topic Re: MAB based Voice Vlan authorization in case of ISE failure in Network Access Control

MAB based Voice Vlan authorization in case of ISE failure

Ditter — Fri, 28 Dec 2018 14:18:43 GMT

Hi to all,

i am concerned in case of ISE failure so i would like to make sure that IP phones (MAB based) will continue to operate.

So my config is as follows:

interface GigabitEthernet4/23
description VoIP-Tests
switchport access vlan 100
switchport mode access
switchport voice vlan 90
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security aging static
logging event link-status
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
end

Although the Phone works OK while ISE is present when i remove ISE from the switch config , the phone does not get registered.

Am i missing any additional commands under interface config?

I also had the command "authentication server fail action next-method" under interface config but it did not make any difference so i removed it.

What follow are some debugs:

Dec 28 16:01:48: mab-ev(Gi4/23): Reauthenticating client 0x5600004D (0072.7826.3a1f)
Dec 28 16:01:48: mab-sm(Gi4/23): Received event 'MAB_REAUTHENTICATE' on handle 0x5600004D
Dec 28 16:01:48:     mab : during state mab_terminate, got event 2(mabReauthenticate)
Dec 28 16:01:48: @@@ mab : mab_terminate -> mab_authorizing
Dec 28 16:01:48: mab-ev(Gi4/23): Sending create new context event to EAP from MAB for 0x5600004D (0072.7826.3a1f)
Dec 28 16:01:48: mab-ev(Gi4/23): Starting MAC-AUTH-BYPASS for 0x5600004D (0072.7826.3a1f)
Dec 28 16:01:48: mab-ev(Gi4/23): MAB received an Access-Reject for 0x5600004D (0072.7826.3a1f)
Dec 28 16:01:48: %MAB-5-FAIL: Authentication failed for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:01:48: mab-ev(Gi4/23): MAB received an Access-Reject for 0x5600004D (0072.7826.3a1f)
Dec 28 16:01:48: %MAB-5-FAIL: Authentication failed for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:01:48: mab-ev(Gi4/23): Final EAP Fail pkt received by MAB
Dec 28 16:01:48: mab-sm(Gi4/23): Received event 'MAB_RESULT' on handle 0x5600004D
Dec 28 16:01:48:     mab : during state mab_authorizing, got event 5(mabResult)
Dec 28 16:01:48: @@@ mab : mab_authorizing -> mab_terminate
Dec 28 16:01:48: mab-ev(Gi4/23): Deleted credentials profile for 0x5600004D (dot1x_mac_auth_007278263a1f)
Dec 28 16:01:48: mab-ev(Gi4/23): Sending event (2) to AuthMGR for 0072.7826.3a1f
Dec 28 16:01:48: mab-sm(Gi4/23): Received event 'MAB_RESULT' on handle 0x5600004D
Dec 28 16:01:48:     mab : during state mab_terminate, got event 5(mabResult) (ignored)
Dec 28 16:01:48: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:01:48: %AUTHMGR-5-FAIL: Authorization failed for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:02:00: AAA/BIND(00019775): Bind i/f
Dec 28 16:02:00: AAA/AUTHEN/LOGIN (00019775): Pick method list 'default'
Dec 28 16:02:06: AAA/AUTHOR (0x19775): Pick method list 'default'
Dec 28 16:02:06: AAA/AUTHOR/EXEC(00019775): processing AV cmd=
Dec 28 16:02:06: AAA/AUTHOR/EXEC(00019775): processing AV priv-lvl=15
Dec 28 16:02:06: AAA/AUTHOR/EXEC(00019775): Authorization successful
Dec 28 16:02:49: mab-ev(Gi4/23): Reauthenticating client 0x5600004D (0072.7826.3a1f)
Dec 28 16:02:49: mab-sm(Gi4/23): Received event 'MAB_REAUTHENTICATE' on handle 0x5600004D
Dec 28 16:02:49:     mab : during state mab_terminate, got event 2(mabReauthenticate)
Dec 28 16:02:49: @@@ mab : mab_terminate -> mab_authorizing
Dec 28 16:02:49: mab-ev(Gi4/23): Sending create new context event to EAP from MAB for 0x5600004D (0072.7826.3a1f)
Dec 28 16:02:49: mab-ev(Gi4/23): Starting MAC-AUTH-BYPASS for 0x5600004D (0072.7826.3a1f)
Dec 28 16:02:49: mab-ev(Gi4/23): MAB received an Access-Reject for 0x5600004D (0072.7826.3a1f)
Dec 28 16:02:49: %MAB-5-FAIL: Authentication failed for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:02:49: mab-ev(Gi4/23): MAB received an Access-Reject for 0x5600004D (0072.7826.3a1f)
Dec 28 16:02:49: %MAB-5-FAIL: Authentication failed for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:02:49: mab-ev(Gi4/23): Final EAP Fail pkt received by MAB
Dec 28 16:02:49: mab-sm(Gi4/23): Received event 'MAB_RESULT' on handle 0x5600004D
Dec 28 16:02:49:     mab : during state mab_authorizing, got event 5(mabResult)
Dec 28 16:02:49: @@@ mab : mab_authorizing -> mab_terminate
Dec 28 16:02:49: mab-ev(Gi4/23): Deleted credentials profile for 0x5600004D (dot1x_mac_auth_007278263a1f)
Dec 28 16:02:49: mab-ev(Gi4/23): Sending event (2) to AuthMGR for 0072.7826.3a1f
Dec 28 16:02:49: mab-sm(Gi4/23): Received event 'MAB_RESULT' on handle 0x5600004D
Dec 28 16:02:49:     mab : during state mab_terminate, got event 5(mabResult) (ignored)
Dec 28 16:02:49: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:02:49: %AUTHMGR-5-FAIL: Authorization failed for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:02:50: RADIUS/ENCODE(000193FB):Orig. component type = DOT1X
Dec 28 16:02:50: RADIUS(000193FB): Config NAS IP: 0.0.0.0
Dec 28 16:02:50: RADIUS(000193FB): sending
Dec 28 16:02:50: RADIUS/DECODE: parse response no app start; FAIL
Dec 28 16:02:50: RADIUS/DECODE: parse response; FAIL

