<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: CPL Template MAB/Dot1x Simultaneously in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3856144#M488010</link>
    <description>&lt;P&gt;The failed attempts in the bug are not due to an access-reject in policy; rather, it is due to ISE considering the subsequent request as a continuation of the initial authentication and ISE sending back a reject. This should not be the case, as the subsequent authentication is 802.1X and not part of the initial authentication, which is the MAB request, and we will work on addressing this in the future. I understand that certain setups are working without issues, but we do see issues in the field, thus the defect.&lt;/P&gt;</description>
    <pubDate>Tue, 14 May 2019 16:38:02 GMT</pubDate>
    <dc:creator>howon</dc:creator>
    <dc:date>2019-05-14T16:38:02Z</dc:date>
    <item>
      <title>CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3749539#M487997</link>
      <description>&lt;P&gt;One of the advantages of using the CPL (IBNS 2.0) style template is you have the option to run MAB and Dot1x simultaneously.&amp;nbsp; This means closed mode is not as detrimental to MAB devices or you can do VLAN moves in open mode without the worry of devices getting an IP on the original VLAN.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have had Cisco Advanced Services tell some of my customers "We don't recommend doing MAB and Dot1x at the same time because we have seen issues."&amp;nbsp; I like generic descriptions like that.&amp;nbsp; When I had the customer press AS for what issues, the only thing they came back with is that it adds extra load to ISE.&amp;nbsp; Yes, there is extra load because all Dot1x sessions will have a MAB authentication, but I have deployments doing 100k+ active authentications using all CPL switch templates with no issues.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am just checking to see if others are running MAB and Dot1x simultaneously and what their experience has been.&amp;nbsp; Our standard is to run them simultaneously at our customers and we haven't had a reason to change it.&lt;/P&gt;</description>
      <pubDate>Mon, 19 Nov 2018 20:17:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3749539#M487997</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2018-11-19T20:17:07Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3764472#M487998</link>
      <description>&lt;P&gt;ISE is expecting the auth is either MAB or DOT1X at a time but not currently supporting concurrent MAB + DOT1X.&lt;/P&gt;</description>
      <pubDate>Sun, 16 Dec 2018 04:53:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3764472#M487998</guid>
      <dc:creator>hslai</dc:creator>
      <dc:date>2018-12-16T04:53:27Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3765809#M487999</link>
      <description>Hsing,&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;ISE shouldn't care either way or honestly have knowledge of what is happening on the switch side.  ISE is processing authentications.  It is up to the switch config to determine how to treat both authentications.  If you look at one of the first CPL publications out there:&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;A href="https://cisco-marketing.hosted.jivesoftware.com/servlet/JiveServlet/previewBody/68174-102-1-125094/How-To_13_Universal_3850_Wired_CPL_Config.pdf" target="_blank"&gt;https://cisco-marketing.hosted.jivesoftware.com/servlet/JiveServlet/previewBody/68174-102-1-125094/How-To_13_Universal_3850_Wired_CPL_Config.pdf&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Hosuk is doing MAB and Dot1x simultaneously.  We have many customers doing this without issue.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Tue, 18 Dec 2018 13:38:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3765809#M487999</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2018-12-18T13:38:13Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3765817#M488000</link>
      <description>Also in the same document Hosuk lays out the justification quite well:&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;"There are many benefits to the new syntax, but most notably is the fact that 802.1x and MAB can run simultaneously without having to sequence the two distinctive authentication process whereby 802.1X authentication has to be failed for MAB to start and secondly use of service templates to control preconfigured ACL on the interface in the event of RADIUS not being available. With the legacy platforms, sequencing of 802.1X and MAB resulted in certain MAB endpoints not being able to get IP address in timely manner. By processing 802.1X and MAB simultaneously, the endpoint can get DHCP assigned IP address in timely manner."&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;This feature is one of the main driving features of CPL in our minds.  Yes it adds more load in ISE, but honestly MAB authentications shouldn't be placing much load on ISE in the first place.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Tue, 18 Dec 2018 13:44:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3765817#M488000</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2018-12-18T13:44:14Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3766020#M488001</link>
      <description>&lt;P&gt;The devil is in the detail. ISE used to try doing like that and caused issues internally. I quoted this enhancement CSCuy05270&amp;nbsp;in the other&amp;nbsp;thread.&lt;/P&gt;</description>
      <pubDate>Tue, 18 Dec 2018 17:04:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3766020#M488001</guid>
      <dc:creator>hslai</dc:creator>
      <dc:date>2018-12-18T17:04:59Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3766032#M488002</link>
      <description>Hsing,&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;We have probably between 500k and 1 million ports running CPL with MAB and Dot1x simultaneously.  I haven't seen the issue you described in this enhancement.  MAB happens first because it takes longer for the switch to start the Dot1x process with the client.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Tue, 18 Dec 2018 17:15:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3766032#M488002</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2018-12-18T17:15:13Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3821938#M488003</link>
      <description>&lt;P&gt;Hi Paul,&lt;/P&gt;
