Ip phone and pc VLAN security issue - ISE 1.0
Hello there.
We are about to implement IP phones on our current network, and during testing I have found two issues.
1. The IP phone connects to a protected port using ISE MAB authentication for the data network. The voice VLAN is configured statically on the port; the PC VLAN is assigned by ISE profiling.
The issue is that once the PC behind the IP phone is placed in the VLAN it belongs to, that VLAN stays open on the port. If I then connect another PC, it gets the VLAN the port originally opened for the first connection. This is a big security issue, since computers that should not be allowed on a specific VLAN can access it this way.
2. Once the connection is up and running on the port for both the phone and the PC, re-authentication to ISE happens every minute. The authentication logs fill with messages for just one port. Once we go from 2 IP phones to 500, that is definitely going to generate a lot of unnecessary traffic.
Let me know your thoughts... thanks.
Port config info below:
interface GigabitEthernet0/2
 description Extra port by Camilos Desk
 switchport mode access
 switchport voice vlan 220
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 mls qos trust cos
 snmp trap mac-notification change added
 auto qos trust
 spanning-tree portfast
end
On #1:
You have to make sure that the
"authentication host-mode multi-domain" command is under each port.
This will allow one voice VLAN and only one PC VLAN at any given time. If you disconnect a PC and connect another PC MAC address to it, the phone will reinitialize to accept or reject the new MAC based on its profile.
On #2:
I have not found a solution. But what I have found after deployment is that it has happened only on 2 VoIP phones, out of the 70 that we have as of now. So it might be related to ISE.
On the other hand, we are not using Cisco phones but Mitel. So this might be a whole issue on its own.
Hope this helps.
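As an added example (not code from the original thread), the following Python script audits pasted IOS port stanzas for the two problems raised in this post: multi-auth on a port that carries a voice VLAN, and periodic re-authentication whose interval is taken from the server. The sample config is constructed from the Gi0/2 port above; the Gi0/3 port and the finding texts are this example's own assumptions.

```python
"""Audit IOS access-port stanzas for the multi-auth / voice VLAN exposure
and the server-driven re-auth timer discussed in the thread (added example)."""

# Constructed sample: the poster's Gi0/2 trimmed to the relevant lines, plus a
# hypothetical Gi0/3 carrying the multi-domain fix.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 switchport mode access
 switchport voice vlan 220
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
!
interface GigabitEthernet0/3
 switchport mode access
 switchport voice vlan 220
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 3600
 mab
!
"""


def parse_interfaces(config):
    """Split a config into {interface name: [sub-commands]}; tolerates pastes
    that lost the one-space IOS indentation (stanza ends at 'interface', '!' or 'end')."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("!", "end"):
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_port(name, cmds):
    """Return finding strings for one port; an empty list means clean."""
    findings = []
    has_voice = any(c.startswith("switchport voice vlan") for c in cmds)
    host_mode = next((c.split()[-1] for c in cmds
                      if c.startswith("authentication host-mode")), "single-host")
    # Issue 1: with a voice VLAN, anything but multi-domain leaves room for a
    # second data MAC to ride the authorization granted to the first PC.
    if has_voice and host_mode != "multi-domain":
        findings.append(f"{name}: voice VLAN with host-mode {host_mode}, use multi-domain")
    # 'authentication open' forwards traffic before authorization completes:
    # fine for a monitor-mode pilot, not for a port meant to gate VLAN access.
    if "authentication open" in cmds:
        findings.append(f"{name}: authentication open, pre-authorization traffic allowed")
    # Issue 2: 'reauthenticate server' takes the interval from the RADIUS
    # Session-Timeout ISE returns, so a short value there re-auths every port.
    if ("authentication periodic" in cmds
            and "authentication timer reauthenticate server" in cmds):
        findings.append(f"{name}: re-auth interval set by ISE Session-Timeout, verify it")
    return findings


def audit_config(config):
    """Audit every stanza that carries authentication commands."""
    return {name: audit_port(name, cmds)
            for name, cmds in parse_interfaces(config).items()
            if any(c.startswith("authentication ") for c in cmds)}
```

Run `audit_config(SAMPLE_CONFIG)` against a `show running-config` paste to get findings per port; Gi0/2 yields three, Gi0/3 none.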
Similar Messages
Cisco ip phone and wired user authenticate form ISE
Hi dears,
I configured wired users on Cisco ISE. The authentication protocol is EAP-FAST and the external identity source is a DC. The wired users authenticate from ISE normally. I used the labminutes website's configuration videos.
Now the customer also wants the Cisco phone to authenticate from ISE. The physical connection is: a cable connects the phone to the switch, and another cable connects the phone to the PC (standard physical connection).
I created a new authentication policy using MAB, and a new authorization policy.
The problem is: the phone authenticates normally, but the wired user cannot authenticate.
Can someone provide a best-practice configuration on ISE and the switch for phone and wired-user authentication, or point out the source of the problem?
Thanks.
interface GigabitEthernet1/0/48
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 14
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 20
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
Do you need the ISE configuration?
-
How to configure SGE2000P with CISCO 7900 phones and data VLAN
Hello all
I am having problems setting up SGE2000P switches to work with my default data VLAN and an additional voice VLAN. I configured them so that phones pick up an IP address from the voice VLAN, which works fine, but when I connect a PC to the phone's port it also picks up an IP from the voice VLAN, while the default VLAN is data with a different IP scope.
Is there any good discussion or document out there to help me resolve this issue before I pack these switches up and purchase the ESW 500 series? I have ESW 500s at another client and they work fine out of the box, but this one is giving me a hard time.
Any suggestions or help will be appreciated.
Mo
Hi Muhammed,
I suggest you contact the Small Business Support Center for some help:
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Regards,
Cindy Toy
Cisco Small Business Community Manager
for Cisco Small Business Products
www.cisco.com/go/smallbizsupport
twitter: CiscoSBsupport
-
Cisco 877W Dual SSID/VLAN Security Issue
Hi All
I have an issue with my 877W that is as fascinating as it is frustrating. I have two SSIDs/VLANs, one for trusted LAN users (PRIVATE) and one for guests (GUEST). The PRIVATE network is secured from the GUEST network by a zone-based firewall. Everything works fine, and guest devices cannot access private devices, except for one thing: the BVI interface on the PRIVATE network is always accessible to guest devices, and all services are open to attack, e.g. telnet/ssh/http/dns etc. I've tried everything to secure this interface from the guest network, including putting deny any any on the physical, BVI and VLAN interfaces.
Am I missing something obvious, or some fundamental architecture of the 877 that would stop this interface being secured? Any help appreciated!
P.S. The config has been pared down to basics below:
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname ROUTER

boot-start-marker
boot-end-marker

logging buffered 4096
enable secret 5 $1$BdpF$r/mAhQGYs8LBlqEpANmke0

no aaa new-model

dot11 syslog

dot11 ssid PRIVATE@123
 vlan 100
 authentication open
 authentication key-management wpa
 wpa-psk ascii 7 046B0A535A15441D2D0C11141A5A5F

dot11 ssid VISITOR@123
 vlan 200
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 03374C0A08392040420C00

ip source-route

no ip dhcp conflict logging
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 192.168.0.1 192.168.0.10

ip dhcp pool GUEST
 utilization mark low 70 log
 network 172.16.1.0 255.255.255.0
 dns-server 192.168.0.1 61.9.242.33 61.9.226.33
 default-router 172.16.1.1

ip dhcp pool PRIVATE
 utilization mark low 70 log
 network 192.168.0.0 255.255.255.0
 dns-server 192.168.0.1 61.9.242.33 61.9.226.33
 default-router 192.168.0.1

ip cef
no ipv6 cef
multilink bundle-name authenticated

username cisco privilege 15 password 7 073F205F5D1E491713

policy-map type inspect PM-DENYGUEST
 class class-default
  drop

zone security GUEST
zone security PRIVATE
zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
 service-policy type inspect PM-DENYGUEST

bridge irb

interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive

interface FastEthernet0
 no ip address

interface FastEthernet1
 switchport access vlan 100
 no ip address

interface FastEthernet2
 switchport access vlan 100
 no ip address

interface FastEthernet3
 no ip address

interface Dot11Radio0
 no ip address
 encryption vlan 100 mode ciphers aes-ccm
 encryption vlan 200 mode ciphers aes-ccm
 broadcast-key vlan 100 change 30
 broadcast-key vlan 200 change 30
 ssid PRIVATE@123
 ssid VISITOR@123
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root

interface Dot11Radio0.100
 encapsulation dot1Q 100 native
 zone-member security PRIVATE
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding

interface Dot11Radio0.200
 encapsulation dot1Q 200
 zone-member security GUEST
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding

interface Vlan1
 no ip address

interface Vlan100
 no ip address
 bridge-group 1

interface Vlan200
 no ip address
 bridge-group 2

interface Dialer0
 ip address negotiated
 ip access-group 101 out
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password 7 10580A4F1C4005005B

interface BVI1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security PRIVATE

interface BVI2
 ip address 172.16.1.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security GUEST

ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server

ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0

logging trap debugging
logging 192.168.0.11

control-plane

bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip

line con 0
 exec-timeout 5 0
 no modem enable
 transport output all
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
line vty 0 4
 exec-timeout 5 0
 login local
 transport input telnet ssh
 transport output none

end
Ignore that. The self zone got me. Argh! Phew!
-
Safari and Firefox crashing - Security issue?
I was running Safari 2.X.X (I think it was 2.0.4 and Tiger 10.4.X) when Safari started crashing. The crashing was every 10 minutes or so, but eventually Safari crashed almost instantly when opening, even if all I did was open Safari from my Dock.
I tried using Firefox, but that too, started crashing almost instantly, after being opened.
I restarted my PowerBook (G4, 1.33) and the problem still remained. I then updated OS X Tiger to 10.4.11 which also upgraded Safari to 3.0.4. After the update, Safari crashed once or twice, but then has been stable for "a while now." However, Firefox still crashes like mad (Edit: Firefox has now remained open and not crashed for a few minutes now).
Is there anyway a virus/spyware/malware caused this crashing? A search of the Internet seemed to indicate things like corrupt preferences or issues with Input Managers. However, I'd like a little more reassuring, as well as suggestions to why Safari now seems to work ok, but Firefox still crashes.
Any suggestions or comments?I can't speak for Firefox (do you have the latest version?) but
If your Safari keeps crashing, or if you are updating Safari (or just have):
Input Managers and other plug-ins from third parties can do as much harm as good. They use a security loophole to reach right into your applications' code and change that code as the application starts up. If you have installed 10.4.11 and Safari is crashing, the very first thing to do is clear out your InputManagers folders (both in your own Library and in the top-level Library), log out and log back in, and try again.
So, disable all third party add-ons before updating Safari, as they may not have been updated yet for the new version. Add them back one by one. If something goes awry, remove it again and check on the software manufacturer's website for news of an update to match your version of Safari. Remember: Tiger up to 10.4.10 used Safari 2.0.4 or, if you downloaded it, Safari 3.0.3 beta. Safari 10.4.11 uses Safari 3.0.4 which is not a beta. If Safari 3.0.4 on 10.4.11 is not the fastest browser you have ever used, then something is wrong!
(Trying to revert to Safari 2 when running 10.4.11 can have repercussions, as Safari 3.0.4 uses a completely different webkit on which other applications like iChat, Mail, Dashboard widgets etc also rely.)
Most errors reported here after an update are due to an unrepaired or undetected inherent fault in the system, and/or a third party ad-on. Add-on that have been frequently mentioned here, among others, for causing such problems are Piclens, Saft, AcidSearch and Pithhelmet. If you have them, trash them and go the developer's sites to see if new versions are available for Safari 3.0.4.
You should also ensure, if you are running Tiger 10.4.11, that you have downloaded and installed the correct version for your Mac of Security Update 2008-001.
As Leopard also uses Safari 3.0.4, much of the above may well also apply to Leopard, but is not guaranteed. -
i had to get an internet conection from a friend to download akll my apps evrytime i sync with my pc wich already had itunes all apps except statup are gone only thing left was an i tunes song i brought from itunes each time i use my apple id pass word it tells me to retry i do this 4 to 5 times and some times have no success my latest issue was my sim locking buy itself then asking me to put in a sim without a lock , i only have 1 sim i brought 2 phones and have had no issues with the other phone and when i do have the original startup apps i can not move or arange them thru itunes apps and i cannot use sim from other iphone pls help evry1 i ask wouldnt have a clue because there having there own dificulties
If you also backed up to your computer - you can restore from that backup - to retrieve the files. As far as I know- that should have no bearing on deleting them from iCloud - they should still be in that backup.
If you used iOS file sharing with your computer - and saved the files to your computer - you can retrieve them from there.
if the only place that the files were saved to was iCloud, I know of no way to get them back. -
802.1x with Vlan assignment and IP phone and PC
I have a Catalyst 4510R and I want to implement 802.1x with dynamic VLAN assignment via a RADIUS server. I am going to plug Cisco IP phones and PCs into the switch ports (the PCs are plugged into the IP phones).
For this implementation I need to configure the switch port in trunk mode, because I have a voice VLAN corresponding to the IP phone and a data VLAN corresponding to the PC.
However, I have read that I cannot enable 802.1x on a trunk port.
How could I configure this?
I need that when the PC is authenticated correctly it is assigned to its corresponding data VLAN, and the IP phone is in the voice VLAN.
Thanks
You should configure the port as an access port with an aux VLAN. Here's an example:
interface GigabitEthernet2/2
 switchport access vlan 701
 switchport mode access
 switchport voice vlan 702
 load-interval 30
 qos trust device cisco-phone
 qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x port-control auto
 tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy output autoqos-voip-policy
Hope this helps,
-
Potential Security Hole with 802.1x and Voice VLANs?
I have been looking at 802.1x and voice VLANs, and I can see what I think is a bit of a security hole.
Suppose a user has no authentication details to gain access via 802.1x (i.e. they have not been given a user ID, or the PC doesn't have a certificate, etc.). If they attach a PC to a switchport that is configured with a voice VLAN (or disconnect an IP phone and plug the PC directly into the switchport), they can easily see, via packet sniffing, the CDP packets that contain the voice VLAN ID. They can then easily create a tagged virtual NIC (via the NIC utilities or driver, etc.) with the voice VLAN 802.1Q tag. Assuming DHCP is enabled for the voice VLAN, they will be assigned an IP address and have access to the IP network. I appreciate that the VLAN can be locked down at Layer 3 with ACLs so that any non-voice-related traffic is blocked, but in this scenario hasn't the user successfully bypassed 802.1x authentication and gained access to the network?
Has anyone done any research into this potential security hole?
Thanks
Andy
Thanks for the reply. To be honest, we would normally deploy some or all of the measures you list, but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
As I said, I think this is a hole, but I don't see any solutions at the moment except 802.1x on the IP phone, although at the moment you can't do this with voice VLANs?
Andy
-