ISE : MAB, SoA ...
Hello,
I'd like to implement Cisco ISE on my network so that 802.1x authentication will be operationnal.
When I give a look to this document : http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html#wp55038
There's a lot of Catalyst 2950 on my network and I see that some features aren't supported on these devices : MAB, dACL, SGA.
What are the consequences of these non-supported technologies ? I've found out for instance that MAB was used to authenticate devices which doesnt allow or support 802.1x, so will the printers of my network still work ?
And what about dACL and SGA ? Are these features really useful or isn't it that bad if I can't use them ?
Thanks.
If you want to manage your limited investment you can follow a phased implementation approach. Though it would be little laborious. You can swap 2950 switches with 2960 or 3750 wherever you have devices like printers. So you can connect your printers on either 2960 or 3750 switches only and PCs on 2950 switches. Then setup flexauth (MAB > dot1x) order and priority as required, on those switches where printers etc are connected. Jatin Katyal has righly suggested, I agree with him
With this approach, you can setup and enable all other features i.e. profiling, client provisioning, CoA for certain identity groups which are connected on supported switches (2960, 3750)
Note: Please make sure to review the IOS on your 2960 switches and compare the same in “ISE Network Component Compatibility Document”
Similar Messages
-
I'm working with the following lab:
ISE 1.1.3.124
3560 running c3560-ipservicesk9-mz.122-55.SE
Cisco AP (1131, 1231).
I'm attempting MAB. The AP is being profiled correctly and I'm seeing successful authen and authz. But the device (AP/whatever) cannot pickup a DHCP address. If I manually assign an IP, then no traffic flows through the switchport. DHCP works fine for ports with no security. The DACL is being applied and should permit the traffic - I've even tried a permit ip any any.
I've attached the switch config and some ISE screenshots / logs.
Some further details below.
Thanks to anyone if you can nudge me in the right direction.
## switch dot1x debug
%MAB-5-SUCCESS: Authentication successful for client (001b.2abc.5de0) on Interface Fa0/2 AuditSessionID C0A863FE000001392E8FE236
3560-1#
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-REQUEST
%EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-SUCCESS
%EPM-6-IPEVENT: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT IP-WAIT
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
3560-1#
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.2abc.5de0) on Interface Fa0/2 AuditSessionID C0A863FE000001392E8FE236
3560-1#sh authentication sessions int fa0/2
Interface: FastEthernet0/2
MAC Address: 001b.2abc.5de0
IP Address: Unknown
User-Name: 00-1B-2A-BC-5D-E0
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A863FE000001392E8FE236
Acct Session ID: 0x00000180
Handle: 0xFC000139
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
3560-1#sh authentication method mab
Interface MAC Address Method Domain Status Session ID
Fa0/2 001b.2abc.5de0 mab DATA Authz Success C0A863FE000001392E8FE236
3560-1#sh ip access-lists
Standard IP access list 10
10 permit 192.168.99.10 (9814 matches)
20 deny any log
Extended IP access list ACL_DEFAULT
10 permit udp any eq bootpc any eq bootps (71 matches)
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 permit ip any host 192.168.99.10
60 deny ip any any log
Extended IP access list ACL_REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 192.168.99.10
40 permit tcp any any eq www
50 deny ip any any
Extended IP access list xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6 (per-user)
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit ip any host 192.168.99.224
40 deny ip any any logIt is nice to see that you find the resolution the command “ip dncp snooping trust” Validates DHCP messages received from untrusted sources and filters out invalid messages.
-
ISE MAB Host Lookup - PAP or EAP-MD5
In the docs, it says that MAB uses PAP/ASCII or EAP-MD5 to pass the MAC as username / password.
In the attached setup, MAB is talking place successfully for an iPhone, without having PAP or EAP-MD5 enabled as Allowed Protocols.
Is the "Host Lookup" under allowed protocols, provides for the MAC address to be passed in PAP / EAP-MD5 even if these two protocols are not enabled below under the Authentication Protocols section of the configuration?
