ISE: dACL to switch

Hi,
I am trying to figure out the syntax for dACL to a switch running 12.2(55)SE7.
In the switch we have used the following static ACL:
ip access-list extended TEST
10 permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
It is to limit so only some source IP can access some destination IP on those ports. Now we want to use it dynamicly so that the ACL gets donloaded to the switch when a certain device connects the port.
I added it to ISE like this:
permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
But that doesn't work. However, when I change the source to any then it works:
permit tcp any 10.0.0.2 0.3.255.0 range 1025 2000
By not working I mean that I see the dACL being downloaded, then the port state is Authz fail and after 1 min the device reauthenticates.
Why does it work with source any?
Regards,
Philip

Hello,
check if the IOS version and hardware platform (switch) you're using is mentioned in TrustSec document (page 6):
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
The minimum IOS version to use with ISE should be 12.2(55), but generally it's better to use 15.x.
Also, check if you have configured everything that is recommended for switch devices in TrustSec (page 59), including "ip device tracking".
There's also a very nice document for troubleshooting:
"Cisco TrustSec How-To Guide: Failed Authentications and Authorizations"
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf
If it doesn't work, can you post the output of the following commands after authorization:
show authentication session interface
sh ip access-lists interface
show running-config interface
show access-list
sh ip access-lists

Similar Messages

ISE 1.1 - switch ignores "Session-Timeout"

