Elan Shudnow's Blog


Configuring Lync DHCP using Cisco DHCP Servers (VLAN and PIN Auth)

May 2, 2011 by Elan Shudnow

I recently had a project where all DHCP servers were Cisco switches. During the configuration, we noticed that one DHCP configuration worked on some of the Cisco switches but not on the rest; eventually we found a configuration that worked on all of them. More on the specifics in the VLAN section below. In this article, I will show you how to work out the hex values for DHCP options 120 and 43 on a Cisco switch, as well as how to configure the VLAN ID using the two methods described in the VLAN section. Thanks to Dave Howe from Microsoft for helping out with the PIN Authentication settings for Cisco DHCP.

PIN Authentication Settings

STEP 1

Run DHCPUtil.exe to obtain the hex data values for DHCP Options 120 and 43:

C:\Program Files\Microsoft Lync Server 2010\> DHCPUtil.exe -sipserver  pool01.contoso.com

Sip Server FQDN:  pool01.contoso.com

Certificate Provisioning Service URL:  https://pool01.contoso.com:443/CertProv/CertProvisioningService.svc

Option 120: 00076578616D706C6503636F6D00

Vendor Class Identifier: MS-UC-Client

Option 43 (for vendor=MS-UC-Client):

Sub-Option 1 <UC Identifier>: 4D532D55432D436C69656E74

Sub-Option 2 <URL Scheme>: 6874747073

Sub-Option 3 <Web Server FQDN>: 6578616D706C652E636F6D

Sub-Option 4 <Port>: 343433

Sub-Option 5 <Relative Path for Cert Prov>: 2F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663

STEP 2

Build the DHCP Option 120 hex value for Cisco DHCP from the DHCPUtil.exe output. Option 120 is used as-is:

Option 120 = hex 00076578616D706C6503636F6D00

STEP 3

Build the DHCP Option 43 hex value for Cisco DHCP from the DHCPUtil.exe output. Unlike Option 120, the five sub-options must each be wrapped with a code byte and a length byte before they are concatenated.

Note: Format of the DHCP Option 43 hex value. Each sub-option is encoded as a one-byte sub-option code, a one-byte length, then the data bytes, and the five sub-options are placed back to back:

Sub-Option 1     Sub-Option 2     Sub-Option 3     Sub-Option 4     Sub-Option 5
01 Length Data   02 Length Data   03 Length Data   04 Length Data   05 Length Data

The Length byte is the number of bytes of Data, written as two hex digits. Since every byte of Data is two hex characters in the DHCPUtil.exe output, Length = (number of hex characters of Data) / 2.

  1. Compile Sub-Option 1 from the DHCPUtil.exe output (UC Identifier "MS-UC-Client": 24 hex characters, so Length = 12 = 0C):
     01 Length Data
     010C4D532D55432D436C69656E74
  2. Compile Sub-Option 2 from the DHCPUtil.exe output (URL Scheme "https": 10 hex characters, so Length = 5 = 05):
     02 Length Data
     02056874747073
  3. Compile Sub-Option 3 from the DHCPUtil.exe output (Web Server FQDN "example.com": 22 hex characters, so Length = 11 = 0B):
     03 Length Data
     030B6578616D706C652E636F6D
  4. Compile Sub-Option 4 from the DHCPUtil.exe output (Port "443": 6 hex characters, so Length = 3 = 03):
     04 Length Data
     0403343433
  5. Compile Sub-Option 5 from the DHCPUtil.exe output (Relative Path "/CertProv/CertProvisioningService.svc": 74 hex characters, so Length = 37 = 25):
     05 Length Data
     05252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663

     

STEP 4

Combine the five Sub-Option values to build the DHCP Option 43 hex value for Cisco DHCP:

Compiled DHCP Option 43:

Sub-Option 1     Sub-Option 2     Sub-Option 3     Sub-Option 4     Sub-Option 5
01 Length Data   02 Length Data   03 Length Data   04 Length Data   05 Length Data

010C4D532D55432D436C69656E7402056874747073030B6578616D706C652E636F6D040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663

VLAN ID Settings with PIN Authentication Settings

There are a few ways to make this work:

  • Link Layer Discovery Protocol (LLDP)
  • DHCP, for which we found two different configurations that work. DHCP is what this article covers.

Now let's say we have two VLAN IDs on the same ports: 208 (Data) and 209 (Voice). The idea is to move the phone from the Data VLAN to the Voice VLAN. As stated earlier, we found two methods of configuring the VLAN ID settings. The first I will show is how it worked on a switch that supported LLDP: a Catalyst 4507R with SUP-IV, IOS version (cat4500-ENTSERVICESK9-M), Version 12.2(54)SGI. The second is how it worked on a switch that was not LLDP capable: a Catalyst 6513 with SUP720 (S72033_rp-PK9SV-M), Version 12.2(18)SXD7 or higher. Thanks to my client for enduring the painful process of figuring out the configuration below, for explaining what he did to get the Cisco DHCP configured for the VLAN ID, and for providing the switch information, which you can see in the first two comments on this article.

LLDP Switch Data Scope (annotations are IOS "!" comments, not part of the configuration)

ip dhcp pool Data14_Lync
 ! VLAN 208 (Data)
 option 10 hex 00d1
 ! decimal 209, the Voice VLAN the phone should move to (0x00d0 would be 208)
 option 60 ascii "CPE-OCPHONE"

LLDP Switch Voice Scope

ip dhcp pool Voice14_Lync
 ! VLAN 209 (Voice)
 option 10 hex 00d1
 ! decimal 209, the Voice VLAN
 option 60 ascii "CPE-OCPHONE"
 option 43 hex 010C4D532D55432D436C69656E7402056874747073030B6578616D706C652E636F6D040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663
 option 120 hex 00076578616D706C6503636F6D00

Non-LLDP Switch Data Scope

When we noticed that the LLDP switch scope configuration wouldn't work on a non-LLDP switch, we tried the same thing on Windows DHCP. My client sniffed the traffic and found that Windows DHCP passed the VLAN ID information back to the client inside option 43. So what we did in option 43 is specify an option 10 sub-option. In the value 0a0200d1, the 0a is the sub-option code (decimal 10), the 02 is the length of the data field (number of hex characters divided by 2), and the 00d1 is the hex value of the VLAN ID the phone should move to (decimal 209, the Voice VLAN).

ip dhcp pool Data14_Lync
 ! VLAN 208 (Data); sub-option 10 carries the target VLAN 209
 option 43 hex 0a0200d1

Non-LLDP Switch Voice Scope

ip dhcp pool Voice14_Lync
 ! VLAN 209 (Voice)
 option 120 hex 00076578616D706C6503636F6D00
 option 43 hex 010C4D532D55432D436C69656E7402056874747073030B6578616D706C652E636F6D040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663
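The following Python script is an added example and is not part of the original article, nor is it output of DHCPUtil.exe. It encodes the Option 120 value (RFC 3361 FQDN form: a 0x00 encoding byte followed by the name as DNS labels) and the Option 43 sub-options from STEP 2 through STEP 4, encodes the sub-option 10 VLAN value used in the non-LLDP Data scope above, and decodes an Option 43 value back into its sub-options so that a value cut short by a length limit is detected rather than silently handed to phones. The constants are the values from the DHCPUtil output on this page; the function names, the 4094 VLAN upper bound, and the colon-separated dhcpd_hex format (which one commenter reports ISC dhcpd needs) are my own assumptions.

```python
import struct
from typing import Dict, List, Tuple

# Values taken from the DHCPUtil.exe output shown in STEP 1 of the article.
UC_IDENTIFIER = "MS-UC-Client"
URL_SCHEME = "https"
WEB_SERVER_FQDN = "example.com"
PORT = "443"
CERT_PROV_PATH = "/CertProv/CertProvisioningService.svc"
SIP_SERVER_FQDN = "example.com"   # name carried in Option 120


def encode_option120(fqdn: str) -> bytes:
    """RFC 3361 SIP server option, FQDN form: enc byte 0x00, then the name
    as length-prefixed DNS labels, terminated by a zero-length label."""
    out = bytearray([0x00])
    for label in fqdn.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad DNS label: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0x00)
    return bytes(out)


def encode_suboption(code: int, data: bytes) -> bytes:
    """One TLV: 1-byte sub-option code, 1-byte length (bytes of data), data."""
    if not 0 < code < 255 or len(data) > 255:
        raise ValueError("sub-option code or data length out of range")
    return bytes([code, len(data)]) + data


def encode_option43(subopts: Dict[int, bytes]) -> bytes:
    """Concatenate the TLVs in ascending sub-option order."""
    return b"".join(encode_suboption(c, d) for c, d in sorted(subopts.items()))


def decode_option43(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs; a length that runs past the end means the value was
    truncated (e.g. by a switch limit on the hex string length)."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError(f"truncated sub-option header at offset {i}")
        code, length = blob[i], blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(
                f"sub-option {code} claims {length} bytes, only {len(data)} present")
        out.append((code, data))
        i += 2 + length
    return out


def lync_option43() -> bytes:
    """The five Lync PIN-authentication sub-options from the article."""
    return encode_option43({
        1: UC_IDENTIFIER.encode("ascii"),
        2: URL_SCHEME.encode("ascii"),
        3: WEB_SERVER_FQDN.encode("ascii"),
        4: PORT.encode("ascii"),
        5: CERT_PROV_PATH.encode("ascii"),
    })


def vlan_suboption(vlan_id: int) -> bytes:
    """Sub-option 10 carrying the target VLAN as a 2-byte big-endian value
    (the 0a0200d1 used in the non-LLDP Data scope). Upper bound is assumed."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    return encode_suboption(10, struct.pack(">H", vlan_id))


def cisco_hex(b: bytes) -> str:
    """Form used after 'option <n> hex' in the Cisco IOS pools above."""
    return b.hex().upper()


def dhcpd_hex(b: bytes) -> str:
    """Colon-separated bytes, the form a commenter reports for ISC dhcpd (assumed)."""
    return ":".join(f"{x:02x}" for x in b)


if __name__ == "__main__":
    print("option 120 hex", cisco_hex(encode_option120(SIP_SERVER_FQDN)))
    print("option 43 hex ", cisco_hex(lync_option43()))
    print("option 43 hex ", cisco_hex(vlan_suboption(209)), "(Data scope, non-LLDP)")
    for code, data in decode_option43(lync_option43()):
        print(f"  sub-option {code}: {data.decode('ascii')}")
```

Running the script reproduces the Option 120 and Option 43 strings from STEP 2 and STEP 4 exactly, and shows that VLAN 209 encodes as 00D1. Before pasting a value into a switch, decoding it again with decode_option43 is a cheap way to confirm that every sub-option, sub-option 5 in particular, arrived with the length its header claims.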


Comments

  1. Mike says

    April 16, 2014 at 4:01 pm

    Can option 43 be configured using something other than HEX? Cisco is now limiting DHCP hex to 180 characters. Anything with a server FQDN over about 24-25 characters is going to exceed that 180 hex limit.

    Unfortunately, I have a client with a FQDN that is much longer than 24-25 characters, causing the web services part (sub-option 5) to be truncated and the phones never get the certificate.

    All tests worked great in the testing environment using SIP.TESTNETWORK.LOCAL, but their actual server and domain name are longer.

    Can a DNS alias be used? ASCII?

    Does the server name have to be the FQDN, or can it be an IP address? Can the IP address be converted to hex?

  2. Guy Bachar says

    January 23, 2014 at 5:07 pm

    It seems that the DHCPUTIL in Lync 2013 gives you with the Full Option 43 value automatically without the need to make all calculations mentioned.

    that saves a lot of headache.

  7. Neil says

    June 2, 2011 at 8:59 am

    This is so close to what I'm trying to do with a Linux DHCP server. I've been able to build our Option 43 string based on the fantastic instructions above, but the phones seem to ignore them.

    I suspect that's because we don't have the vendor class defined in dhcpd.conf but I'm unsure how that should be formatted. If 143 & 120 are turned on the phones complain about invalid certificate path. If I comment them out and turn on the Lync DHCP then the phones sign in correctly. However that's not a long term solution given we need to be able to provision phones on different subnets.

    I've gone back and checked my 43 string and am sure it's right based on the above and what we got from dhcputil.

    Appreciate any pointers on this…

    Neil.

    • Elan Shudnow says

      June 9, 2011 at 10:18 pm

      It wouldn't be because of the vendor class. You can see in my Non-LLDP example, we're not specifying the vendor class and the phones registered fine. Building DHCP Options for non-Windows is a bit of a pain in the ass. I don't really have a good answer for you. It took us 3 weeks just to figure out how to get the above to work properly with VLAN mixed in which was the biggest problem. What do you see if you run dhcputil -emulateclient and when you try Test-CSPhoneBootstrap with -verbose?

      Also keep in mind you can set up DHCP Relays from the different subnets to the subnet that has Lync DHCP to get your phones the options they need.

      • Neil says

        June 13, 2011 at 4:17 am

        So Test-CSPhoneBootstrap was very useful. When it is running with the Lync DHCP enabled, and Options 43 & 120 disabled on the Linux DHCP server you can see Option43 & Option120 in the output and they show the correct data.

        If you then turn off the Lync DHCP, and enable the options under Linux DHCP instead then when Test-CSPhoneBootStrap reports the DHCP Options they are still encoded.

        I'm pretty sure my 43 & 120 strings are right since I've rebuilt them twice and they were the same. It does look to be a Linux DHCP issue, but I'm not sure what.

        Neil.

        • Neil says

          June 13, 2011 at 8:07 am

Well, I got it sorted after posting the above. Put Wireshark between the phone and the servers. To cut a long story short, further changes are required to the Option 43 after you've calculated it based on the above. Our Option 43 starts:

          010C4D532D55…

          In dhcpd.conf you need:

          option vendor-encapsulated-options 01:0c:4d:53:2d:55…

          Each byte must be split by a colon and don't wrap in quotes either. Same thing must be done to the Option 120.

          Hope this helps somebody…

          Neil.

          • Elan Shudnow says

            June 16, 2011 at 5:05 pm

            Thanks for posting what worked for you.

  8. Jay Crump says

    May 12, 2011 at 5:27 am

    Can a Lync phone register with a Lync pool via the internet? I have a working pool with edge and proxied simple URLs in place. Lync soft client has no issues – just curious if I could register a cx600 via edge instead of internal only.

    • Elan Shudnow says

      May 12, 2011 at 6:42 am

      You can. Check the following URL for more information: https://www.shudnow.io/2010/11/18/lync-2010-dhcp-…

  9. @jdscher says

    May 5, 2011 at 6:08 pm

    Also be aware that LLDP-passed VLAN IDs of 512 and larger are currently not supported and DHCP must be used for those. This will be fixed in a future Cumulative Update for Lync Phone Edition.

    Nice write-up :) I will be pointing a few customers to this article soon I'm sure.

  10. Mike Maz says

    May 4, 2011 at 10:35 am

    Noticed a typo on the 4500 IOS.
    It should be (cat4500-ENTSERVICESK9-M), Version 12.2(54)SGI

    • Elan Shudnow says

      May 4, 2011 at 9:10 pm

      Thanks for providing the switch information Mike! Updated the article.

  11. Mike Maz says

    May 4, 2011 at 10:25 am

    The Cisco DHCP server used in the examples resides on a Catalyst 6513 SUP720.
    The IOS this config will work on (S72033_rp-PK9SV-M), Version 12.2(18)SXD7 – or higher.

    The LLDP config is running on a Catalyst 4507R – SUP-IV
    IOS version (cat5400-ENTSERVICESK9-M), Version 12.2(54)SGI
    An LLDP power policy doesn't need to be defined, but might help if you are using multiple Lync phone vendors and require specific power parameters for each device. Just type "LLDP run" at the (config)# prompt.