How could we dictate to our switch to start using EAP-MD5 to pass the MAC? If you look at the attached authentication details output, it lists in the AV Pair a EAP-Key. Is that it?
Thank you.
Cath.Hello Cath-
Question #1: Yes, I think you are correct. I believe that the "Host Lookup" is type of "protocol" used to process the MAB. If you look at the top of the authenticaiton session what do you under "Authentication Protocol?" My guess is that you see "Lookup" (see attached screen shot)
Question #2: You can force the switch to use EAP-MD5 by appending "EAP" to the "MAB" command under the individual ports:
interface fa0/1
mab eap
Things to conisider:
1) If you make that change the default/built-in condition in ISE "Wired-MAB" will have to be changed since the
service-type radius attribute will change from "Call Check" to "Framed." Thus, your MAB devices can easily skip the MAB authenticaiton rule and be denied on the network
2) Because the MAC address is sent in the clear text "Attribute 31" (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password
3) Because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server will not be able to easily differentiate MAB EAP requests from IEEE 802.1X requests
Here is a good document that you can reference as well:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
Hope this helps...
Thank you for rating! -
ISE MAB is not Triggered for Linux Host
Hello,
We have configured MAB for hostst that do not support 802.1x, and in general working for most of the devices. For Some linux machines however, MAB is never triggered, i.e "debug mab all" and "debug radius" commands do not produce any output for the port. "show authentication session interface" command shows the 802.1x fail over to MAB, and after it MAB process starts to run but stays in running state without finishing.
If we put another MAB host as Windows 7 or XP or Printer, it works properly passsing tthe MAB Authentication and assigned Vlan. If we put the port as to the normal "switchport mode access" and "switchport access vlan x", the device shows up in the MAC address table of the switch, and starts to work.
As additional steps we have configured "authentication mode open" and "dot1x control-direction in" inorder to trigger or start the MAB Process allowing the packets out, but the "show interface " command the input packets counter remains 0, although output packet counters seem to increase continously to 1000 and above.
The IP Addresses are static, and it is a requirement, so dhcp may trigger MAB but this is not a choice currently.
IP device tracking is enabled, but again this did not change anything
Any recommendations or workarounds for this Problem? Although seems an endpoint issue, that it never produces a single packet , there may be some
solutions to trigger MAB or learn the switch the Mac address of the Linux host, i.e. keepalive. We are also looking at the host side,
The port configuration is:
switchport access vlan 98
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 97
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
Thanks in Advance,
Best Regards,Hi Ravi,
Since the linux is some kind of embedded linux, we could not get the tcp dump on the PC itself, but tried to see what is going on with a span of this port. What is interesting is that the machine does not produce even a single ethernet or IP packet and remains completely silent. (We thought dhcp would be solution but the configuration file only allows to statically assign IP address).
What we think is that somehow the machine starts to send packets after receiving a packet like Wake on LAN or arp. As you see on the port configuration the machine starts in Vlan 98, so in this Vlan it is not possible to get this packet from any other hosts on the same IP subnet since the IP of the host is Vlan 6. But in order to ISE to assign this Vlan 6 to the port with MAB, Mac Address of the host needs to be authenticated, which is not occuring because of the silence problem.
As a workaround to a similar problem, we changed the "switchport access vlan 98" to "switchport access vlan 6" and with this configuration the Mac address is learned and the host is authenticated by ISE and port is assigned to Vlan 6 dynamically which is observed on "show authentication session interface" command output. This is also not accepted because the access port configuration is required to be as standard as possible due to changing of the cabling frequently. So every MAB host should start with a PreAuthentication Vlan, and go to final Vlan after Authentication and authorizaiton with Posture checking or profiling.
As a second workaround these kind of machines are being worked on supporting dot1x, but this is a tedious process because often you need to escalate to the producer, and enhancement requests often prolong to be confirmed or denied.