hi all,
I'm playing around with ISE guest service and have some difficulty with Time Profiles.
After guest logs in, Radius attributes are sent to the switch (3750G) one of them is Session-Timeout which should be similar to 1h (DefaultOneHour)
According to ISE logs and switch debugs, ISE did it well and this attribute was sent but it seems that the switch simply ignores it.
May 24 07:03:11.658: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied udp 10.1.100.194(1029) -> 10.1.100.2(389), 1 packet19:46:57: RADIUS: COA received from id 36 10.1.100.6:64700, CoA Request, len 18319:46:57: RADIUS/DECODE: parse unknown cisco vsa "reauthenticate-type" - IGNORE19:46:57: RADIUS/ENCODE(00000000):Orig. component type = Invalid19:46:57: RADIUS(00000000): sending19:46:57: RADIUS(00000000): Send CoA Ack Response to 10.1.100.6:64700 id 36, len 3819:46:57: RADIUS: authenticator 0B 30 6E 9B DF 97 0D A0 - D9 8B A5 5A 11 39 3E 4119:46:57: RADIUS: Message-Authenticato[80] 18 19:46:57: RADIUS:   11 42 82 E2 52 68 DF 28 CD 43 AE 88 0C 5D 91 10            [ BRh(C]]19:46:57: RADIUS/ENCODE(00000026):Orig. component type = Dot1X19:46:57: RADIUS(00000026): Config NAS IP: 0.0.0.019:46:57: RADIUS(00000026): Config NAS IPv6: ::19:46:57: RADIUS/ENCODE(00000026): acct_session_id: 2719:46:57: RADIUS(00000026): sending19:46:57: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.619:46:57: RADIUS(00000026): Send Access-Request to 10.1.100.6:1812 id 1645/25, len 26719:46:57: RADIUS: authenticator 6D 92 DC 77 87 47 DA 8E - 7D 6B DD DD 18 BE DC 3319:46:57: RADIUS: User-Name           [1]   14 "0016d329042f"19:46:57: RADIUS: User-Password       [2]   18 *19:46:57: RADIUS: Service-Type        [6]   6   Call Check                [10]19:46:57: RADIUS: Vendor, Cisco       [26] 31 19:46:57: RADIUS:   Cisco AVpair       [1]   25 "service-type=Call Check"19:46:57: RADIUS: Framed-IP-Address   [8]   6   10.1.100.194 19:46:57: RADIUS: Framed-MTU          [12] 6   1500 19:46:57: RADIUS: Called-Station-Id   [30] 19 "00-24-F9-2D-83-87"19:46:57: RADIUS: Calling-Station-Id [31] 19 "00-16-D3-29-04-2F"19:46:57: RADIUS: Message-Authenticato[80] 18 19:46:57: RADIUS:   AD EB 99 4A F2 B9 4E BB 2E B3 E2 04 BE 5B 0C 72             [ JN.[r]19:46:57: RADIUS: EAP-Key-Name        [102] 2   *19:46:57: RADIUS: Vendor, Cisco       [26] 49 19:46:57: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=0A01280100000016043E0D23"19:46:57: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]19:46:57: RADIUS: NAS-Port            [5]   6   50107 19:46:57: RADIUS: NAS-Port-Id         [87] 22 "GigabitEthernet1/0/7"19:46:57: RADIUS: Called-Station-Id   [30] 19 "00-24-F9-2D-83-87"19:46:57: RADIUS: NAS-IP-Address      [4]   6   10.1.100.1 19:46:57: RADIUS(00000026): Sending a IPv4 Radius Packet19:46:57: RADIUS(00000026): Started 5 sec timeout19:46:57: RADIUS: Received from id 1645/25 10.1.100.6:1812, Access-Accept, len 27219:46:57: RADIUS: authenticator F1 5F 57 72 FD 80 95 20 - 46 47 B5 CE DF 63 6E 1A19:46:57: RADIUS: User-Name           [1]   19 "[email protected]"19:46:57: RADIUS: State               [24] 40 19:46:57: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41 [ReauthSession:0A]19:46:57: RADIUS:   30 31 32 38 30 31 30 30 30 30 30 30 31 36 30 34 [0128010000001604]19:46:57: RADIUS:   33 45 30 44 32 33            [ 3E0D23]19:46:57: RADIUS: Class               [25] 49 19:46:57: RADIUS:   43 41 43 53 3A 30 41 30 31 32 38 30 31 30 30 30 [CACS:0A012801000]19:46:57: RADIUS:   30 30 30 31 36 30 34 33 45 30 44 32 33 3A 69 73 [00016043E0D23:is]19:46:57: RADIUS:   65 2F 31 32 34 30 33 36 37 39 31 2F 32 39 37   [ e/124036791/297]19:46:57: RADIUS: Session-Timeout     [27] 6   2940 19:46:57: RADIUS: Termination-Action [29] 6   0 19:46:57: RADIUS: Message-Authenticato[80] 18 19:46:57: RADIUS:   26 46 2C B6 75 95 AF 37 E6 3B B1 CB F2 70 E0 8D           [ &F,u7;p]19:46:57: RADIUS: Vendor, Cisco       [26] 72 19:46:57: RADIUS:   Cisco AVpair       [1]   66 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-Contractors-ACL-4fbcd736"19:46:57: RADIUS: Vendor, Cisco       [26] 42 19:46:57: RADIUS:   Cisco AVpair       [1]   36 "profile-name=Microsoft-Workstation"19:46:57: RADIUS(00000026): Received from id 1645/2519:46:57: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNOREMay 24 07:03:19.132: %MAB-5-SUCCESS: Authentication successful for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D23May 24 07:03:19.132: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D23May 24 07:03:19.140: %EPM-6-POLICY_REQ: IP 10.1.100.194| MAC 0016.d329.042f| AuditSessionID 