ISE : DOT1X - MAB
Hi all,
I'm trying to understand the possibilities of the ISE. I would like to configure host authentication without the client having to enter credentials a second time after logging on to his PC.
Is this possible with DOT1X?
As far as I understand you have to enter your credentials twice: once for the Windows logon and a second time in the supplicant (e.g. Cisco AnyConnect), which sends the EAPOL-Start frame to the authenticator (switch).
MAB could work without user interference, but is bypassable when you spoof a MAC address.
Is there another possibility to set this up?
Maybe I'm asking obvious questions, but I'm an ISE newbie.
Thanks,
Joris
Both the Windows supplicant and the Cisco supplicant send the credentials automatically, so there is no need to type the password twice.
Similar Messages
-
I am trying to set my ISE to attempt dot1x before mab. If I set up the switchport to try mab first, then ISE does its job and assigns the proper vlan. However, when I set the port up to do dot1x first, the port reverts to the default vlan 1. I am able to manually assign the proper vlan on the port and ISE does not interfere, but that kind of defeats the purpose. The port is on a 4506 and below is the port config. Any direction would be greatly appreciated.
interface GigabitEthernet5/7
description 1-151
switchport mode access
switchport block unicast
switchport voice vlan 68
ip arp inspection limit rate 60
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 40
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 3600
authentication violation restrict
mab
snmp trap mac-notification change added
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
end
Recently I have implemented this at one of our customers; find the switch configuration below.
aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa authorization auth-proxy default group radius
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa server radius dynamic-author
client <ISE IP ADDRESS> server-key 7 10471A1C25141B1F0F
aaa session-id common
ip device tracking probe use-svi
ip device tracking
ip admission name Testing_ISE proxy http inactivity-time 10 list ISE_ALLOWED
epm logging
dot1x system-auth-control
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 1-1005 priority 8192
port-channel load-balance src-dst-ip
vlan internal allocation policy ascending
interface ran GigabitEthernet X/X
description "Connected to test PC for ISE testing"
switchport access vlan x
switchport mode access
switchport voice vlan x
authentication event fail action next-method
authentication event server dead action authorize vlan 107
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip http server
ip http secure-server
ip access-list extended ISE_REDIR
deny udp any any eq bootpc
deny udp any any eq bootps
deny udp any any eq domain
deny ip any host <ISE IP ADDRESS> log
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any log
ip access-list extended ISE_ALLOWED
permit ip any host <ISE IP ADDRESS>
logging esm config
snmp-server community string RO
snmp-server community public RO
snmp-server community ise RO
snmp-server trap-source Vlan250
snmp-server enable traps mac-notification change move threshold
snmp-server host <ISE IP ADDRESS> version 2c ise mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host <ISE IP ADDRESS> auth-port 1812 acct-port 1813 key 7 141E010E2C07233F27
radius-server vsa send accounting
radius-server vsa send authentication
Create an Authentication policy in ISE and allow the ISE_REDIR ACL. -
Dear Experts,
From ISE 2.x I am able to ping the proxy server, but once the Windows user is authenticated and logs in, he cannot go to the internet and gets a proxy error.
Let me know some points and vectors to look into!!!
Waiting.
The only time ISE would perform traffic redirection is when you are doing things like CWA (Central Web Authentication), Posture Assessment, etc. If you are just doing basic dot1x/MAB authentication then ISE just decides who gets on the network and what type of access that person/device gets.
With that being said, what happens if you remove dot1x authentication from the port? Can the client reach ISE then? (you can quickly remove dot1x by issuing no authentication port-control auto)
Other things to try:
1. Remove the dACL
2. In the authorization rule, return the default "permit access"
3. Remove the ACL on the FW
4. Anything else that might be affecting the connection
With the process of elimination you should be able to find the root cause of the issue
Thank you for rating helpful posts! -
Dot1x/mab multiple clients
Hi,
We would like to authenticate (with dot1x/MAB) more than one MAC address on a port. When a user connects his workstation the switch must put the workstation in a VLAN, and when the user starts a VMware in bridged mode the switch must put the VMware in a VLAN trunk. Can anyone help me; are Cisco switches able to do this?
Thanks, Dominik
Hi Dominik
You can't run dot1x on a trunk, generally speaking. There's only one scenario where you can run dot1x in a special trunking setup, that is using multi-domain authentication (MDA) using VoIP phones. There are some restrictions to that which you can find out reading through the Config Guide. -
Cisco ISE: Dot1x failing and MAB succeeded (Intermittent) /or Posture Delay
Hi,
We are running Cisco ISE 1.1.3, configured for Dot1x and MAB authentication. PCs are getting access through MAB while Dot1x fails again and again. But sometimes the same PC gets authenticated via Dot1x. Connectivity is intermittent. Also, it sometimes gets stuck longer in Posture.
We have three different switches at the moment with the latest IOS version.
1) WS-C4507R-E = 15.1(2)SG,
2) WS-C3560-48PS = 12.2(55)SE7
3) WS-C3750X-24P = 15.0(2)SE1
Could anyone pitch in an idea, or advise about the latest IOS for the switches?
Let me know, if you need more information.
Thanks,
Regards,
Mubahser
It seems your PCs are failing dot1x and also failing MAB authentication; the switch by default will start the process again and will again fail dot1x and MAB authentication, and so on.
It will be helpful to see the logs from both the switch and the RADIUS server (I take it it is ACS or ISE), and also the configuration of the RADIUS server. -
ISE - dot1x EAP TLS for Cisco IP Phones
Hi Gents,
I have a question about the CA configs for ISE or ACS.
As I understand, the LSC certificate is issued by the CUCM by its Certificate Authority Proxy Function. If an IP Phone needs to be authenticated by its LSC (Locally Significant Certificate), which of the following CAs do we need to trust:
1. Cisco CA Certificate
2. CUCM Locally signed Certificate or CUCM Identity Certificate
And if these certificates are imported into ISE/ACS, will ISE/ACS be able to authenticate the IP Phone if dot1x EAP-TLS authentication is enabled for IP Phones?
Are there any other configs needed?
I would highly appreciate it if someone could clarify this process for me.
Regards,
I got the answer for the first part of the EAP-TLS authentication: Phone authentication
In an IEEE 802.1X authentication, the AAA server is responsible for validating the certificate provided by the phone. To do this, the AAA server must have a copy of the root CA certificate that signed the phone's certificate. The root certificates for both LSCs and MICs can be exported from the CUCM Operating System Administration interface and imported into your AAA server
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000412
As this is EAP TLS, Server (ISE/ACS) is also required to authenticate itself to the phone.
What is needed for this? -
I have configured MAB (MAC Authentication Bypass) with MDA (Multi Domain Access). All devices are successfully authenticating with their respective VLANs. MAB devices are getting authenticated as Voice.
I am using ACS (RADIUS) for authentication and DHCP relay.
The problem is that the voice device is not getting an IP from the DHCP server. There is no error reported on the switch or RADIUS. Without Dot1x everything is working.
switchport access vlan 105
switchport mode access
switchport voice vlan 108
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
dot1x mac-auth-bypass eap
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x max-req 1
dot1x guest-vlan 105
spanning-tree portfast
spanning-tree bpduguard enable
ip verify source
We are using a 3-layer model (Core, Distribution & Access) and all VLAN interfaces are on the distribution.
I am passing av-pair value device-traffic-class=voice from ACS
We are using ACS 4.1 for windows and ACS is successfully authenticating both devices.
Even "show dot1x interface" shows proper authentication with the proper domain -
Ciao,
I have not found a field to insert a description for a MAC address. Is there a possibility in ISE to do this?
Iarno Pagliani
Unfortunately not. That is something that I have suggested in the past. I would recommend that you check with your local Cisco account manager and make a suggestion as well. The more the better.
Thank you for rating ! -
Cisco ISE - dot1x behavior after returning from sleep mode
Hi,
In an ISE deployment, when a machine returns from sleep mode, it does the re-authentication process.
Is it possible to restore the same session?
If not, is it possible to let the authentication re-run but make the NAC agent not run, or run in the background?
Similar discussions here:
https://supportforums.cisco.com/discussion/11686306/reauthentication-problem-endpoints-using-cisco-ise-11 -
[Cisco ISE 1.2 with 3850 - Trunk AP] Problem with MAB
Hi everyone,
After reading some documentation about using MAB on a trunk port with the 3850, I would like to know if someone has implemented ISE policies with a 3850 interface in trunk mode. My problem is that when I try using MAB on a trunk port the MAC address of the AP is not visible in "show mac address interface", and because of that the AP is not authenticated in ISE. The thing is that if I use a 2960 everything goes smoothly with no problems!
Let me show you what I have,
interface GigabitEthernet1/0/3
description AP
switchport trunk native vlan 999
switchport mode trunk
trust device cisco-phone
authentication event fail action next-method
authentication host-mode multi-host
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x max-req 4
auto qos voip cisco-phone
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
############################################# switch model - 3850 ##################################################
SW1#sh mac address-table interface GigabitEthernet1/0/3
Mac Address Table
Vlan Mac Address Type Ports
SW1#sh dot1x interface Gi1/0/3
Dot1x Info for GigabitEthernet1/0/3
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 4
TxPeriod = 30
Switch Ports Model SW Version SW Image Mode
* 1 56 WS-C3850-48P 03.03.03SE cat3k_caa-universalk9 INSTALL
############################################# Different switch model - 2960 ##################################################
interface GigabitEthernet1/0/1
description AP
switchport trunk native vlan 999
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication host-mode multi-host
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x max-req 4
auto qos voip cisco-phone
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
SW1#$cation sessions interface GigabitEthernet1/0/1
Interface: GigabitEthernet1/0/1
MAC Address: xxxx.xxxx.4a38
IP Address: 172.18.1.170
User-Name: xx-xx-xx-xx-4A-38
Status: Authz Success
Domain: DATA
Oper host mode: multi-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A18129D000060E39DAE8A8A
Acct Session ID: 0x0000725D
Handle: 0x0F00028C
Runnable methods list:
Method State
mab Authc Success
Switch Ports Model SW Version SW Image
1 28 WS-C2960X-24PS-L 15.0(2)EX5 C2960X-UNIVERSALK9-M
SW2#sh dot1x interface Gi1/0/1
Dot1x Info for GigabitEthernet1/0/1
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 4
TxPeriod = 30
Am I doing something wrong?
BR,
I know what you mean and I agree with what you are saying :) Nonetheless, at the moment, the official stance from Cisco on this is that 802.1x is not supported on trunk ports. Now one can argue that MAB is different, but I think we are just splitting hairs here :)
Like I said, I have gotten stuff to work before but always had some goofy things happening so in general I have stayed away from doing it.
Now in your situation, if your configuration is working fine on the 2960 but not on the 3850, then most likely the issue is with the XE code running on the 3850s. The XE code has been very problematic until recently so you are probably hitting some sort of a defect. As a result, I recommend that you upgrade the switch(es) to 3.3.5 or 3.6.1. Version 3.7.x is also out but it just came out 8 days ago so I would not recommend going to it.
Thank you for rating helpful posts! -
ISE Wired DOT1X authorization fails
I'm configuring wired dot1x, and it won't work. My end goal is to use machine/user authentication for this wired profile, but for now, because of issues I'm just attempting wired user authentication. Below is what I have
-authorization profile to allow a user based on the default (wired dot1x) and AD memberOF to get the person into the network
-the network card on the computer is set up to use "user authentication" inside of the NIC authentication tab....this is PEAP by the way.
Here is what I am seeing. I do a reboot of the machine, and the login for Windows comes up and I login. Once in Windows I look at the NIC and it says Authentication failed. ISE says that it PASSED and used my authorization profile to pass it and says that it sent my dacl. Doing a show authentication session int gi8/36 says "status authz FAILED".
I get the same thing if I use both machine and user. Machine boot->login->ISE says there was a successful authentication for the machine and sends a dACL->sh auth sess int gi8/36 says status authz failed on the switch, and the NIC shuts due to failed authentication, after which it's obviously not going to pass the user side of my policy. This is driving me nuts. If anyone could help it would be greatly appreciated. Below is the config info. Thanks
Windows machines are Win7/64
switch is 6509e with 12.2(33)SXI 11 running on it.
Interface: GigabitEthernet8/36
MAC Address: 10ee.f10c.4820
IP Address: Unknown
User-Name: jcarrabine
Status: Authz Failed
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A800C010000018CF35CA5D8
Acct Session ID: 0x0000077B
Handle: 0x0000018C
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
Dot1x Info for GigabitEthernet8/36
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_AUTH
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 10
interface GigabitEthernet8/36
description TEST PORT
switchport
switchport access vlan 52
switchport mode access
switchport voice vlan 143
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity 10
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
end
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
ip radius source-interface Loopback0
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server host 10.128.12.41 auth-port 1812 acct-port 1813 key 7 061106324961273C464640
radius-server host 10.126.12.41 auth-port 1812 acct-port 1813 key 7 120E0C0417242221697A76
radius-server vsa send accounting
radius-server vsa send authentication
I fixed this issue. So to the trained eye this should be obvious. The authz ultimately failed not because of my authorization policies, but because I have no default permit ip any any ACL on the port. This is a requirement for the IOS I'm running. The dACLs cannot be applied to the switchport without it, and thus it will throw the port into an authz fail.
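The root cause found in this thread (no static inbound ACL on the port, so the dACL could not be applied and the session ended in "Authz Failed" while ISE reported success) can be caught before deployment. As an added example, not from this thread or from Cisco, here is a small Python lint over IOS interface blocks that reports that gap, open mode without a pre-auth ACL, and ports where 802.1X is not enabled ('dot1x pae authenticator' missing); the sample configuration is trimmed from port configs quoted on this page.

```python
"""Lint IOS access-port configs for the dACL precondition found in the thread above.

On the IOS releases discussed here a downloadable ACL (dACL) is only applied to a
port that already carries a static inbound ACL; without one the session ends in
"Authz Failed" even though ISE reports success. The lint walks every interface
block and reports that gap plus two related observations.
"""
import re

ACL_RE = re.compile(r"^ip access-group (\S+) in$")


def split_interfaces(config_text):
    """Return {interface_name: [stripped config lines]} for each interface block."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "end":
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def lint_port(lines):
    """Return the findings for one interface block (an empty list means clean)."""
    findings = []
    authenticating = ("authentication port-control auto" in lines
                      or "dot1x port-control auto" in lines)
    if not authenticating:
        return findings  # port does not run 802.1X/MAB, nothing to check
    static_acl = None
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            static_acl = m.group(1)
    if static_acl is None:
        findings.append("no static 'ip access-group <acl> in': the dACL cannot be applied "
                        "on this IOS, expect 'Authz Failed' after a successful authentication")
        if "authentication open" in lines:
            findings.append("'authentication open' without a pre-auth ACL: all traffic is "
                            "forwarded before authentication completes")
    if "dot1x pae authenticator" not in lines:
        findings.append("'dot1x pae authenticator' missing: 802.1X is not enabled on this "
                        "port, only MAB can run")
    return findings


def lint_config(config_text):
    """Lint every interface block; returns {interface_name: [findings]}."""
    return {name: lint_port(lines)
            for name, lines in split_interfaces(config_text).items()}


# Sample input: three port configurations quoted in the threads on this page (the
# 6509 test port, the 3650 VoIP/Data port and the 3560 MAB-only port), trimmed to
# their authentication-relevant lines.
SAMPLE_CONFIG = """
interface GigabitEthernet8/36
 switchport access vlan 52
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
end
interface FastEthernet0/13
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
end
interface GigabitEthernet0/2
 switchport access vlan 451
 switchport mode access
 ip access-group ACL-AD in
 authentication port-control auto
 mab
end
"""

if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```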
-
ISE first authorization sucess and then fail (MAB)
Hi,
Using ISE 1.1.1 and Switch 3650 12.2(55)SE6.
I have a client (computer) that should be authenticated with MAB, and then the switch port should be assigned a dACL and VLAN 90. I do get
"Authorization succeeded" but directly after it fails and I can't figure out why. ISE only shows the successful authentication under "Live Authentications".
As you can see from the log below, 802.1x fails, as it should, then MAB succeeds, assigns the VLAN and then fails:
0002SWC002(config)#int fa0/13
0002SWC002(config-if)#shut
0002SWC002(config-if)#
Jan 7 13:26:59.640: %LINK-5-CHANGED: Interface FastEthernet0/13, changed state to administratively down
Jan 7 13:27:00.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
0002SWC002(config-if)#no shut
0002SWC002(config-if)#
Jan 7 13:27:19.689: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
Jan 7 13:27:22.063: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
Jan 7 13:27:22.776: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:23.070: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
Jan 7 13:27:51.054: %DOT1X-5-FAIL: Authentication failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID
Jan 7 13:27:51.054: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.054: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.054: %AUTHMGR-5-START: Starting 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %MAB-5-SUCCESS: Authentication successful for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %AUTHMGR-5-VLANASSIGN: VLAN 90 assigned to Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.096: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT APPLY
Jan 7 13:27:51.096: %EPM-6-IPEVENT: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-WAIT
Jan 7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:52.027: %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENTReplacing duplicate ACE entry for host 10.90.5.1
Jan 7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:52.036: %EPM-6-POLICY_REQ: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT REMOVE
After this the process starts over again.
This is the switch port config:
interface FastEthernet0/13
description VoIP/Data
switchport mode access
switchport voice vlan 20
switchport port-security
switchport port-security violation restrict
ip access-group ACL-ALLOW in
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 2.00 1.00
storm-control multicast level 2.00 1.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
service-policy input ax-qos_butnet
ip dhcp snooping limit rate 5
end
Is there a problem with the client (computer) or in ISE/Switch?
Hi Tarik,
First off; thank you for helping me troubleshoot this problem.
I think the "IP-" part of "IP-ACL-IWMAC" is being added automatically (in the switch maybe?). I see this behaviour on other dACLs too. I did not change the name of the ACL.
You seem to have a valid theory about the icmp statement. I changed it to "permit icmp any any" and it seems to work. But I can't explain why this is happening.
When I look at the debugs I see this difference
With the original ACL I get this:
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT APPLYReplacing duplicate ACE entry for host 10.90.5.1
%EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-RELEASE
%EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-WAIT
%AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000053E70733F4
When using "permit icmp any any" I get this:
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000055E70B8E7D| AUTHTYPE DOT1X| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-ACL-IWMAC-50eea905| EVENT DOWNLOAD-REQUEST
I tried googling but can't find what "Replacing duplicate ACE entry for host xxx" means.
I have added debugs in attachment.
device1_orig_acl - the non-working device with the original ACL
device1_any_any - the non-working device with permit icmp any any
working_device_orig_acl - the device that works with the original ACL
Do you have an answer to why this is happening?
Regards,
Philip -
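The success-then-fail loop in the console log above is what a detector should key on. As an added example (not from the thread or from Cisco), this Python script groups IOS auth-manager lines by AuditSessionID and flags sessions that are authorized and then fail within a few seconds, recording the EPM dACL events in between and the glued-on "Replacing duplicate ACE entry" debug text that turned out to be the clue here. The sample log is the thread's own lines re-joined, plus one constructed healthy session.

```python
"""Flag 802.1X/MAB sessions that are authorized and then fail moments later.

Groups Cisco IOS auth-manager console lines (%AUTHMGR, %MAB, %DOT1X, %EPM) by
AuditSessionID and reports AUTHMGR-5-SUCCESS followed by AUTHMGR-5-FAIL within a
short window, with the dACL (EPM) events seen in between.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d\.\d{3}):\s+"
    r"%(?P<fac>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+):\s+(?P<msg>.*)$")
SESSION_RE = re.compile(r"AuditSessionID\s+([0-9A-F]+)")
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")
START_RE = re.compile(r"Starting '(\w+)'")
VLAN_RE = re.compile(r"VLAN (\d+) assigned")
EPM_EVENT_RE = re.compile(r"EVENT\s+([A-Z-]+)")
DUP_ACE = "Replacing duplicate ACE entry"  # debug output glued onto an EPM line

@dataclass
class Event:
    ts: datetime
    name: str                 # e.g. "AUTHMGR-5-SUCCESS"
    session: Optional[str]    # AuditSessionID; None when truncated or absent
    mac: Optional[str]
    method: Optional[str]     # 'dot1x' or 'mab', from AUTHMGR-5-START
    vlan: Optional[str]       # from AUTHMGR-5-VLANASSIGN
    epm_event: Optional[str]  # APPLY, IP-WAIT, IP-ASSIGNMENT, REMOVE, ...
    dup_ace: bool

def parse_line(line):
    """Parse one console line; returns None for prompts and non-syslog output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m["msg"]
    dup = DUP_ACE in msg
    if dup:
        msg = msg.split(DUP_ACE, 1)[0]  # keep the EVENT token intact
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f")
    epm = EPM_EVENT_RE.search(msg) if m["fac"] == "EPM" else None
    grp = lambda mt: mt.group(1) if mt else None
    return Event(ts, f"{m['fac']}-{m['sev']}-{m['mnem']}", grp(SESSION_RE.search(msg)),
                 grp(MAC_RE.search(msg)), grp(START_RE.search(msg)),
                 grp(VLAN_RE.search(msg)), grp(epm), dup)

def find_authz_flaps(lines, window_s=5.0):
    """One finding per session whose authorization succeeded, then failed within window_s."""
    by_session = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev.session:  # lines with a truncated AuditSessionID are skipped
            by_session[ev.session].append(ev)
    findings = []
    for sid, events in by_session.items():
        events.sort(key=lambda e: e.ts)  # stable: equal timestamps keep log order
        method = vlan = success = None
        between = []
        for ev in events:
            method = ev.method or method
            vlan = ev.vlan or vlan
            if ev.name == "AUTHMGR-5-SUCCESS":
                success, between = ev, []
            elif success and ev.epm_event:
                between.append(ev.epm_event)
            elif success and ev.name == "AUTHMGR-5-FAIL":
                delta = (ev.ts - success.ts).total_seconds()
                if delta <= window_s:
                    findings.append({"session": sid, "mac": ev.mac, "method": method,
                                     "vlan": vlan, "seconds": delta, "epm_events": between,
                                     "dup_ace": any(e.dup_ace for e in events)})
                success = None
    return findings

# Sample input: the thread's console log with wrapped lines re-joined, plus one
# constructed healthy MAB session (0011.2233.4455, session ...DEADBEEF) for contrast.
SAMPLE_LOG = """\
0002SWC002(config-if)#no shut
Jan 7 13:27:22.776: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.054: %DOT1X-5-FAIL: Authentication failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID
Jan 7 13:27:51.054: %AUTHMGR-5-START: Starting 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %MAB-5-SUCCESS: Authentication successful for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %AUTHMGR-5-VLANASSIGN: VLAN 90 assigned to Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.096: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT APPLY
Jan 7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:52.027: %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENTReplacing duplicate ACE entry for host 10.90.5.1
Jan 7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:52.036: %EPM-6-POLICY_REQ: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT REMOVE
Jan 7 13:30:01.200: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Fa0/14 AuditSessionID 0A0005FC00000021DEADBEEF
"""

if __name__ == "__main__":
    for f in find_authz_flaps(SAMPLE_LOG.splitlines()):
        print(f"{f['session']} {f['mac']} via {f['method']} vlan {f['vlan']}: authorized then "
              f"failed after {f['seconds']:.3f}s, EPM={f['epm_events']}, dup ACE={f['dup_ace']}")
```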
MAB / IP Phone / ISE - Works Fine for a Few Minutes -
Hello, I have trouble with MAB.
I have a 3560 switch configured with MAB for authentication, and I have an ISE.
I tried with Multi-Domain Authentication, and priority dot1x mab.
In the end, I have this configuration on the port.
interface GigabitEthernet0/2
switchport access vlan 451
switchport mode access
ip access-group ACL-AD in
shutdown
authentication port-control auto
mab
spanning-tree portfast
spanning-tree bpduguard enable
end
This configuration works, but just for a few minutes; I don't know why after this time the dACL is dropped.
As you can see in these logs, after these events the dACL is removed...
I attach the entire configuration.
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:06:47.660: AAA/AUTHOR: auth_need : user= 'axtel' ruser= 'MS-C3560-1'rem_addr= '172.18.2.1' priv= 15 list= '' AUTHOR-TYPE= 'commands'
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#show authentication sessions interface gig0/2 details
09/15/19:06 - Interface: GigabitEthernet0/2
09/15/19:06 - MAC Address: 0c85.253e.9229
09/15/19:06 - IPv6 Address: Unknown
09/15/19:06 - IPv4 Address: 172.31.3.4
09/15/19:06 - User-Name: 0C-85-25-3E-92-29
09/15/19:06 - Status: Authorized
09/15/19:06 - Domain: DATA
09/15/19:06 - Oper host mode: single-host
09/15/19:06 - Oper control dir: both
09/15/19:06 - Session timeout: N/A
09/15/19:06 - Common Session ID: AC1869FC00000030265556C0
09/15/19:06 - Acct Session ID: 0x00000023
09/15/19:06 - Handle: 0xD1000016
09/15/19:06 - Current Policy: POLICY_Gi0/2
09/15/19:06 -
09/15/19:06 - Local Policies:
09/15/19:06 - Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
09/15/19:06 - Security Policy: Should Secure
09/15/19:06 - Security Status: Link Unsecure
09/15/19:06 -
09/15/19:06 - Server Policies:
09/15/19:06 - ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-517998c3
09/15/19:06 -
09/15/19:06 - Method status list:
09/15/19:06 - Method State
09/15/19:06 - mab Authc Success
09/15/19:06 -
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:06:51.913: AAA/AUTHOR: auth_need : user= 'axtel' ruser= 'MS-C3560-1'rem_addr= '172.18.2.1' priv= 15 list= '' AUTHOR-TYPE= 'commands'
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:07:05.823: AUTH-EVENT: [0c85.253e.9229, Gi0/2] Received internal event SINGLE_ID_UPDATE (handle 0xD1000016)
09/15/19:06 - Sep 16 00:07:05.823: AUTH-SYNC: [0c85.253e.9229, Gi0/2] Delay remove sync of addr for 0c85.253e.9229 / 0xD1000016
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:07:05.823: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0c85.253e.9229| AuditSessionID AC1869FC00000030265556C0| EVENT IP-RELEASE
09/15/19:07 - MS-C3560-1#show authentication sessions interface gig0/2 details
09/15/19:07 - Interface: GigabitEthernet0/2
09/15/19:07 - MAC Address: 0c85.253e.9229
09/15/19:07 - IPv6 Address: Unknown
09/15/19:07 - IPv4 Address: Unknown
09/15/19:07 - User-Name: 0C-85-25-3E-92-29
09/15/19:07 - Status: Authorized
09/15/19:07 - Domain: DATA
09/15/19:07 - Oper host mode: single-host
09/15/19:07 - Oper control dir: both
09/15/19:07 - Session timeout: N/A
09/15/19:07 - Common Session ID: AC1869FC00000030265556C0
09/15/19:07 - Acct Session ID: 0x00000023
09/15/19:07 - Handle: 0xD1000016
09/15/19:07 - Current Policy: POLICY_Gi0/2
09/15/19:07 -
09/15/19:07 - Local Policies:
09/15/19:07 - Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
09/15/19:07 - Security Policy: Should Secure
09/15/19:07 - Security Status: Link Unsecure
09/15/19:07 -
09/15/19:07 - Server Policies:
09/15/19:07 -
09/15/19:07 - Method status list:
09/15/19:07 - Method State
09/15/19:07 - mab Authc Success
09/15/19:07 -
09/15/19:07 - MS-C3560-1#
The vsa commands seem to be turned on by default.
MS-C3560-1#sh run | inc vsa
MS-C3560-1#
MS-C3560-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
MS-C3560-1(config)#radius-server vsa send ?
accounting Send in accounting requests
authentication Send in access requests
cisco-nas-port Send cisco-nas-port VSA(2)
<cr>
MS-C3560-1(config)#radius-server vsa send accounting
MS-C3560-1(config)#radius-server vsa send authentication
MS-C3560-1(config)#
MS-C3560-1(config)#
MS-C3560-1(config)#end
MS-C3560-1#sh run | inc vsa
MS-C3560-1#
For the ISE, I don't have any events for auth fail or something. -
ISE MAB is not Triggered for Linux Host
Hello,
We have configured MAB for hosts that do not support 802.1x, and in general it is working for most of the devices. For some Linux machines, however, MAB is never triggered, i.e. the "debug mab all" and "debug radius" commands do not produce any output for the port. The "show authentication session interface" command shows the 802.1x failover to MAB, and after it the MAB process starts to run but stays in the running state without finishing.
If we put another MAB host such as Windows 7 or XP or a printer, it works properly, passing the MAB authentication and getting the assigned VLAN. If we put the port to the normal "switchport mode access" and "switchport access vlan x", the device shows up in the MAC address table of the switch and starts to work.
As additional steps we have configured "authentication mode open" and "dot1x control-direction in" in order to trigger or start the MAB process by allowing the packets out, but in the "show interface" command output the input packets counter remains 0, although the output packet counter seems to increase continuously to 1000 and above.
The IP addresses are static, and it is a requirement, so DHCP may trigger MAB but this is not a choice currently.
IP device tracking is enabled, but again this did not change anything.
Any recommendations or workarounds for this problem? Although it seems an endpoint issue, in that it never produces a single packet, there may be some solutions to trigger MAB or make the switch learn the MAC address of the Linux host, i.e. a keepalive. We are also looking at the host side.
The port configuration is:
switchport access vlan 98
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 97
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
Thanks in Advance,
Best Regards,
Hi Ravi,
Since the linux is some kind of embedded linux, we could not get the tcp dump on the PC itself, but tried to see what is going on with a span of this port. What is interesting is that the machine does not produce even a single ethernet or IP packet and remains completely silent. (We thought dhcp would be solution but the configuration file only allows to statically assign IP address).
What we think is that somehow the machine starts to send packets after receiving a packet like Wake on LAN or ARP. As you see in the port configuration the machine starts in VLAN 98, so in this VLAN it is not possible to get this packet from any other hosts on the same IP subnet, since the IP of the host is in VLAN 6. But in order for ISE to assign this VLAN 6 to the port with MAB, the MAC address of the host needs to be authenticated, which is not occurring because of the silence problem.
As a workaround to a similar problem, we changed the "switchport access vlan 98" to "switchport access vlan 6", and with this configuration the MAC address is learned, the host is authenticated by ISE and the port is assigned to VLAN 6 dynamically, which is observed in the "show authentication session interface" command output. This is also not accepted because the access port configuration is required to be as standard as possible due to changing of the cabling frequently. So every MAB host should start with a PreAuthentication VLAN, and go to the final VLAN after authentication and authorization with posture checking or profiling.
As a second workaround these kind of machines are being worked on supporting dot1x, but this is a tedious process because often you need to escalate to the producer, and enhancement requests often prolong to be confirmed or denied.
Since we meet this problem also with some Printers, we think this is a problem of the TCP/IP Stack of the Operating System of the host. We are searching if there can be some mechanism to be able to make the host start conversation with a packet through a keepalive or some other protocol (or a script) that can be enabled.
Best Regards,
-
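The silent-host thread above turns on how long a port configured with "authentication order dot1x mab" waits before it even tries MAB. This added example (not from the thread or from Cisco) parses the relevant lines of such a port configuration and computes that fallback delay using the IOS rule tx-period x (max-reauth-req + 1); the interface name and the "switchport access vlan 98" line in the sample are constructed from what the poster describes.

```python
import re

DEFAULT_TX_PERIOD = 30      # IOS default for "dot1x timeout tx-period" (seconds)
DEFAULT_MAX_REAUTH_REQ = 2  # IOS default for "dot1x max-reauth-req"

# Constructed sample: the access-port lines from the thread above plus an assumed
# "switchport access vlan 98" line for the pre-authentication VLAN the poster mentions.
SAMPLE_PORT_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 98
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 97
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x timeout tx-period 10
"""

def parse_port(config: str) -> dict:
    """Extract the fields that decide how long a silent host waits for MAB."""
    info = {"order": [], "tx_period": DEFAULT_TX_PERIOD,
            "max_reauth_req": DEFAULT_MAX_REAUTH_REQ, "preauth_vlan": None}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"authentication order (.+)", line):
            info["order"] = m.group(1).split()
        elif m := re.fullmatch(r"dot1x timeout tx-period (\d+)", line):
            info["tx_period"] = int(m.group(1))
        elif m := re.fullmatch(r"dot1x max-reauth-req (\d+)", line):
            info["max_reauth_req"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            info["preauth_vlan"] = int(m.group(1))
    return info

def mab_fallback_seconds(info: dict) -> int:
    """Seconds before the switch tries MAB for a host that never speaks EAPOL.
    With "order dot1x mab" the authenticator sends max-reauth-req + 1 EAP
    Request/Identity frames, tx-period apart, before 802.1X times out and the
    next method (MAB) runs; with MAB first there is no wait."""
    if not info["order"] or info["order"][0] == "mab":
        return 0
    return info["tx_period"] * (info["max_reauth_req"] + 1)

if __name__ == "__main__":
    port = parse_port(SAMPLE_PORT_CONFIG)
    print(f"methods {port['order']}, pre-auth VLAN {port['preauth_vlan']}, "
          f"MAB attempted after {mab_fallback_seconds(port)} s of silence")
```

With the thread's tx-period of 10 the MAC is only tried after 30 seconds; with IOS defaults it would be 90 seconds, which is why a host that sends nothing until it is spoken to never leaves the pre-authentication VLAN.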
ISE with dot1x and Posture deployment in parallel with certain users
Hi,
We want to deploy ISE in sequential order, meaning that I will initially have all users authenticated/authorized with dot1x/MAB etc., then only on certain locations or for certain users have posture condition validation/verification while others not.
Can someone please advise whether this approach is possible? As far as I understand, once you have posture policies in place as an authorization rule, it will hit all the users. This may be possible where you can match the switch or the location as a separate condition, but if all users are spread/mixed we just need to find a simple way how to do it, or whether it is not possible?

We have modified the attached policy on rules 04 and 05 (from top) and added a new condition Device Location Equals "Switch1". According to this rule, any user connected to Switch1 only does the posture, and the same user PC connected to any other switch (other than Switch1) should do only the dot1x/MAB (rules 1-3). But in our case, when the user PC connects to any other switch than Switch1, it hits the ISE default policy (not included in this attachment) and also pops up the NAC Agent and does the posturing.
Questions:
- Why is the PC/user not hitting rules 1-3 and going to the default rule?
- Why is the PC/user doing posture where there's no posture rule hitting?
Hi,
First of all, I would assume you configured the PC for machine or user authentication.
So, when a user connects to the network using another switch, not switch1, it will get 2 hits:
1. Computer authentication - this PC is part of Domain Computers
2. Default rule - because you configured (domain) user authentication for dot1x requests that are received only from switch1!
You haven't specified a rule for domain users alone (with no location condition) and with no posture.
You have to add something like this:
1. dot1x + Domain PC
2. dot1x + Domain User + location + preposture
3. dot1x + Domain User + location + posture compliant
4. dot1x + Domain User (and no posture condition)
To answer your second question, even though you've excepted a certain user from posture, if NAC Agent is installed, it will pop up and it will say that you're compliant, so practically it isn't doing posture.
(http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html)
Generating a Posture Requirement: The run-time services request the posture requirement for the endpoint by looking up the role to which the user belongs and the operating system on the client. If you do not have a policy associated with the role, then the run-time services communicate to the NAC Agent with an empty requirement. If you have a policy associated with the role, then the run-time services run through the posture policies, through one or more requirements associated with the policies, and for each requirement through one or more conditions.
If you want to roll out posture, you could use exception rules (check the top section of authorization rules), or you could do only posture audit for your rules so that everyone can get network access even though they're not compliant.
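The answer above comes down to first-match evaluation of the authorization policy: with the Domain User rules bound to Switch1, a domain user on any other switch matches nothing and falls to Default. This added example (not from the thread or from ISE) models that evaluation with the poster's three rules and the reply's fourth rule; the rule names, group names and the "Switch2" location are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Request:
    """What ISE sees for one session (constructed sample attributes)."""
    identity_group: str       # e.g. "Domain Computers" or "Domain Users"
    location: str             # Network Device Group location of the switch
    posture: str = "Unknown"  # posture status: Unknown, Compliant or NonCompliant

@dataclass
class Rule:
    """One authorization rule; None means the condition is not present."""
    name: str
    group: str
    location: Optional[str] = None
    posture: Optional[str] = None

    def matches(self, req: Request) -> bool:
        return (req.identity_group == self.group
                and (self.location is None or req.location == self.location)
                and (self.posture is None or req.posture == self.posture))

def evaluate(policy: List[Rule], req: Request) -> str:
    """First-match, top-down evaluation; anything unmatched hits the Default rule."""
    for rule in policy:
        if rule.matches(req):
            return rule.name
    return "Default"

# The poster's policy: the user rules (04/05) carry Device Location = Switch1,
# so a domain user on any other switch matches nothing above Default.
POSTER_POLICY = [
    Rule("01 Domain PC", "Domain Computers"),
    Rule("04 User preposture", "Domain Users", location="Switch1", posture="Unknown"),
    Rule("05 User compliant", "Domain Users", location="Switch1", posture="Compliant"),
]

# The reply's fix: a Domain User rule with no location and no posture condition,
# placed below the location-specific ones so Switch1 users still get posture.
SUGGESTED_POLICY = POSTER_POLICY + [Rule("06 Domain User, no posture", "Domain Users")]

if __name__ == "__main__":
    user_elsewhere = Request("Domain Users", "Switch2")
    print("poster's policy  ->", evaluate(POSTER_POLICY, user_elsewhere))
    print("suggested policy ->", evaluate(SUGGESTED_POLICY, user_elsewhere))
```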