Since we meet this problem also with some Printers, we think this is a problem of the TCP/IP Stack of the Operating System of the host. We are searching if there can be some mechanism to be able to make the host start conversation with a packet through a keepalive or some other protocol (or a script) that can be enabled.
Best Regards, -
ISE mab authentication with Avaya/Nortel switches
Currently using Cisco ISE 1.1 to authentication both dot1x and mab from Cisco switches. Both features are authenticating properly.
When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
Could this be an issues with the username/password format in the Radius packet from the Cisco?
Thanks in advance for any assistance.
-KurtAs requested...
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fet
chBugDetails&bugId=CSCuc22732
MAB works from a cisco switch because the cisco switch places the mac address in the calling-station-attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name.This is the problem.
The radius RFC says the user name must be in the user-name attribute. The calling-station-attribute is not a required field and is used for the phone number of a voip phone. Basically, the ISE platform is looking at the wrong field for the mac address. -
ISE MAB to external Radius then MAB internal for Guest User auth
Hello guys,
we have the following requirements for our ISE Guest Access Deployment:
We want to provide guest access but only to non Company Laptops. To check if the Laptop is company or a non company Laptop we have have all MAC Addresses in our ACS server. So in my understanding we have to to the following.
Check the MAC Address against the External Radius Server (ACS)
If Access-Accept returns -> Deny Access
If Access-Deny returns -> Check MAC Address against Internal Endpoint Store
If User not found -> Guestflow
Right now i don´t no how i can sould design it but i need two Authentication Policys first for the redirect to the External Radius and then another one for check against internal Identity Endpoint Store. Am i right ? I don´t know if that is possible.
Really thanks for your help!!
Greetings
PhilipLet me ask you a quick question: Are all domain machines Windows and joined to AD?
-
ISE MAB authentication license usage
Hello all. If I need ISE to authenticate wireless user MAC addresses (MAC Address bypass) in order to facilitate central web authentication - does every concurrent device MAC address that accesses my guest wireless SSID and gets forwarded to ISE for authentication use up a license?
I have many users with smart phones and tablets that have the guest wireless SSID profile already saved and automatically connect to the guest SSID when in range. Most of these users do not go on to log in via central web authentication, but their MAC addresses get forwarded to ISE for authentication. Does ISE use up a license per MAC address?
Thanks,Hello-
Please take a look at the following link:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_d_man_license.html
So, in your situation, a license will be consumed even though the user never authenticates. This is because a license is consumed as soon as a session hits a rule in your AAA ISE policies. However, you can from the document that as soon as the session times out the endpoint would free the license. If for some reason an "accounting-stop" message is not received then after 5 days of inactivity the system will automatically free the license.
Hope this helps!
Thank you for rating helpful posts! -
Ip phone and pc VLAN security issue - ISE 1.0
Hello there.
We are about to implement IP phones to our current network and during testing I have found 2 issues.
1- ip phone connects to a protected port using ISE mab authentication for the data network.
The voice VLAN is set up static on the port. The pc VLAN is given by ISE profiling.
Then the issue is that once the pc connects to the VLAN it belongs to from the ip phone it leaves open that vlan on that port which means that if I connect another pc it will get the original VLAN the port had open up the connection with. This is a big security issue as computers that should not be allowed on specific VLAN can access them this way.
2- once the connection is up and running on the port for both the phone and the pc, there is re-authentication Happening every minute to ISE. The Authentication logs are getting so many messages for just one port. So once we convert from 2 ip phones to 500, that is definitely going to generate a lot of unnecessary traffic.
Let me know your thoughts...thanks
Port config info....below
interface GigabitEthernet0/2
description Extra port by Camilos Desk
switchport mode access
switchport voice vlan 220
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
mls qos trust cos
snmp trap mac-notification change added
auto qos trust
spanning-tree portfast
endOn # 1
You have the make sure that
"authentication host-mode multi-domain" command is under each port
This will allow one voice vlan and only one PC vlan at any given time. If you disconnect a PC and connect onother PC mac address to it, the phone will reinitialize to accept or reject the new mac based on its profile.