0A01280100000016043E0D23| AUTHTYPE DOT1X| EVENT APPLYMay 24 07:03:19.165: %EPM-6-AAA: POLICY xACSACLx-IP-Contractors-ACL-4fbcd736| EVENT DOWNLOAD-REQUEST19:46:57: RADIUS/ENCODE(00000000):Orig. component type = Invalid19:46:57: RADIUS(00000000): Config NAS IP: 0.0.0.019:46:57: RADIUS(00000000): sending19:46:57: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.619:46:57: RADIUS(00000000): Send Access-Request to 10.1.100.6:1812 id 1645/26, len 14419:46:57: RADIUS: authenticator 1A 52 18 C5 25 A7 5C DC - 29 C9 5C 7C C5 B3 FC 5819:46:57: RADIUS: NAS-IP-Address      [4]   6   10.1.100.1 19:46:57: RADIUS: User-Name           [1]   38 "#ACSACL#-IP-Contractors-ACL-4fbcd736"19:46:57: RADIUS: Vendor, Cisco       [26] 32 19:46:57: RADIUS:   Cisco AVpair       [1]   26 "aaa:service=ip_admission"19:46:57: RADIUS: Vendor, Cisco       [26] 30 19:46:57: RADIUS:   Cisco AVpair       [1]   24 "aaa:event=acl-download"19:46:57: RADIUS: Message-Authenticato[80] 18 19:46:57: RADIUS:   2B 6B 13 37 0D 25 11 E9 6A 56 35 D8 91 9F EF F0           [ +k7?jV5]19:46:57: RADIUS(00000000): Sending a IPv4 Radius Packet19:46:57: RADIUS(00000000): Started 5 sec timeoutMay 24 07:03:19.191: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied tcp 10.1.100.194(2125) -> 10.1.100.6(8443), 1 packet19:46:57: RADIUS: Received from id 1645/26 10.1.100.6:1812, Access-Accept, len 35919:46:57: RADIUS: authenticator 31 B0 73 93 CA 0E 5C 7C - 11 29 AA 57 6C A1 53 D819:46:57: RADIUS: User-Name           [1]   38 "#ACSACL#-IP-Contractors-ACL-4fbcd736"19:46:57: RADIUS: State               [24] 40 19:46:57: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]19:46:57: RADIUS:   30 31 36 34 30 36 30 30 30 30 30 30 35 44 34 46 [0164060000005D4F]19:46:57: RADIUS:   42 44 44 44 33 37            [ BDDD37]19:46:57: RADIUS: Class               [25] 49 19:46:57: RADIUS:   43 41 43 53 3A 30 61 30 31 36 34 30 36 30 30 30 [CACS:0a016406000]19:46:57: RADIUS:   30 30 30 35 44 34 46 42 44 44 44 33 37 3A 69 73 [0005D4FBDDD37:is]19:46:57: RADIUS:   65 2F 31 32 34 30 33 36 37 39 31 2F 32 39 38   [ e/124036791/298]19:46:57: RADIUS: Termination-Action [29] 6   1 19:46:57: RADIUS: Message-Authenticato[80] 18 19:46:57: RADIUS:   80 EF 5B 80 76 F1 C9 37 0B 25 34 37 10 57 CC 44          [ [v7?47WD]19:46:57: RADIUS: Vendor, Cisco       [26] 47 19:46:57: RADIUS:   Cisco AVpair       [1]   41 "ip:inacl#1=permit udp any any eq domain"19:46:57: RADIUS: Vendor, Cisco SW3750-1# [26] 48 19:46:57: RADIUS:   Cisco AVpair       [1]   42 "ip:inacl#2=permit ip any host 10.1.100.6"19:46:57: RADIUS: Vendor, Cisco       [26] 57 19:46:57: RADIUS:   Cisco AVpair       [1]   51 "ip:inacl#3=deny ip any 10.0.0.0 0.255.255.255 log"19:46:57: RADIUS: Vendor, Cisco       [26] 36 19:46:57: RADIUS:   Cisco AVpair       [1]   30 "ip:inacl#4=permit ip any any"19:46:57: RADIUS(00000000): Received from id 1645/26May 24 07:03:19.216: %EPM-6-AAA: POLICY xACSACLx-IP-Contractors-ACSW3750-1#SW3750-1#SW3750-1#L-4fbcd736| EVENT DOWNLOAD-SUCCESSMay 24 07:03:19.216: %EPM-6-POLICY_APP_SUCCESS: IP 10.1.100.194| MAC 0016.d329.042f| AuditSessionID 0A01280100000016043E0D23| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-Contractors-ACL-4fbcd736| RESULT SUCCESSMay 24 07:03:20.147: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D2319:46:58: RADIUS/ENCODE(00000026):Orig. component type = Dot1X19:46:58: RADIUS(00000026SW3750-1#SW3750-1#SW3750-1#SW3750-1#): Config NAS IP: 0.0.0.019:46:58: RADIUS(00000026): Config NAS IPv6: ::19:46:58: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.619:46:58: RADIUS(00000026): Sending a IPv4 Radius Packet19:46:58: RADIUS(00000026): Started 5 sec timeout19:46:58: RADIUS: Received from id 1646/35 10.1.100.6:1813, Accounting-response, len 38SW3750-1#
SW3750-1#sh authe sess int g 1/0/7 Interface: GigabitEthernet1/0/7 MAC Address: 0016.d329.042f IP Address: 10.1.100.194 User-Name: [email protected] Status: Authz Success Domain: DATA Security Policy: Should Secure Security Status: Unsecure Oper host mode: multi-auth Oper control dir: both Authorized By: Authentication Server Vlan Group: N/A ACS ACL: xACSACLx-IP-Contractors-ACL-4fbcd736 Session timeout: N/A Idle timeout: N/A Common Session ID: 0A01280100000016043E0D23 Acct Session ID: 0x0000001B Handle: 0x2F000017Runnable methods list: Method   State mab      Authc Success dot1x    Not runSW3750-1#
Has anyone encountered similar thing?
I tried 12.2(58) and now Im testing
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(1)SE2, RELEASE SOFTWARE (fc3)
but in both cases it is similar.
regards
Przemek

