC-AUTH-BYPASS for 0x2200000F (MACAddress)
001786: *Mar 1 09:27:35.614: mab-ev(Gi0/29): MAB received an Access Reject for 0x2200000F (MACAddress)
001787: *Mar 1 10:27:35.622 CET: %MAB-5-FAIL: Authentication failed for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001788: *Mar 1 09:27:35.622: mab-sm(Gi0/29): Received event 'MAB_RESULT' on handle 0x2200000F
001789: *Mar 1 09:27:35.622: mab : during state mab_authorizing, got event 5 (mabResult)
001790: *Mar 1 09:27:35.622: @ mab : mab_authorizing -> mab_terminate
001791: *Mar 1 09:27:35.622: mab-ev(Gi0/29): Deleted credentials profile 0x2200000F (dot1x_mac_auth_MACAddress)
001792: *Mar 1 09:27:35.622: mab-ev(Gi0/29): Sending event (2) to AuthMgr for MACAddress
001793: *Mar 1 10:27:35.622 CET: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001794: *Mar 1 10:27:35.622 CET: %AUTHMGR-5-VLANASSIGN: VLAN 4 assigned to Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001795: *Mar 1 10:27:36.512 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
So RADIUS returns an Access-Accept and the switch treats it as an Access-Reject and considers RADIUS dead.
Help would be appreciated!
Chris
Hi Chris,
In response to your last post, dynamic VLAN assignment can be achieved using the IETF RADIUS attributes as per the link:
http://Tools.Cisco.com/Squish/d1791
or using the cisco-av-pair as per the link:
http://Tools.Cisco.com/Squish/8Bd61
As for FreeRADIUS with cisco-av-pairs, please can you enable the following debugs on the switch and reproduce the problem with a client authentication attempt:
debug radius
debug authentication all
debug authentication feature all
Following the client authentication event, also take the following output from the switch:
show authentication sessions interface <interface>
I have run into problems with the cisco-av-pair case. VLAN assignment works, for example, using the case-sensitive lowercase 'tunnel-private-group-id(#81)=vlanid' instead of 'tunnel-private-group-ID(#81)=vlanid'.
When testing with 'tunnel-private-group-ID(#81)=vlanid', I get the error:
RADIUS/DECODE: parse cisco unknown vsa 'tunnel-private-group-ID' - FAIL
So, from the 2nd link, with the changes:
Cisco-avpair = "tunnel-type(#64)=VLAN(13)"
Cisco-avpair = "tunnel-medium-type(#65)=802 media(6)"
Cisco-avpair = "tunnel-private-group-id(#81)=vlanid"
If you still have an issue, please include the debug/show output above, which will shed light on the problem.
Thank you
Alex
-
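To make the two attribute styles in Alex's reply concrete, here is an added Python example (not code from the thread or from Cisco) that encodes the IETF Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID attributes (RFC 2868) and the equivalent cisco-avpair Vendor-Specific attributes in their on-wire form, parses them back, and applies the case-sensitive key matching the reply describes. The attribute numbers and the VLAN(13) / 802(6) values are the standard ones; the `(#64)` style hints in the avpair strings follow the reply. The `check_reply` helper and the constructed sample values are assumptions of this example.

```python
"""Encode/decode the RADIUS attributes that carry a dynamic VLAN assignment.

Added example, not from the thread. It builds the RFC 2868 IETF attributes
(Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6),
Tunnel-Private-Group-ID=<vlan>) and the equivalent cisco-avpair VSAs
(Vendor-Specific, vendor 9, vendor-type 1) in on-wire form, parses them back,
and treats cisco-avpair keys case-sensitively, as the reply reports the switch
does ('tunnel-private-group-ID' rejected, 'tunnel-private-group-id' accepted).
"""
import re
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
VLAN, IEEE_802 = 13, 6  # RFC 2868 values for VLAN tunnelling over 802 media
KNOWN_AVPAIR_KEYS = {"tunnel-type", "tunnel-medium-type", "tunnel-private-group-id"}


def tagged_int_attr(attr_type, value, tag=0):
    """Tagged integer attribute: Type, Length, 1-byte Tag, 3-byte value."""
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def tagged_string_attr(attr_type, text):
    """Tagged string attribute sent without a tag (first byte > 0x1F is data)."""
    body = text.encode("ascii")
    return bytes([attr_type, 2 + len(body)]) + body


def cisco_avpair(text):
    """Vendor-Specific(26) wrapping vendor 9 / vendor-type 1 (cisco-avpair)."""
    body = text.encode("ascii")
    vsa = bytes([CISCO_AVPAIR, 2 + len(body)]) + body
    return bytes([VENDOR_SPECIFIC, 6 + len(vsa)]) + struct.pack("!I", CISCO_VENDOR_ID) + vsa


def ietf_vlan_attributes(vlan_id):
    """The three IETF attributes (first link in the reply above)."""
    return (tagged_int_attr(TUNNEL_TYPE, VLAN)
            + tagged_int_attr(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + tagged_string_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))


def cisco_vlan_attributes(vlan_id):
    """The same assignment as cisco-avpair strings, lowercase keys as in the reply."""
    return (cisco_avpair("tunnel-type(#64)=VLAN(13)")
            + cisco_avpair("tunnel-medium-type(#65)=802 media(6)")
            + cisco_avpair(f"tunnel-private-group-id(#81)={vlan_id}"))


def parse_attributes(data):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def avpair_key(text):
    """'tunnel-private-group-id(#81)=4' -> 'tunnel-private-group-id' (hint stripped, case kept)."""
    return re.sub(r"\(#\d+\)$", "", text.partition("=")[0].strip())


def assigned_vlan(data):
    """Return the VLAN id carried by IETF Tunnel-* or cisco-avpair attributes, else None.

    Raises ValueError for a cisco-avpair key that differs from a known key only
    in case: the switch logs it as an unknown VSA and the assignment fails.
    """
    ietf, avp = {}, {}
    for t, v in parse_attributes(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            ietf[t] = int.from_bytes(v[1:], "big")  # skip the tag byte
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            ietf[t] = (v[1:] if v[0] <= 0x1F else v).decode("ascii")  # optional tag byte
        elif t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            for sub_type, sub_val in parse_attributes(v[4:]):
                if sub_type != CISCO_AVPAIR:
                    continue
                text = sub_val.decode("ascii")
                key = avpair_key(text)
                if key not in KNOWN_AVPAIR_KEYS:
                    if key.lower() in KNOWN_AVPAIR_KEYS:
                        raise ValueError(f"parse cisco unknown vsa {key!r}: keys are case-sensitive")
                    continue  # unrelated avpair (e.g. device-traffic-class), ignore
                avp[key] = text.partition("=")[2].strip()
    if (ietf.get(TUNNEL_TYPE) == VLAN and ietf.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
            and TUNNEL_PRIVATE_GROUP_ID in ietf):
        return int(ietf[TUNNEL_PRIVATE_GROUP_ID])
    if avp.get("tunnel-type", "").startswith("VLAN") and "tunnel-private-group-id" in avp:
        return int(avp["tunnel-private-group-id"])
    return None


def check_reply(data):
    """Return (vlan, error) so a caller can report a rejected VSA without an exception."""
    try:
        return assigned_vlan(data), None
    except ValueError as exc:
        return None, str(exc)
```

The point of the decoder is to show why the reply's uppercase variant fails: the key comparison is exact, so 'tunnel-private-group-ID' never matches and the whole assignment is dropped rather than the key being normalised. Feeding the encoder's output through a RADIUS test client is a quick way to confirm a server's reply attributes before touching the switch.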
MAB with Cisco Phone - authorization failed
Hello everyone,
I use MAB to authenticate clients and Cisco IP phones against a Microsoft NPS RADIUS server. Everything works perfectly, except for one Cisco phone. The phone authenticates successfully but authorization fails. The switch port has the following configuration.
switchport access vlan 500
switchport mode access
switchport nonegotiate
switchport voice vlan 92
no logging event link-status
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10800
authentication timer inactivity 1800
mab
no snmp trap link-status
mls qos trust device cisco-phone
mls qos trust cos
macro description mab
auto qos voip cisco-phone
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
I get the following RADIUS logging of the client authentication process.
May 7 15:24:53.349: RADIUS: 4D 8F 05 AB 00 00 01 37 00 01 02 00 0A 19 0A 84 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 5F 79 [ M7G*p_y]
May 7 15:24:53.349: RADIUS: Vendor, Cisco [26] 34
May 7 15:24:53.349: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
May 7 15:24:53.358: RADIUS(00002749): Received from id 1645/128
May 7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May 7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
SER-02-SW01#clear authentication
May 7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
I checked online and blogs and forums suggest checking the use of downloadable access lists, but they are not used on the switch. As mentioned, all Cisco IP phones work perfectly, except this one. I have already removed the Active Directory object and created a new object from scratch, but with the same result. I also tried another port on the switch, yet again an authorization failure.
Currently, I don't know where to look further, so maybe some of you can help me!
Thanks for the update, René. I had suggested disabling and re-enabling dot1x globally to see where it was getting stuck. However, it seems that idea did not pan out. I would appreciate it if you mark it resolved so that someone else can benefit from it.
You're welcome
Good day!
Jatin kone
-Do rate helpful posts-
-
Can't SSH into or browse remote devices (MX300 or EX90 phones)
Hello
For the EX90 devices, which use a second monitor, I can remote into the laptop.
interface GigabitEthernet4/0/24
description EX90
switchport access vlan 20
switchport mode access
switchport voice vlan 799
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
spanning-tree portfast
end
For the MX300 devices the interface configuration is:
interface GigabitEthernet2/0/20
description MX300 VIDEO
switchport access vlan 99
switchport mode access
spanning-tree portfast
end
Hello
The first things you should check:
Can you ping the device?
Are the network settings correct?
Is the device configured with a static VLAN?
Is CDP enabled?
If you connect a PC directly to your device, are you able to access SSH or the web interface?
Can you try another network cable?
Regards
Paulo Souza
Was my answer helpful? Please rate helpful answers and do not forget to mark resolved questions as "answered."
-
Setup of QoS for WhatsApp and a VOIP application
Hello guys,
I have a WAG320N modem. I wanted to configure QoS priority for 2 applications, 'WhatsApp' and a VOIP application that allows me to call from a computer to a mobile phone. I use torrent applications and they take all the bandwidth. That's why I was looking to configure QoS for these two applications.
I went to the QoS page and it asks for application details such as the port range etc. I don't know what values to fill in. I posted a screenshot below of what it asks for. Can someone help me fill out these details for both applications?
Thanks in advance
Image: http://i40.tinypic.com/2qi02z5.jpg
You can essentially add Viber to QoS. Under Applications and Gaming > QoS, click to enable Internet Access Priority. Under Category, select Applications > Add a New Application. You can enter the name of the application. You can now add the port numbers. And since it is a specific port and not a range, do it this way:
5242 - 5242 TCP (for Protocol)
4244 - 4244 TCP
5243 - 5243 UDP
9785 - 9785 UDP
I hope this helps.
-
I am trying to improve our telephone quality problems. Things like tape backups, heavy downloads etc. are causing the phones to get all crackly. I don't know where to start. Everyone says VLANs, but I don't know if this is the best choice. I don't know anything about QoS on the SGE2000P switches. I keep reading, but it doesn't get any clearer. I need a little direction. I see things about VLANs, basic QoS and advanced QoS and do not know which route to go.
I have 3 stacks, 8 switches in total, all SGE2000P on the same network segment. The main stack is connected to the smaller stacks by fibre optic cable. Some computers are connected through the VoIP phones due to the lack of wiring inside the building, but a lot of phones have a dedicated line to the switches.
Think of phones as three-port switches (because that's what they are). One port is the phone itself, one port goes to the switch and one port goes to a PC. On a switch, when you set a port as a trunk you can tag traffic for VLANs, creating separate virtual LANs on a single physical link. Similarly, on the phone side, when you configure an IP phone to use a VLAN you are telling the phone to have a trunk port to your switch and to communicate on that tagged VLAN.
The native VLAN is the untagged VLAN. Computers don't understand VLANs and just send untagged traffic, so when you connect the PC to the back of the phone it will operate the same as it does now; the difference will be that the phone will be on a different subnet and VLAN.
Taking VLAN 100 for voice as an example, you need to change the IP address of your IP PBX to something in a new subnet such as 192.168.100.1/24 and create a port on a switch that is put in VLAN 100. Connect that to your firewall for inter-VLAN routing. Then find a way to get the phones an IP address in the new subnet and updated configs that use VLAN 100 and point at 192.168.100.1. If you configure inter-VLAN routing properly beforehand, you should be able to reboot a phone, have it come up on the data VLAN, get a new configuration that specifies VLAN 100, reset again and this time come up on VLAN 100 with the new address and function properly.
-
Implementing VLAN / QoS for VOIP on the RV180
I posted earlier about setting up VLAN / QoS for VOIP on the SG200-18 (see: https://supportforums.cisco.com/discussion/12193666/setting-vlan-and-qos...).
I did go ahead and buy the RV180. I connected it to the SG200-18.
I wish to proceed with implementing VLAN / QoS on the RV180 so my VOIP phone (a Grandstream wireless VOIP phone) is on its own VLAN separate from the rest of the network, and to make sure that all QoS settings are optimized to give the VOIP phone first priority on the network.
Currently I still have the VOIP phone connected to the SG200-18 as stated in the previous post.
Here are my questions:
1. Should I leave the VOIP phone connected to the SG200-18 and configure all the VLANs, switch VLANs and voice VLAN settings down to the VOIP phone, or should I plug the VOIP phone into the RV180? Which would give me better performance and be easier to do?
2. How can I place the VOIP phone on its own VLAN, in addition to optimizing QoS settings so it gets top priority on the network?
3. I currently have the VOIP phone set with a reserved DHCP address in the 192.168.x range. When moving to the VLAN, do I need to change the DHCP reservation and/or my firewall settings (it goes through the firewall as well)?
4. I am also getting a Grandstream office VOIP phone to beta-test. When I install it, do I plug it directly into the RV180 or the SG200-18, and do I put it on the same VLAN as the Grandstream wireless VOIP phone or a different VLAN? It also supports PoE, but neither the RV180 nor my SG200-18 model does. If I use an external power supply, will connecting each device be OK or might it get fried?
Thank you!
Hello
1. Should I leave the VOIP phone connected to the SG200-18 and configure all the VLANs, switch VLANs and voice VLAN settings down to the VOIP phone, or should I plug the VOIP phone into the RV180? Which would give me better performance and be easier to do?
There will not be much difference between being on the switch or on the router, so it comes down to simplicity of configuration more than performance. If you plug the phone directly into the router, you really won't have to disturb VLAN trunking or any of that on the switch.
It is really whatever is more convenient, but if you are able to plug into the RV directly I wouldn't worry about QoS on the switch.
So let's talk about the implementation on the RV180.
First go to Networking > LAN > VLAN Membership. Enable VLANs, and add a new VLAN for voice (most people use 100 for voice for some reason, but it does not matter). You will want to set the port that the phone is plugged into as untagged for the new voice VLAN, and you can exclude the data VLAN from the port.
Then go to Multiple VLAN Subnets and configure the address range / DHCP configuration for the new subnet (for example 192.168.100.0), if you do not want to use the one it gives you (this makes things a bit easier).
Finally, to enable QoS on the RV, go to QoS > WAN QoS Profiles. Enable WAN QoS, make sure it is set to priority mode and add a new entry to the table. You can name it anything you want (I used VoIP), then set it to high priority.
Then go down to the Profile Binding page and add a new entry there. Select the profile you just created in the drop-down menu, set the service to Any, select the VLAN traffic selector and make sure the VLAN drop-down menu shows the VoIP VLAN.
At this point we have a configuration where voice traffic (or basically anything on the voice VLAN) will have priority when it goes out the WAN interface.
3. I currently have the VOIP phone set with a reserved DHCP address in the 192.168.x range. When moving to the VLAN, do I need to change the DHCP reservation and/or my firewall settings (it goes through the firewall as well)?
The second VLAN should have a different subnet configuration, as I mentioned above. During this process you will set up the DHCP server for the new VLAN as well. You can adjust your reservations for the phones, but it does not really matter what IP they get, since we are prioritizing the whole voice VLAN, so you don't have to set up a reservation unless you really want to.
4. The Grandstream phone.
I would put the Grandstream (and any other VoIP phones you might get) in the voice VLAN so that it gets the same priority treatment. At that point, with multiple devices, you can indeed set up a trunk to the switch (normal VLAN untagged and voice VLAN tagged) and configure the ports to the voice VLAN for these phones. That will ensure the switch gives priority to voice traffic, even if it is probably not as important internally as it is on the WAN.
Regarding a PoE device connected to a non-PoE switch or router, there will be no problems. I'm guessing the phone also comes with an AC adapter. It will not feed that power back into the wire just because it's PoE; it's pretty much a one-way circuit.
Hope that helps,
Christopher Ebert - Advanced Network Support Engineer
Cisco Small Business Support Center
* Please rate helpful posts *