On #2
I have not found a solution. But what I have found after deployment is that it has happend only on 2 VOIP phones, out of 70 that we have as of now. So it might to be related to ISE.
On the other hand we are not using Cisco phones but mitel. So this might be a whole issueon itself.
Hope this helps. -
ISE 1.2, Supplicant configured for 802.1x but need to MAB
I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
Does anyone have any similoar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
Thanks in advanceMaybe the held-period and quite-period parameters would help. I would not change the TX period to anything shorter than 10 seconds. Every cisco doc that I have ever seen has said this same recomendation and I can tell you from experience you will have devices at times that will authenticate via MAB when you dont want them to if you decrease lower than 10 seconds.
Read this doc for best pratices including the timers listed below.
I hope this link works. http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
If not goto www.ciscolive365.com (signup if you havn't already) and search for
"BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
Change the dot1x hold, quiet, and ratelimit-period to 300.
held-period seconds
Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
quiet-period seconds
Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
ratelimit-period seconds
Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated For the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled. -
ISE 1.2 - MAB Guest and MAB Supplicant Provisioning
In short trying to provide a configuration whereby a Guest utilises MAB and a set of sponsor created credentials to gain access to Internet via the portal. In addition to this I am also trying to provide MAB for "Corporate BYOD" utilising AD credentials resulting in supplicant provisioning. I am aware of other ways of doing this in terms of utilising PEAP and a NSP redirect but in this instancemy only real option is MAB. Could anyone provide me with an example of how they have approached this situation.
I tried to to do CWA redirect for both use cases but provided a separate "2nd auth" for each of them. My BYOD 2nd auth was the actual NSP redirect - which worked except the MAC address could not be populated into the field (See flow below for BYOD redirect).
MAB > CWA Redirect (AD credentials) > "2nd Auth" = NSP RedirectPlease disregard I have it fixed. Long story short I was over engineering it. I was unaware that ISE was able to differentiate between Guest users and other users with regards to the "Enable Self Provisioning flow".
Thanks -
ISE 1.2 device registration with MAB only, no client provisioning
Hello,
Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning ?
I do not want to push certificates or native supplicant profiles to client devices.
I would just want AD users to register their MAC address, if MAC is not known. Add the MAC to some sort of group.
Then if MAC is known (in this group), skip registration and allow full access to the VLAN.
Right now, i am stuck on the registration portal that says "The system adminstrator has either nog configured or enabled a policy for your device". ?? It is true that my Client Provisioning screen is empty.
Am i really obliged to use native supplicant provisioning to register my device ?
GNHi
Device Registration web auth is a process where you can configure user without client provisioning.
In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with a AUP acceptance page when the guest user attempts to go to any URL.
2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC. -
[Cisco ISE 1.2 with 3850 - Trunk AP] Problem with MAB
Hi everyone,
After reading some documentation about using MAB in a trunk port with the 3850 I would like to know if someone has implemented ISE policies with a 3850 interface in trunk mode. My problem is that when I try using MAB in a trunk port the mac address of the AP it´s no visible in the "show mac address interface" and because of that the AP is not authenticated in ISE. The thing is that if I use a 2960 everything goes smoothly with no problems!