Thank you,

Ditter.

Re: MAB based Voice Vlan authorization in case of ISE failure

Rob Ingram — Fri, 28 Dec 2018 14:49:17 GMT

Hi,
I've no idea what the outcome would be by removing the dot1x configuration on an interface in order to simulate ISE failure, it's probably not a actual valid test.

A better way to simulate ISE failure which I've used for NRFU testing previously, was to ensure that the switch reports that RADIUS servers are dead by adding a static null route to the RADIUS servers, meaning the switch won't route traffic to the ISE server. Wait for the output of "show aaa server" to report the RADIUS servers are dead and then plugin the phone. The phone should be authorized due to the command "authentication event server dead action authorize voice" you have configured.

HTH

Re: MAB based Voice Vlan authorization in case of ISE failure

Rob Ingram — Fri, 28 Dec 2018 14:50:04 GMT

Also it's not recommended (by Cisco) to use port-security on the same interface you've configured dot1x.

Re: MAB based Voice Vlan authorization in case of ISE failure

mnagired — Fri, 28 Dec 2018 17:26:21 GMT

Hi Ditter,

1.You have all the required configs for Critical authentication to work, i would recommend to add the below CLI as part of best practice configuration..

authentication control-direction in

authentication event server alive action reinitialize

2. Yes, can you confirm the way you failing reachability to ISE?? Your debug do show "Authentication result 'server dead'" which is a good sign but i would like to understand the way its done..

3. Yes, its not recommended to use port- security with dot1x as its not compatible ..

Re: MAB based Voice Vlan authorization in case of ISE failure

Ditter — Tue, 01 Jan 2019 17:11:23 GMT

Thanks RJI,

can you please elaborate why in your opinion , what is a reason why port-security would interfear with MAB?

In addition , if i remove port-security from the phone interface how can i limit the amount of MAC addresses to (for example) 5 or 10?

Re: MAB based Voice Vlan authorization in case of ISE failure

Ditter — Tue, 01 Jan 2019 17:30:11 GMT

Hi Mnagired,

1. Yes i added the two commands you mentioned but nothing changed.

2. The way i "simulated" the lack of connection to ISE was simply to do a

"no radius-server host <ip address> auth-port 1812 acct-port 1813 key abcdef

What worries me is that when i do "sh authentication sessions interface gigabitEthernet 4/23"

it mentions that the domain is DATA but is should be voice....

            Interface: GigabitEthernet4/23
          MAC Address: 0072.7826.3a1f
           IP Address: 10.10.224.27
               Status: Authz Failed
               Domain: DATA <------ Shouldn't this be voice ?
       Oper host mode: multi-auth
     Oper control dir: in
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 00000000000003845C018D25
      Acct Session ID: 0x00019772
               Handle: 0xB2000385

Runnable methods list:
       Method   State
       mab      Authc Failed

Critical Authorization is in effect for domain(s) VOICE

Finally when i re-enable the Radius server on the switch , immediatelly the phone comes on-line

sh authentication sessions interface gigabitEthernet 4/23
            Interface: GigabitEthernet4/23
          MAC Address: 0072.7826.3a1f
           IP Address: 10.10.224.27
            User-Name: 00-72-78-26-3A-1F
               Status: Authz Success
               Domain: VOICE   <---   And in the correct domain
       Oper host mode: multi-auth
     Oper control dir: in
        Authorized By: Authentication Server
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 000000000000038A71740833
      Acct Session ID: 0x0001990C
               Handle: 0x8C00038B

Runnable methods list:
       Method   State
       mab      Authc Success

Any ideas what could be wrong?

Thanks,

Ditter.

