topic Re: Authorization Pending in Network Access Control

Authorization Pending

s1nsp4wn — Fri, 18 Oct 2019 18:41:23 GMT

Hello

I'm running ISE 2.4 and I'm trying to get NAC via dot1x/radius working. I have a NX-OS 9K switch in my network devices with correct radius key. I also have a default policy set to accept dotx wired users and allow them to do anything. On the switch I have aaa setup to use ISE as a radius server and I've confirmed reachability. I've also enabled dot1x on a test port I have a laptop connected to. When I connect I get 'authorization pending' and see nothing else in show dot1x all or show radius. I see nothing in ISE's radius logs so I assume I'm not even talking to it. What else can I check? I followed directions below:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-

OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_0100.html

Switch configs:

feature dot1x
radius-server host 1.3.5.7 key 7 "x" authentication accounting timeout 5 retransmit 3
radius-server host 2.4.6.8 key 7 "x" authentication accounting timeout 5 retransmit 3
aaa group server radius MuhISE
server 1.3.5.7
server 2.4.6.8
source-interface mgmt0
!
dot1x radius-accounting
dot1x radius-accounting
dot1x system-auth-control
!
ip access-list ALLOW-ALL
10 permit ip any any
!
aaa authentication dot1x default group MuhISE
aaa accounting dot1x default group MuhISE
aaa authentication login error-enable
!
interface Ethernet1/1
ip access-group ALLOW-ALL in
switchport
dot1x pae authenticator
dot1x port-control auto
dot1x re-authentication
dot1x timeout tx-period 10
switchport access vlan 666
spanning-tree port type edge
spanning-tree bpduguard enable
mtu 9216
no shutdown

ISE Configs:

network devices - nexus switch above added using mgmt0 interface in vrf

policy (radius = 802.1x)

authentication (wired mab and default both look in all stores0

authorization (wired mab and default both allow all)

Re: Authorization Pending

Damien Miller — Fri, 18 Oct 2019 19:23:35 GMT

This is not something I have gone down the path of configuring, I have only leveraged ISE with TrustSec functionality on Nexus. Maybe others will have direct 802.1x/Nexus experience.

However, I wanted to add that you're entering very rare territory trying to use access layer 802.1x features on Nexus. I understand that there is a Nexus 802.1x configuration section within the command guide, but Nexus isn't even listed within the Cisco validated ISE compatibility matrix. This would leave me questioning how well things have been tested before even starting.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html

Re: Authorization Pending

s1nsp4wn — Fri, 18 Oct 2019 19:25:21 GMT

Hi Damien,

What would you suggest for a NAC solution using NX-OS 9Ks as access switches and ISE as a radius server?

Re: Authorization Pending

Jason Kunst — Mon, 21 Oct 2019 10:42:41 GMT

ISE is the NAC solution, nothing else to propose. these aren't access switches..