Let me show you what I have,
interface GigabitEthernet1/0/3
description AP
switchport trunk native vlan 999
switchport mode trunk
trust device cisco-phone
authentication event fail action next-method
authentication host-mode multi-host
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x max-req 4
auto qos voip cisco-phone
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
############################################# switch model - 3850 ##################################################
SW1#sh mac address-table interface GigabitEthernet1/0/3
Mac Address Table
Vlan Mac Address Type Ports
SW1#sh dot1x interface Gi1/0/3
Dot1x Info for GigabitEthernet1/0/3
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 4
TxPeriod = 30
Switch Ports Model SW Version SW Image Mode
* 1 56 WS-C3850-48P 03.03.03SE cat3k_caa-universalk9 INSTALL
############################################# Different switch model - 2960 ##################################################
interface GigabitEthernet1/0/1
description AP
switchport trunk native vlan 999
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication host-mode multi-host
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x max-req 4
auto qos voip cisco-phone
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
SW1#$cation sessions interface GigabitEthernet1/0/1
Interface: GigabitEthernet1/0/1
MAC Address: xxxx.xxxx.4a38
IP Address: 172.18.1.170
User-Name: xx-xx-xx-xx-4A-38
Status: Authz Success
Domain: DATA
Oper host mode: multi-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A18129D000060E39DAE8A8A
Acct Session ID: 0x0000725D
Handle: 0x0F00028C
Runnable methods list:
Method State
mab Authc Success
Switch Ports Model SW Version SW Image
1 28 WS-C2960X-24PS-L 15.0(2)EX5 C2960X-UNIVERSALK9-M
SW2#sh dot1x interface Gi1/0/1
Dot1x Info for GigabitEthernet1/0/1
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 4
TxPeriod = 30
Am I doing something wrong?
BR,I know what you mean and I agree with what you are saying :) Nonetheless, at the moment, the official stance from Cisco on this is that 802.1x is not supported on trunk ports. Now one can argue that MAB is different but I think we are just splitting hairs here :)
Like I said, I have gotten stuff to work before but always had some goofy things happening so in general I have stayed away from doing it.
Now in your situation, if your configuration is working fine on the 2960 but not on the 3850, then most likely the issue is with the XE code running on the 3850s. The XE code has been very problematic until recently so you are probably hitting some sort of a defect. As a result, I recommend that you upgrade the switch(es) to 3.3.5 or 3.6.1. Version 3.7.x is also out but it just came out 8 days ago so I would not recommend going to it.
Thank you for rating helpful posts! -
ISE 1.1/WLC 7.2 Wireless MAB and Profiling
I am trying to set up wireless MAB with CWA so that when devices connect to the open guest network they are profiled and if they match a device type (iphone, android) they are allowed access to the internet without AUP or Authentication and all other device type (including unknown) is redirected to the guest portal for authentication. My configuration works when devices are correctly profiled, the issue is that it appears that the RADIUS probes are the only profiling components working on the guest side. Devices are being correctly profiled on the corp network segment. The key profiling components I need to get a match on iphone is DHCP and HTTP user agent. Without those all iphones are categorized as an apple device and not iphone. I suspect this is because they are matching the MAC OUI from the RADIUS probe and MAC filtering with NAC RADIUS on the WLC. The ISE is on a seperate LAN from the guest and right now I am only allowing DNS and 8443 through the ASA. I also believe DHCP profiling is not working because the guest DHCP is running on the WLC internal DHCP and is not forwarding requests to the ISE for inspection because it will not relay the request to 2 servers, it just uses a secondary if the primary is unreachable.
Can someone point me in the right direction? I believe my Authentication, Authorization, and Identity Source Sequence, etc configuration is correct, but can post additional details if necessary. My main issue is the profiling probes and getting them working correctly on the guest LAN.What we did to get around this was to adjust the profiler policy for Apple-Device to take network scan action when MAC:OUI contains Apple. So basically the device connects to the wireless network, MAC filtering on the WLC identifies the OUI to belong to Apple and initiates an NMAP scan that properly identifies the OS of the iDevice. This allows iPhones to connect and other Apple devices like iPads to be redirected to the login portal.
We can also make similar adjustments to Android and other devices that require profiling to properly identify the device type. In this case, allowing SmartPhones to connect directly to the internet and all other devices to be redirected to the portal.
Hope that helps. -
Cisco ISE 1.3 MAB authentication.. switch drop packet
Hello All,
I have C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) switch..
and ISE 1.3 versoin..
MAB authentication is working perfectly at ISE end.. but while seeing the same at switch end.. I am seeing switch is droping packet on some ports..
while some ports are working perfectly..
