topic Re: ISE switch port dot1x policy map in Network Access Control

ISE switch port dot1x policy map

Madura Malwatte — Mon, 15 Apr 2019 11:28:06 GMT

Would appreciate it if someone could verify the switchport configuration I have for low impact mode. My switch is running denali release. Do you see any issues with the below policy-map and classes? Also what about service-template AUTH_SUCCESS, its empty?

service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
!
service-template CRITICAL_AUTH_ACCESS
vlan 100
!
service-template AUTH_SUCCESS
description Successful authentication
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
match result-type aaa-timeout
match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
match result-type aaa-timeout
match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
match activated-service-template CRITICAL_AUTH_ACCESS
match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
match activated-service-template CRITICAL_AUTH_ACCESS
match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE

!
!
policy-map type control subscriber DOT1X
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
20 authenticate using mab priority 20
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template CRITICAL_AUTH_ACCESS
20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
30 authorize
40 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event aaa-available match-all
10 class IN_CRITICAL_AUTH do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH do-until-failure
10 resume reauthentication
event authentication-success match-all
10 class always do-until-failure
10 activate service-template AUTH_SUCCESS
event violation match-all
10 class always do-until-failure
10 restrict

on the interface:

dot1x timeout tx-period 10
dot1x max-reauth-req 3

I tried to get as much as I could from the Wired Access Prescriptive Deployment Guide and the older one which I can't see to find online any longer. However there are some class config such as:

class-map type control subscriber match-all DOT1X

class-map type control subscriber match-all DOT1X_MEDIUM_PRIO

class-map type control subscriber match-all MAB

class-map type control subscriber match-all DOT1X_TIMEOUT

which are not used in the policy-map (refer to section Configuring and Understanding the IBNS 2.0 Policy in the above link). Are these required?

Re: ISE switch port dot1x policy map

Nadav — Mon, 15 Apr 2019 12:08:35 GMT

Hi,

You need to have the following global configurations:

dot1x system-auth-control
dot1x critical eapol

aaa group server radius ISE
 server name ISE01
 server name ISE02
 ip radius source-interface Vlan254
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE 
aaa accounting Identity default start-stop group ISE
aaa accounting update newinfo periodic 2880

Change the source-interface VLAN as necessary. You can also change the group name if you like.

As for the interface configurations, you'll need these in addition to what you've shared:

authentication periodic
authentication timer reauthenticate server / authentication timer reauthenticate <seconds>
access-session port-control auto

Any class-maps not used by IBNS are unnecessary. Sometimes there are some class-maps that can't be deleted, if that's the case then they are harmless.

Re: ISE switch port dot1x policy map

Madura Malwatte — Mon, 15 Apr 2019 14:12:05 GMT

Hi Nadav,

Thanks for the response. I have the rest of the config which should be fine. I was in particular interested in the class-maps and policy-map config.

What about service-template AUTH_SUCCESS, does something need to be configured in it?

Re: ISE switch port dot1x policy map

Nadav — Wed, 17 Apr 2019 07:07:29 GMT

Well, if you only leave it as a description it won't do anything. Unless you plan on using it for easier readability in debugging.

Re: ISE switch port dot1x policy map

Madura Malwatte — Wed, 17 Apr 2019 08:13:23 GMT

Ok, what needs to go in there? Hence this thread as to what I am missing.
Is there a config example for auth success? I couldnt find anything.

Re: ISE switch port dot1x policy map

Nadav — Wed, 17 Apr 2019 13:34:51 GMT

I'm not sure why you put it in there to begin with, if you're interested in working according to the prescriptive deployment guide you linked then you should be consistent.

There is an example of a policy-map there for port authentication, it didn't use any such service template.

The policy-map ended with:

event inactivity-timeout match-all
   10 class always do-until-failure
     10 clear-session
 event authentication-success match-all
 event violation match-all
   10 class always do-until-failure
     10 activate service-template 
          DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

You can change the policy-map to suit your needs. No need to add class-maps and service templates you have no intention on using.

Re: ISE switch port dot1x policy map

Madura Malwatte — Wed, 17 Apr 2019 14:55:49 GMT

The prescriptive guide has that service template under event authentication-success, its called "DEFAULT_LINKSEC_POLICY_SHOULD_SECURE", but there is no details on this service-template. And I could not find any reference on cisco or other documentation what is meant to be configured in this service-template. The comment next to it in the prescriptive just says "with successful authentication, activate service-template with full access". I have a pre-auth acl on my dot1x interfaces and access depends on what type of device has authenticated, where a dACL is pushed down or vlan change is done. Hence why its confusing what the authentication-success and its service-template (DEFAULT_LINKSEC_POLICY_SHOULD_SECURE) is meant to do??