Hi Sebastian,
thx a lot those 2 commands solved the issue, my mistake. Now I can see remaining time for the session
SW3750-1#sh auth sess int g1/0/7 Interface: GigabitEthernet1/0/7 MAC Address: 0016.d329.042f IP Address: 10.1.100.194 User-Name: [email protected] Status: Authz Success Domain: DATA Security Policy: Should Secure Security Status: Unsecure Oper host mode: multi-auth Oper control dir: both Authorized By: Authentication Server Vlan Group: N/A ACS ACL: xACSACLx-IP-Contractors-ACL-4fbcd736 Session timeout: 28800s (server), Remaining: 28780s Timeout action: Terminate Idle timeout: N/A Common Session ID: 0A012801000000221DE0F555 Acct Session ID: 0x0000002B Handle: 0x99000023Runnable methods list: Method   State mab      Authc Success dot1x    Not run
regards
Przemek

ISE DACL Enforcement

On version ISE 1.2.0.899 is there a way to log the drops that the endusers DACl enforces?

Hello,
check if the IOS version and hardware platform (switch) you're using is mentioned in TrustSec document (page 6):
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
The minimum IOS version to use with ISE should be 12.2(55), but generally it's better to use 15.x.
Also, check if you have configured everything that is recommended for switch devices in TrustSec (page 59), including "ip device tracking".
There's also a very nice document for troubleshooting:
"Cisco TrustSec How-To Guide: Failed Authentications and Authorizations"
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf
If it doesn't work, can you post the output of the following commands after authorization:
show authentication session interface
sh ip access-lists interface
show running-config interface
show access-list
sh ip access-lists

DACL to switch

Hi I have dot1x authorization policy on my ISE server, whith result few statements in DACL
Device Authorize successfull, DACL is pushing to switch
Current configuration : 484 bytes
interface FastEthernet0/4
switchport access vlan 84
switchport mode access
switchport voice vlan 70
ip access-group default_acl in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x max-reauth-req 3
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
end
sh access-lists
Extended IP access list Auth-Default-ACL
    10 permit udp any range bootps 65347 any range bootpc 65348 (2 matches)
    20 permit udp any any range bootps 65347 (15 matches)
    30 deny ip any any (90 matches)
Extended IP access list default_acl
    10 permit ip any any (602 matches)
Extended IP access list xACSACLx-IP-standart_vpn-5106859d (per-user)
    10 permit tcp any 0.0.0.0 255.255.255.0 eq 3389
    20 permit ip any host 10.1.1.20
    30 permit udp any host 10.8.13.11 eq domain
    40 permit udp any host 10.8.13.12 eq domain
    50 deny ip any any
#sh authentication sessions interface f0/4
            Interface: FastEthernet0/4
          MAC Address: 0023.8b84.fa32
           IP Address: 10.110.11.254
            User-Name: krasnoperov_as
               Status: Authz Success
               Domain: DATA
       Oper host mode: multi-auth
     Oper control dir: both
        Authorized By: Authentication Server
           Vlan Group: N/A
              ACS ACL: xACSACLx-IP-standart_vpn-5106859d
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A6E0A0400000079A121E4DE
      Acct Session ID: 0x00000EE3
               Handle: 0x2C000079
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
BUT it's not applayed to my session, default_acl on port is still applayed, from this PC I have any any access, like in default ACL defined.
Why it's happens?
thanks

Hi, ACL which I wat to applay from ISE server is this:
permit ip any host 10.1.1.20
permit udp any host 10.8.13.11 eq 53
permit udp any host 10.8.13.12 eq 53
deny ip any any
this line was
10 permit tcp any 0.0.0.0 255.255.255.0 eq 3389
for ASA acl, it's incorrect, I delete it.
ARHIV-ROOM36#sh ip access-lists
Standard IP access list 21
    10 permit 10.8.39.33 (7648 matches)
    20 permit 10.5.45.95 (4298 matches)
    30 permit 10.5.45.164
    40 permit 10.1.1.206
    50 permit 10.1.1.248
    60 deny   any (4 matches)
Standard IP access list 23
    10 permit 10.0.0.0, wildcard bits 0.255.255.255 (34 matches)
Extended IP access list 101
    10 permit ip any any
Extended IP access list 117
    10 permit ip any any
Extended IP access list Auth-Default-ACL
    10 permit udp any range bootps 65347 any range bootpc 65348 (15 matches)
    20 permit udp any any range bootps 65347 (6 matches)
    30 deny ip any any (10 matches)
Extended IP access list default_acl
    10 permit ip any any (98 matches)
Extended IP access list xACSACLx-IP-standart_vpn-5107cb73 (per-user)
    10 permit ip any host 10.1.1.20
    20 permit udp any host 10.8.13.11 eq domain
    30 permit udp any host 10.8.13.12 eq domain
    40 deny ip any any
ARHIV-ROOM36#sh authentication sessions interface f0/4
            Interface: FastEthernet0/4
          MAC Address: 0023.8b84.fa32
           IP Address: 10.110.11.254
            User-Name: krasnoperov_as
               Status: Authz Success
               Domain: DATA
       Oper host mode: multi-domain
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: N/A
              ACS ACL: xACSACLx-IP-standart_vpn-5107cb73
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A6E0A040000003E015EC308
      Acct Session ID: 0x0000004E
               Handle: 0x6700003F
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
ARHIV-ROOM36#sh ip access-lists interface fastEthernet 0/4
ARHIV-ROOM36#
What kind of debug I should enable, because if I debug all - my switch is going down