Same switch configuration is working perfectly on another switch without any issue..
Switch configuration for your suggestion..!!
aaa new-model
aaa authentication fail-message ^C
**** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
^C
aaa authentication login CONSOLE local
aaa authentication login ACS group tacacs+ group radius local
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+ group radius
aaa server radius dynamic-author
client 172.16.95.x server-key 7 02050D480809
client 172.16.95.x server-key 7 14141B180F0B
aaa session-id common
clock timezone IST 5 30
system mtu routing 1500
ip routing
no ip domain-lookup
ip domain-name EVS.com
ip device tracking
epm logging
dot1x system-auth-control
interface FastEthernet0/1
switchport access vlan x
switchport mode access
switchport voice vlan x
authentication event fail action next-method
--More-- authentication host-mode multi-auth
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip tacacs source-interface Vlan10
ip radius source-interface Vlan10 vrf default
logging trap critical
logging origin-id ip
logging 172.16.5.95
logging host 172.16.95.x transport udp port 20514
logging host 172.16.95.x transport udp port 20514
snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
snmp-server view EVS-view internet included
snmp-server community S1n2M3p4$ RO
snmp-server community cisco RO
snmp-server trap-source Vlan10
snmp-server source-interface informs Vlan10
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
--More-- snmp-server enable traps tty
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 172.16.95.x version 2c cisco
snmp-server host 172.16.95.x version 2c cisco
snmp-server host 172.16.5.x version 3 auth evsnetadmin
tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
tacacs-server directed-request
--More-- tacacs-server key 7 107D580E573E411F58277F2360
tacacs-server administration
radius-server attribute 6 on-for-login-auth
radius-server attribute 25 access-request include
radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
radius-server timeout 2
radius-server key 7 060506324F41
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
exec-timeout 5 0
privilege level 15
logging synchronous
login authentication CONSOLE
line vty 0 4
access-class telnet_access in
exec-timeout 0 0
logging synchronous
--More-- login authentication ACS
transport input ssh24423 ISE has not been able to confirm previous successful machine authentication
Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. -
ISE/Wireless NAC...One SSID for MAB and Dot1X?
Hi,
I am running ISE 1.2 and WLC 7.5.102.
I would really like to have one SSID that can do a few different things in the following order...
1) A device could connect, hit the MAB rule, and be granted access without any type of authentication (Other than MAB) and be placed in VLAN x.
2) A device would be checked for the appropriate certificate. If this cert exists, the device is granted access.
3) If a device is not allowed in MAB, it will hit the next rule, which is the dot1x rule. The user will then be authenticated against the AD server.
4) Everything else hits default rule and is sent to web-auth portal.
I can't really think of a way to make this work with one SSID because from what I understand, you would need dot1x disabled on the SSID in order for MAB to work.
Any suggestions?
Thanks.two ssid's. no way around it
Maybe you are looking for
-
How to get Header in Downloaded .xls file using GUI_Download function
How to get Header in Downloaded .xls file using GUI_Download function ??? How to use the the Header parameter available in GUI_Download function .
-
How to use auto increment with "nchar" data type
Hello I have a table that I want the value in one column to be generated automatically with "T-XXX" pattern which "XXX" is a number. Can Microsoft SQL Server do that?
-
Edit custom task fields in Project Schedule
Is it possible to edit custom fields for a task in the project schedule in PWA? At this moment we are getting a message that we have to use Project Professional to make this change.
-
Can't get mail to go online with .Mac
For several months I am unable for several days at a time to retrieve mail from .Mac. Mail just won't take the account online. I get headers, but no mail. My other accounts work fine, as does web access. This was a problem with my G4 Powerbook, and n
-
Purchase Requestion for Third Party Sales Order
Hello Team I want the system to create Purchase Requisition automatically and some times Manually (Possible if both Option are available) for the Sales Order which belongs to Third Party. How to achieve this? Thanks Nick