topic Re: Client getting network access before Authentication in Network Access Control

Client getting network access before Authentication

nithinrs78901 — Sun, 25 Nov 2018 16:49:24 GMT

Hi Guys

Please help me to overcome one general issue from ISE Side. when we put ‘authentication open’ command in port configuration, all the endpoints are getting full access in the network in a certain period.

But we remove this command from port ,then Cisco IPphonesare not getting IP. We confirmed IP phones are getting authenticated and authorized in ISE.

Re: Client getting network access before Authentication

pan — Sun, 25 Nov 2018 17:01:12 GMT

Authentication open command will allow unrestricted Layer 2 access to the network even before any authentication has succeeded.

If ISE is authenticating and authorizing properly, then you need to check on the switch. Check the output of "show authentication session interface <>"

Have you configured dynamic authorization on switch?

Re: Client getting network access before Authentication

nithinrs78901 — Mon, 26 Nov 2018 12:41:01 GMT

Hi Pan,

thanks for your reply.Yes we had configured dynamic authorization on switch.

Plaese Find the sessin details from the siwth and port configuration

ACCESS-SW-01#sh authentication sessions interface GigabitEthernet2/0/43
            Interface: GigabitEthernet2/0/43
          MAC Address: 0021.55d4.xxxx
           IP Address: 192.18.69.39
            User-Name: 00-21-55-D4-xx-xx
               Status: Authz Success
               Domain: VOICE
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: multi-auth
     Oper control dir: both
        Authorized By: Authentication Server
              ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: AC12FA6500005BD3671A05BC
      Acct Session ID: 0x000063B8
               Handle: 0xED0005DE

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

interface GigabitEthernet2/0/43
description *****Connected to Users*****
switchport access vlan 107
switchport mode access
switchport voice vlan 269
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 10.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
end

Looking forward for your response

Re: Client getting network access before Authentication

pan — Mon, 26 Nov 2018 12:52:41 GMT

Change the order authentication order dot1x mab to authentication order mab dot1x do shut no shut

Then search for the mac address of the ip phone in live logs and check if there is anything failing there?

Share the output of "sh authentication sessions interface GigabitEthernet2/0/43" again.

What have you configured in "ip access-group ACL-ALLOW in" remove is and check.

Re: Client getting network access before Authentication

Martin Kling — Mon, 26 Nov 2018 13:13:29 GMT

You are using dot1x and then MAB with a tx period of 10 seconds. This will require 30 seconds before MAB occurs. How long is the DHCP time out on the phones? There are two alternatives to test/correct the issue; lower the tx-period or reverse dot1x/MAB sequence. To start I would lower the tx period to 6 seconds which is a setting that is working out in several different environments.

interface GigabitEthernet2/0/43

dot1x timeout tx-period 6

//Martin

Re: Client getting network access before Authentication

paul — Mon, 26 Nov 2018 13:10:50 GMT

I agree with Martin in trying to lower the tx-period first. In all my closed mode installs I have never had to reverse the order to "mab dot1x". There are ramifications to reversing the order. If you do order "mab dot1x" first you are requiring the OS to initiate Dot1x. Some OS versions (Macs are an example) are only responders to Dot1x.

Re: Client getting network access before Authentication

nithinrs78901 — Mon, 26 Nov 2018 16:58:17 GMT

Sure,I will do these changes and update you.

Re: Client getting network access before Authentication

nithinrs78901 — Mon, 03 Dec 2018 16:24:31 GMT

Hi Team,

I got a solution to overcome this issue.

I had removed 'authentication open' command from the port and added 'dot1x critical eapol' in global configuration.

with this changes , initial access was denyed and also IPPhones getting IP.

Thanks for your support