Open mode (monitor mode) with ise and catalyst switches

Hi There,
Anyone know if the following observation is correct ?
From the TrustSec 2.1 "Monitor Mode" guide i get the idea that Open mode, is not really as zero impact in a data gathering part of an ISE deployment is a was expecting. The guide describes using Profiling to authorize Cisco IP phones for the Voice VLAN.
- Does this mean that regular methods like using CDP won't work to for this once i enable dot1x on an access switch port interface ?
- And that i will need to figure out which ports should be set for multi-domain (phone+pc), and which should be set for multi-auth(possibly multiple devices on one port) during the open mode period ?
Regards
Jan

Hello Jan-
Below is my input to your questions:
From the TrustSec 2.1 "Monitor Mode" guide i get the idea that Open mode, is not really as zero impact in a data gathering part of an ISE deployment is a was expecting.
Yes, a device is still allowed on the network even if it fails all authentication methods (MAB, 802.1x, etc). Basically you use monitor mode to perform discovery and see what would have been blocked had ISE been deployed in production.
The guide describes using Profiling to authorize Cisco IP phones for the Voice VLAN.
Yes, you can use profiling to do this. Keep in mind that you will need advanced licensing for this. Otherwise, you can either use MAB with static MACs imported/entered in the local database or EAP-TLS with phone certificates
- Does this mean that regular methods like using CDP won't work to for this once i enable dot1x on an access switch port interface ?
CDP will still work, in fact some of the profiling happens thanks to CDP, however, the device will simply not going to be allowed to get on the network and the Voice VLAN unless it passes authentication/authorization.
- And that i will need to figure out which ports should be set for multi-domain (phone+pc), and which should be set for multi-auth(possibly multiple devices on one port) during the open mode period ?
This really depends on how secure you want your network to be
Hope this helps!
Thank you for rating!

ISE dACL for FlexConnect AP

hello all,
I found a similar thread, but it didn't exactly answer my question:
https://supportforums.cisco.com/discussion/12114056/flex-connect-user-acl-aps-locally-switched
Should I configure a regular ACL, or Airespace ACL on ISE, to support FlexConnect mode AP's?
On the FlexConnect AP's (WLC), do I configure a regular ACL, or FlexConnect ACL?
The FlexConnect AP's are running a few SSID's, some are centrally switched, and some are locally switched.
Thanks,
Kevin

It depends which version of WLC, v 7.4.110 has a bug (Unfortunately, I don't remember the bug Id). You need to create a regular and FlexConnect using the same name. With recent version (I'm using 7.6.130), you don't need the regular ACL, just a FlexConnect ACL. So, to answer your question, with FlexConnect, you must use FlexConnect ACL.
Good links:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010001110.html
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html

Cisco ISE configs for switch

I suppose Cisco ISE sends a URL redirect to the switch and the switch presents it to the client in case of guest Access getting a URL redirect with User Acceptance Page (Wired Guests and not wireless).
My question here is, Do we need to configure http and https server on the switches (both supplicant and authenticator)?
I am sure it will need but just wanted a confirmation..
I have checked the configuration for supplicant and Authenticator switches for ISE and it has no where mentioned that part of the config.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html (a problem of URL redirection and possible cause is mentioned) ------- makes me sure that the config is needed.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html
(config of supplicant and authenticator switch)---- nowhere mentioned of the http/https config for both switches.

Yes, its needed. The http/s server within the swtich is used to grab the http user traffic and redirect the traffic to the CWA portal, or a device registration portal, or even to the Mobile Device Management (MDM) onboarding portal. .
ip http server
ip http secure-server
The info below I grabbed from Cisco ISE for BYOD and secure unified access book.
"Many organization want to ensure that this redirection process using the switch's internal HTTP server is decoupled from the management of the switch itself, in order to limit the chances of an end user interacting with the management intervace and control plane of a switch. this may be accomplished by running the following two commands from global configuration mode:
ip http active-session-modules none
ip http secure-active-session-modules none"

ISE question about switches

I am implementing ISE and have run into several locations that have used consumer brand 4 ports switches to connect multiple workstations on one cable. I realize there is a list of supported Cisco switches for ISE, but I was wondering if anyone has used a lower end Cisco or other vendor switch (i.e. Cisco SG200-08 or SF300-08) to do basic authentication against ISE as it relates to enabling the port once the 802.1x authenitcation is passed?
Realize this is a bit vague, just looking for anyone with practical experience with this.
Thanks