The service-template on my config is just called a different name (AUTH_SUCCESS) instead of DEFAULT_LINKSEC_POLICY_SHOULD_SECURE.

Re: ISE switch port dot1x policy map

mnagired — Thu, 18 Apr 2019 23:04:01 GMT

1st, If you using ISE as your AAA server, Concurrent Authentication doesn’t work so having these two auth statement under event session-started doesn’t help..

event session-started match-all

10 class always do-until-failure

10 authenticate using dot1x retries 2 retry-time 0 priority 10

20 authenticate using mab priority 20

2. 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure..

For Low-Impact mode, you have a pre-auth ACL on interface, so just activating service template for Voice and Data Vlan doesn’t help, you need to have an service template to push “permit ip any any “ ..

3. Refer to the below configuration..

ip access-list extended IPV4_CRITICAL_AUTH_ACL

permit ip any any

service-template DefaultCriticalAccess_SRV_TEMPLATE

access-group IPV4_CRITICAL_AUTH_ACL

service-template DefaultCriticalAuthVlan_SRV_TEMPLATE

Vlan 100

service-template DefaultCriticalVoice_SRV_TEMPLATE

voice vlan

class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST

match authorization-status authorized

match result-type aaa-timeout

class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST

match authorization-status unauthorized

match result-type aaa-timeout

class-map type control subscriber match-all AUTHC_SUCCESS-AUTHZ_FAIL

match authorization-status unauthorized

match result-type success

class-map type control subscriber match-all DOT1X

match method dot1x

class-map type control subscriber match-all DOT1X_FAILED

match method dot1x

match result-type method dot1x authoritative

class-map type control subscriber match-all DOT1X_NO_RESP

match method dot1x

match result-type method dot1x agent-not-found

class-map type control subscriber match-all DOT1X_TIMEOUT

match method dot1x

match result-type method dot1x method-timeout

match result-type method-timeout

class-map type control subscriber match-any IN_CRITICAL_AUTH

match activated-service-template DefaultCriticalVoice_SRV_TEMPLATE

class-map type control subscriber match-any IN_CRITICAL_AUTH_CLOSED_MODE

match activated-service-template DefaultCriticalAuthVlan_SRV_TEMPLATE

match activated-service-template DefaultCriticalVoice_SRV_TEMPLATE

class-map type control subscriber match-all MAB

match method mab

class-map type control subscriber match-all MAB_FAILED

match method mab

match result-type method mab authoritative

class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH

match activated-service-template DefaultCriticalVoice_SRV_TEMPLATE

class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH_CLOSED_MODE

match activated-service-template DefaultCriticalAuthVlan_SRV_TEMPL

policy-map type control subscriber LowImpact-dot1X_MAB

event session-started match-all

10 class always do-until-failure

10 authenticate using dot1x retries 2 retry-time 0 priority 10

event authentication-failure match-first

5 class DOT1X_FAILED do-until-failure

10 terminate dot1x

20 authenticate using mab priority 20

10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure

10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE

20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE

25 activate service-template DefaultCriticalAccess_SRV_TEMPLATE

30 authorize

40 pause reauthentication

20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure

10 pause reauthentication

20 authorize

30 class DOT1X_NO_RESP do-until-failure

10 terminate dot1x

20 authenticate using mab priority 20

40 class MAB_FAILED do-until-failure

10 terminate mab

20 authentication-restart 60

60 class always do-until-failure

10 terminate dot1x

20 terminate mab

30 authentication-restart 60

event aaa-available match-all

10 class IN_CRITICAL_AUTH do-until-failure

10 clear-session

20 class NOT_IN_CRITICAL_AUTH do-until-failure

10 resume reauthentication

event agent-found match-all

10 class always do-until-failure

10 terminate mab

20 authenticate using dot1x retries 2 retry-time 0 priority 10

event inactivity-timeout match-all

10 class always do-until-failure

10 clear-session

event authentication-success match-all

event violation match-all

10 class always do-until-failure

10 restrict

event authorization-failure match-all

10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure

10 authentication-restart 60

I hope this helps..

Re: ISE switch port dot1x policy map

franklinb — Wed, 06 Nov 2019 03:16:58 GMT

@mnagired wrote:
1st, If you using ISE as your AAA server, Concurrent Authentication doesn’t work so having these two auth statement under event session-started doesn’t help..
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
20 authenticate using mab priority 20

This is not correct. We are using ISE 2.4 with IBNS2 policy and have been using concurrent authentication for several years. Most desktop PC's will pass authentication for MAB immediately with dot1x taking a few seconds longer sometimes. Given dot1x has a higher priority it will override the MAB auth.