Re: MAB based Voice Vlan authorization in case of ISE failure

Rob Ingram — Tue, 01 Jan 2019 18:15:50 GMT

Hi Ditter,

It's not my opinion, but rather a Cisco recommendation not to use 802.1x and Port Security. More information here:- Deployment guide and forum post.

Do you really envisage having more than 2 devices (1 data (pc/laptop) and 1 voice) per interface? multi-domain would cover that scenario.

Re: MAB based Voice Vlan authorization in case of ISE failure

Ditter — Tue, 01 Jan 2019 19:58:18 GMT

Thanks RJI,

yes i need multi-auth instead of multi-domain as there are cases where the users install a small switch (or running hypervisors) in their PCs , so i need multi-auth to be present to switch ports.

Ditter.

Re: MAB based Voice Vlan authorization in case of ISE failure

thomas — Wed, 02 Jan 2019 17:39:15 GMT

Please review our ISE Secure Wired Access Prescriptive Deployment Guide for many of your questions.

Do not use Port Security with 802.1X - these are 2 completely different processes for controlling the port. This is mentioned under Switch Configuration for Closed Mode > MAC Limits.

Critical Voice VLAN is mentioned in Switch Configuration for Closed Mode > Critical Authentication.

Re: MAB based Voice Vlan authorization in case of ISE failure

Ditter — Fri, 04 Jan 2019 13:23:59 GMT

Hi to all,

having looked in the document "ISE-secure-wired-access-prescriptive-deployment-guide" i did not find why MAB is not compatible with port security. If you recall in the config i sent you in relation to voice vlan problem after radius server was dead , i do not utilize 802.1x for the phones but MAB (not all my cisco phones support 802.1.x supplicants).

All of you, mentioned that 802.1x is not compatible with port-security and this is also mentioned in the above mentioned document but is also MAB incompatible with port-security? MAB is not 802.1x so i suppose that it can coexist in an interface config with port-security being present. Correct?

Thanks,

Ditter.

Re: MAB based Voice Vlan authorization in case of ISE failure

mnagired — Fri, 04 Jan 2019 17:03:32 GMT

Hello Ditter,

dot1x pae authenticator -- this commend enables dot1x on the port and by default port tries dot1x first before it falls back to MAB.. Again its a general recommendations..

WRT to simulating server failure, no radius-server host may not be the right way to do it. Can you simulate this on the layer above( may be disconnecting the uplink or disabling routing between your access switch and distribution).. This is how i had verified and it worked.

Regards

Mahesh N

Re: MAB based Voice Vlan authorization in case of ISE failure

Ditter — Wed, 09 Jan 2019 10:48:04 GMT

Hi Mnagired,

finally i have some good results and i would like to share it with all.

The steps i followed are :

1. Firstly i manipulated the routing (static entries to null0) in order to simulate radius-dead (instead of just negating the radius command in the switch itself). Result : Nothing Changed

2.I negated all port security commands in order to be consistent with Cisco Recommendations and the guide you shared. Result : Nothing Changed

Finally what made the difference was to remove the command : authentication event server dead action authorize

When i removed the above mentioned command the phone came up online.

sh authentication sessions interface gigabitEthernet 4/23
            Interface: GigabitEthernet4/23
          MAC Address: 0072.7826.3a1f
           IP Address: 10.10.224.27
               Status: Authz Failed
               Domain: DATA
       Oper host mode: multi-auth
     Oper control dir: in
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 00000000000003D29917AC99
      Acct Session ID: 0x00019C40
               Handle: 0xE00003D3

Runnable methods list:
       Method   State
       mab      Authc Failed

Critical Authorization is in effect for domain(s) VOICE <-------   Here shows that the phone is registered in the voice domain although the command shows the following:

sh authentication sessions

Interface MAC Address Method Domain Status Session ID
Gi4/23 0072.7826.3a1f mab DATA Authz Failed 00000000000003D29917AC99 <------ Here it shows that

the Phone MAC address is in the DATA domain but it is seems that it is a bogus output as the command sh authentication sessions interface gigabitEthernet 4/23 shows that the phone is critical authorized in the VOICE domain:

Critical Authorization is in effect for domain(s) VOICE

Any ideas about this inconsistency between these two show commands?

The working interface commands are the following:

interface GigabitEthernet4/23
description VoIP-Tests
switchport access vlan 100
switchport mode access
switchport voice vlan 90
switchport port-security maximum 5
switchport port-security
switchport port-security aging time 5
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security aging static
logging event link-status
authentication control-direction in
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
end

Thanks,

Ditter.

Re: MAB based Voice Vlan authorization in case of ISE failure

rmotzer — Fri, 22 Mar 2019 21:17:39 GMT

No one has commented on the output behavior, showing the wrong domain (eg: DATA Domain for phones)

Is seems even the complete opposite is bugged:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh58593

When there is not even a phone/voice domain client...

@Ditter wrote:
Hi Mnagired,

the Phone MAC address is in the DATA domain but it is seems that it is a bogus output