I have not configured dot1x for the mentioned switches, if the switches do support dot1x you should be able to do basic authentication. If there are multiple endpoints on the same port, you should use the Multi-Auth host mode on switchport. Also you will have to choose an authentication method that is supported by the endpoints.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps11229/data_sheet_c78-634369.html
• Network security: Cisco 200 Series switches provide basic security and network management features you need to maintain a level of security for your business, keep unauthorized users off the network, and protect your business data. The switches provide integrated network security to reduce the risk of a security breach, with IEEE 802.1X port security to control access to your network.
and
802.1X: RADIUS authentication and accounting, MD5 hash
There wont be CoA and authorization, you may apply manual ACL on switchport for the controlled access.
the answer to your post, yes you should be able to do basic dot1x authentication.
HTH

ISE 1.2: Airspace ACL vs DACL

Can someone please shed some light here:
I have a 5508 WLC & ISE 1.2. I configured Guest Access through the use of a Sponsor Portal, and got it working.
I now want to restrict my Guest users to access the internet only and not the rest of my network.
Do I do that using a Airspace ACL & an Access List on my WLC or a DACL on my ISE box.
I'm not sure how to block the users from accessing my internal network, since I have tried both, but neither work.
Any advice please.

In ISE, dACLs are only applicable to switches. They are ineffective with wireless connections.
An Airespace ACL is the way to go and it looks like you got it working.
The ACL should be:
permit Inbound for any to the ISE IPs and permit outbound from ISE to any.
deny any to 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 inbound (or just to your internal IP space)
permit any to any in any direction

ISE to dynamiclly push Private Vlans on Access switch deployments

Hi all,
is there a way to push PVLAN configuration via ISE to Access switches.
Currently I'm thinking about an authoration profile with an attribute setting PVLAN.
Has anyone an idea how to push Private VLan configs dynamiclly to Access Ports on Switches.
Thanks for your comments

Try looking into using switch macros, you should be able to create a custom macro that changes the config of the port in question to make it part of a pvlan community/isolated port or whatever you need and then trigger this macro from ISE with your authorization result. It's used for the feature cisco call NEAT, try searching for that and you should find some examples.

Cisco ISE - Reauthentication of client if server becomes alive again

Dears,
I have this case where Cisco ISE server is used to authenticate & authorize clients on the network.
I configured the switch port to authorize the client in case the ISE server is dead (or not reachable).
The thing is that I want to reauthenticate the client once the ISE server becomes alive again but I am not able to.. ("Additional Information is needed to connect to this network" bullet is not appearing and the client PC remains authenticated and assigned to the VLAN.
Below is the switch port configuration:
interface FastEthernet0/5
switchport access vlan 240
switchport mode access
switchport voice vlan 156
authentication event server dead action authorize vlan 240
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
Anyone can help?
Regards,

Please check whether the switch is dropping the connection or the server.
Symptoms or Issue
802.1X and MAB authentication and authorization are successful, but the switch is dropping active sessions and the epm session summary command does not display any active sessions.
Conditions
This applies to user sessions that have logged in successfully and are then being terminated by the switch.
Possible Causes
•The preauthentication ACL (and the subsequent DACL enforcement from Cisco ISE) on the NAD may not be configured correctly for that session.
•The preauthentication ACL is configured and the DACL is downloaded from Cisco ISE, but the switch brings the session down.
•Cisco ISE may be enforcing a preposture VLAN assignment rather than the (correct) postposture VLAN, which can also bring down the session.
Resolution
•Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
•Check to see whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.
•Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication

ISE Authorization PermitAccess - EPM-HOLE-ACL

Hello,
I have a 6509 switch that is running 12.2(33) SXI9 code that has a unique issue. When the client connects they are authenticated and match an authorization profile that gives the default PermitAccess. Unfortunately at this point the client can only access what it is allowed in the ACL-DEFAULT.
When I look at the logs I see:
Mar 27 18:14:02 EDT: %EPM-6-POLICY_APP_SUCCESS: IP aa.cc.dd.ee | MAC 001a.1111.2222 | AuditSessionID AC10FB8A0000007101BDF21B| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME EPM-HOLE-ACL| RESULT SUCCESS
What is this Named ACL EPM-HOLE-ACL? This ACL is not defined in ISE or the switch.

