topic Re: 802.1x Authentication in Endpoint Security

802.1x Authentication

AbelBurgos5029 — Tue, 23 Jun 2020 14:50:23 GMT

Hello,

I configured a 802.1x deployment using a Cisco 9300 Switch Stack IOS 16.8.1a, Cisco ISE IOS 2.6.156 and Windows 10 workstations using windows supplicant software. The whole thing works... The supplicant is able to authenticate the user credentials, which is authenticated by the ISE against the Policy sets I created, downloading the Dacl to the switch port and granting access to the network. So the things I want to happen is happening....

Here is the problem:

In order for all this to happen, I have to bring the switch port down and up (shut, no shut)... If I dont reset the switchport, the supplicant would keep trying to authenticate until it times out. It is not until I manually reset the port that it finally authenticates.

Any ideas on what the problem might be?

Thanks in advance.

Re: 802.1x Authentication

balaji.bandi — Tue, 23 Jun 2020 14:57:02 GMT

Can you post the switch port configuraiton where you making shut and no shut ?

Re: 802.1x Authentication

AbelBurgos5029 — Tue, 23 Jun 2020 16:58:08 GMT

Hi,

I have the following config in the port:

#authentication open

#auth order dot1x

#auth priority dot1x

#dot1x pae authenticator

#Access-list PRE-AUTH in (allowing ICMP, DNS, etc)

#dot1x port-auth control auto

Re: 802.1x Authentication

Rob Ingram — Tue, 23 Jun 2020 17:43:16 GMT

Do you have aaa accounting configured?

Provide your full configuration

Re: 802.1x Authentication

AbelBurgos5029 — Tue, 23 Jun 2020 18:30:21 GMT

Here is my full aaa configuration:

aaa group server tacacs+ ISE

server name ______

aaa group server radius RADIUS-GROUP

server name ______

aaa authentication login default group tacacs+ local

aaa authentication login VTY group ISE local

aaa authentication login console local

aaa authentication dot1x default group RADIUS-GROUP

aaa authorization exec default group tacacs+ local

aaa authorizartion network default group RADIUS-GROUP

aaa accounting dot1x default start-stop group RADIUS-GROUP

aaa accounting exec default start-stop group tacacs+

aaa accounting command 1 default start-stop group tacacs+

aaa accounting command 15 default start-stop group tacacs+

aaa login success-track-conf-time-24

aaa session-id common

ip http authentication aaa

Please let me know if you see something wrong... Thanks

Re: 802.1x Authentication

Rob Ingram — Tue, 23 Jun 2020 18:44:10 GMT

Add the following:-

aaa accounting update newinfo
aaa accounting auth-proxy default start-stop group RADIUS-GROUP
aaa accounting dot1x default start-stop group RADIUS-GROUP

Check the output of the interface AFTER you have logged off the computer and ensure there is no session

show authentication session interface X

Re: 802.1x Authentication

AbelBurgos5029 — Tue, 23 Jun 2020 20:19:33 GMT

No luck with that. Any other ideas?

Thanks

Re: 802.1x Authentication

Rob Ingram — Tue, 23 Jun 2020 20:38:19 GMT

Post the output of the show command I provided of the interface when a computer has authenticated and after it has logged off.

Provide the full configuration of the interface

Turn on radius debug, logoff the computer and provide the output

Re: 802.1x Authentication

balaji.bandi — Tue, 23 Jun 2020 21:06:19 GMT

I would prefer to see full interface config

show run interface gi x/x