Kyle,
I do not know what the EPM-HOLE-ACL but found it a little comical. However, this is true that you have to apply another dacl to override the acl default which is applied on the port. Keep in mind you will also run into this issue if you decide to (i am basing this off the 2k 3k behavior) set a guest vlan if the radius server is dead, because of this default ACL the users will not be able to get anywhere outside of that acl.
There is a feature enhancment in the works to provide an acl if radius server is dead or when authentication fails...etc. However I think this ties all back into to your question, that if there isnt a dacl assigned to override the port acl then this seems to be the behavior.
Tarik Admani
*Please rate helpful posts*

ISE Authorization Policy Issues

Hello Team,
I´m getting troubles during my implementation: The User PC never gets IP Address from Access VLAN after AuthZ Policy succeded.
I have two vlans in my implementation:
Vlan ID 802 for Authentication (Subnet 10.2.39.0)
Vlan ID 50 for Access Users (Subnet Y.Y.Y.Y)
When I start my User PC, I get IP for VLAN 802 (10.2.39.3) and After Posture process, ISE inform the switch to put the User PC port in VLAN 50.
Here I have my Switch Port Configuration:
interface GigabitEthernet0/38
switchport access vlan 802
switchport mode access
switchport nonegotiate
switchport voice vlan 120
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 50
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
And Here, I have outputs AuthZ Policy in Action:
Oct 7 09:22:01.574 ANG: %DOT1X-5-SUCCESS: Authentication successful for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct 7 09:22:01.582 ANG: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct 7 09:22:01.591 ANG: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT APPLY
Oct 7 09:22:01.591 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-REQUEST
Oct 7 09:22:01.633 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-SUCCESS
Oct 7 09:22:01.633 ANG: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-WAIT
SWISNGAC8FL02#
Oct 7 09:22:02.069 ANG: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
SWISNGAC8FL02#
Oct 7 09:22:02.731 ANG: %EPM-6-IPEVENT: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Oct 7 09:22:02.731 ANG: %EPM-6-POLICY_APP_SUCCESS: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| RESULT SUCCESS
After that, I have:
SWISNGAC8FL02#sh auth sess int g0/38
Interface: GigabitEthernet0/38
MAC Address: 0022.1910.4130
IP Address: 10.2.39.3
User-Name: SNL\enzo.belo
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 50
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A022047000000F6126E9B17
Acct Session ID: 0x000001A7
Handle: 0x710000F7
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
Apparently, everything is OK, but NOT. The User PC never gets IP Address from Access VLAN 50.
If I do SWISNGAC8FL02#sh mac address-table | inc 0022.1910.4130
50 0022.1910.4130 STATIC Gi0/38
802 0022.1910.4130 STATIC Gi0/38
And
SWISNGAC8FL02#sh epm session summary
EPM Session Information
Total sessions seen so far : 17
Total active sessions : 1
Interface IP Address MAC Address VLAN Audit Session Id:
GigabitEthernet0/38 10.2.39.3 0022.1910.4130 802 0A022047000000F6126E9B17
My Switch is a Cisco IOS Software, C3560E Software (C3560E-IPBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)
I am using ISE Version 1.2.1.198 Patch Info 2
Could you help me in this Case ?
Best Regards,
Daniel Stefani

It seems like the PC is operating in the VOICE-domain according to the cmd auth sess int you showed. Do you think that has something to do with your problem? I've experienced some PC's having problem with that.
If you could, try getting the PC to operate in the DATA-domain by not sending the voice-attribute from ISE after the authorization.

Radius authentication with ISE - wrong IP address

Hello,
We are using ISE for radius authentication. I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE. Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address. The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243. I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243. There is another switch stack at that location (same model, IOS etc), that works properly.
The radius config on the switch:
aaa new-model
aaa authentication login default local
aaa authentication login Comm group radius local
aaa authentication enable default enable
aaa authorization exec default group radius if-authenticated
ip radius source-interface Vlanyy
radius server 10.xxx.yyy.zzz
address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
key 7 abcdefg
The log from ISE:
Overview
Event 5405 RADIUS Request dropped
Username
Endpoint Id
Endpoint Profile
Authorization Profile
Authentication Details
Source Timestamp 2014-07-30 08:48:51.923
Received Timestamp 2014-07-30 08:48:51.923
Policy Server ise
Event 5405 RADIUS Request dropped
Failure Reason 11007 Could not locate Network Device or AAA Client
Resolution Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices
Root cause Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
Username
User Type
Endpoint Id
Endpoint Profile
IP Address
Identity Store
Identity Group
Audit Session Id
Authentication Method
Authentication Protocol
Service Type
Network Device
Device Type
Location
NAS IP Address 10.xxx.aaa.243
NAS Port Id tty2
NAS Port Type Virtual
Authorization Profile
Posture Status
Security Group
Response Time
Other Attributes
ConfigVersionId 107
Device Port 1645
DestinationPort 1812
Protocol Radius
NAS-Port 2
AcsSessionID ise1/186896437/1172639
Device IP Address 10.xxx.aaa.243
CiscoAVPair
   Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11007 Could not locate Network Device or AAA Client
5405
As a test, I setup a device using the .243 address. While ISE claims it authenticates, it really doesn't. I have to use my local account to access the device.
Any advice on how to resolve this issue would be appreciated. Please let me know if more information is needed.

Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.
What interface should your switch be sending the radius request?
ip radius source-interface VlanXXX vrf default
Here is what my debug looks like when it is working correctly.
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
Aug 4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
Aug 4 15:58:47 EST: RADIUS(00000265): sending
Aug 4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
Aug 4 15:58:47 EST: RADIUS: authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
Aug 4 15:58:47 EST: RADIUS: User-Name           [1]   9   "admin"
Aug 4 15:58:47 EST: RADIUS: Reply-Message       [18] 12
Aug 4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
Aug 4 15:58:47 EST: RADIUS: User-Password       [2]   18 *
Aug 4 15:58:47 EST: RADIUS: NAS-Port            [5]   6   3
Aug 4 15:58:47 EST: RADIUS: NAS-Port-Id         [87] 6   "tty3"
Aug 4 15:58:47 EST: RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
Aug 4 15:58:47 EST: RADIUS: Calling-Station-Id [31] 15 "10.xxx.xxx.100"
Aug 4 15:58:47 EST: RADIUS: Service-Type        [6]   6   Login                     [1]
Aug 4 15:58:47 EST: RADIUS: NAS-IP-Address      [4]   6   10.xxx.xxx.251
Aug 4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
Aug 4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
Aug 4 15:58:47 EST: RADIUS: authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
Aug 4 15:58:47 EST: RADIUS: User-Name           [1]   9   "admin"
Aug 4 15:58:47 EST: RADIUS: State               [24] 40
Aug 4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]
Aug 4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33 [0cfe230001F70753]
Aug 4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
Aug 4 15:58:47 EST: RADIUS: Class               [25] 58
Aug 4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30 [CACS:0a0cfe23000]
Aug 4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52 [1F70753DFE5F7:PR]
Aug 4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39 [YISE002/19379469]
Aug 4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
Aug 4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
Aug 4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
Aug 4 16:05:19 EST: RADIUS(00000268): sending
Aug 4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
Aug 4 16:05:19 EST: RADIUS: authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
Aug 4 16:05:19 EST: RADIUS: User-Name           [1]   9   "admin"
Aug 4 16:05:19 EST: RADIUS: Reply-Message       [18] 12
Aug 4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
Aug 4 16:05:19 EST: RADIUS: User-Password       [2]   18 *
Aug 4 16:05:19 EST: RADIUS: NAS-Port            [5]   6   7
Aug 4 16:05:19 EST: RADIUS: NAS-Port-Id         [87] 6   "tty7"
Aug 4 16:05:19 EST: RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
Aug 4 16:05:19 EST: RADIUS: Calling-Station-Id [31] 15 "10.xxx.xxx.100"
Aug 4 16:05:19 EST: RADIUS: Service-Type        [6]   6   Login                     [1]
Aug 4 16:05:19 EST: RADIUS: NAS-IP-Address      [4]   6   10.xxx.xxx.251
Aug 4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:23 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:29 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:33 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
Aug 4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
Aug 4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:38 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:43 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:48 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:53 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
Aug 4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
Aug 4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:57 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
Aug 4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..
aaa authentication login vty group radius local enable
aaa authentication login con group radius local enable
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting system default start-stop group radius
ip radius source-interface VlanXXX vrf default
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
radius-server vsa send accounting
radius-server vsa send authentication
You can use this in the switch to test radius
test aaa group radius server 10.xxx.xxx.xxx <username> <password>

AD Machine Authentication with Cisco ISE problem

Hi Experts,
I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
Authentication policy:
Allowed protocol = PEAP & TLS
Authorization Policy:
Condition for computer to be checked in external identity store (AD) = Permit access
Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
Switchport configuration:
===============================================
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit ip any host (AD)
permit icmp any any
permit ip any host (ISE-1)
permit ip any host (ISE-2)
permit udp any host (CUCM-1) eq tftp
permit udp any host (CUCM-2)eq tftp
deny ip any any
===============================================
switchport config
===============================================
Switchport Access vlan 10
switchport mode access
switchport voice vlan 20
ip access-group ACL-DEFAULT in
authentication open
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 100
====================================================
One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
Your help will highly appreciated.
Regards,

You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab. If your switch configuration is on auth failure continue to next method, then this makes sense. The question is why is the user failing auth but the machine is passing, could be something in the policy. Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched. Easy way to check is remove that rule from your policy and see if the same thing happens.
I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time. The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining. This is great because you can do two part authentication. EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet. I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy.

ISE: dACL to switch

Similar Messages

Maybe you are looking for