&lt;P&gt;Sorry for replying to this old topic, but I find it interesting since I am currently labbing IBNS v2.0 to see if we implement it in our production environment. Specifically for this Concurrent Auth. advantage to prevent DHCP and PXE timeouts and possible use of IPv6 in the near future.&lt;/P&gt;
&lt;P&gt;I see that you provide positive feedback so far for CPL.&lt;/P&gt;
&lt;P&gt;Could you please share a best practice SW configuration for this, including the AAA down scenario?&lt;/P&gt;
&lt;P&gt;So far I noticed that even if I see the port authentication with the sh access-session cmd, it takes around 20 sec to be able to ping the endpoint.&lt;/P&gt;
&lt;P&gt;I also noticed that in case Dot1x fails, let's say because the endpoint is still not provisioned via PXE the first time, we still have to wait for the (dot1x timeout tx-period x (max-reauth-req + 1)) countdown to consider dot1x failed!&lt;/P&gt;
&lt;P&gt;Please advise&lt;/P&gt;
&lt;P&gt;Many thanks in advance&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 19 Mar 2019 12:17:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3821938#M488003</guid>
      <dc:creator>bern81</dc:creator>
      <dc:date>2019-03-19T12:17:45Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3821946#M488004</link>
      <description>&lt;P&gt;IBNS 2.0 document doesn't do simultaneous MAB/Dot1x.&amp;nbsp; This is our top section of the policy:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;event session-started match-all&lt;BR /&gt;10 class always do-all&lt;BR /&gt;10 authenticate using dot1x priority 10&lt;BR /&gt;20 authenticate using mab priority 20&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The rest is similar to IBNS 2.0.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 19 Mar 2019 12:29:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3821946#M488004</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2019-03-19T12:29:56Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3850305#M488005</link>
      <description>&lt;P&gt;Hello Paul&lt;/P&gt;&lt;P&gt;Could you please share the ISE version &amp;amp; HW/SW on the switches?&lt;/P&gt;&lt;P&gt;Meanwhile, answering your original Q (I know it's not quite timely :0), we have a problem on the switch side (worth noting we are using ISE 1.4 though):&lt;/P&gt;&lt;P&gt;&lt;A href="https://community.cisco.com/t5/policy-and-access/ibns-2-0-fuji-16-9-3-mab-is-being-removed-from-inf-template-amp/m-p/3848916#M73050" target="_blank"&gt;https://community.cisco.com/t5/policy-and-access/ibns-2-0-fuji-16-9-3-mab-is-being-removed-from-inf-template-amp/m-p/3848916#M73050&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 04 May 2019 16:28:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3850305#M488005</guid>
      <dc:creator>Andrii Oliinyk</dc:creator>
      <dc:date>2019-05-04T16:28:27Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3854522#M488006</link>
      <description>&lt;P&gt;Let me repeat again. This is &lt;FONT color="#FF0000"&gt;&lt;STRONG&gt;NOT&lt;/STRONG&gt;&lt;/FONT&gt; currently supported by any shipping ISE releases.&lt;/P&gt;
&lt;P&gt;Thus, if it ever causes any issue, you will have to reconfigure the switches to disable simultaneous MAB/DOT1X.&lt;/P&gt;</description>
      <pubDate>Sun, 12 May 2019 03:46:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3854522#M488006</guid>
      <dc:creator>hslai</dc:creator>
      <dc:date>2019-05-12T03:46:59Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3854983#M488007</link>
      <description>Hsing,&lt;BR /&gt;&lt;BR /&gt;We can take this offline as well.  We have probably ½ million switch ports running with no issues with simultaneous MAB/Dot1x.  If the BU is now going to say this is not supported, even though the original CPL documents put out by Cisco referenced this as one of the benefits of the CPL template, then the BU also needs to say "order mab dot1x" is no longer supported on the legacy template, even though 1000s of customers probably have deployed that order since it has been a supported setup since ISE 1.0.&lt;BR /&gt;&lt;BR /&gt;"order mab dot1x" behaves almost identically to simultaneous MAB/Dot1x, doesn't it?  As soon as the MAC address is learned by the switch, the switch will run a MAB transaction.  When the attaching device sends out an EAPOL Start, a Dot1x transaction will be run as well and the switch will prefer the Dot1x transaction because of "priority dot1x mab".   So in ISE you see a MAB transaction followed by a Dot1x transaction, which is the same thing you see when doing simultaneous MAB/Dot1x.  ISE and the switch have had no problems keeping that logic separate for years.   Why is this an issue now?&lt;BR /&gt;</description>
      <pubDate>Mon, 13 May 2019 12:28:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3854983#M488007</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2019-05-13T12:28:00Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3856079#M488008</link>
      <description>&lt;P&gt;Paul, you raise a good point regarding the similarity between MAB &amp;gt; 802.1X ordering and concurrent authentication. I have not dug deep into the details, but I suspect this is related to the completion of the MAB authentication request that determines whether the network device is mis-behaving and ignoring one of the requests. In the case of MAB &amp;gt; 802.1X, the switch doesn’t process the EAPoL-start from the endpoint until the MAB is completed, whereas with concurrent authentication, the switch processes the EAPoL start concurrently with the MAB request and ISE ends up receiving two authentication requests in a short period. If ISE was able to respond to the MAB request before the EAP authentication request reaches ISE then you would not see any issues, and I suspect that this is generally what happens as your customers are not having any issues. However, if ISE isn’t able to respond to the MAB request before it gets the EAP request, this is where the problem in CSCuy05270 comes into play.&lt;BR /&gt;Cisco switches are set up to provide the same session ID for both the MAB and 802.1X request. When ISE receives multiple authentication requests in a short period, ISE is designed to drop one of the requests as both contain the same session ID. This was one of the protections that we put into ISE to limit the impact of mis-behaving network devices in the past. It allowed ISE to scale better even with issues that were present on some of the network devices.&lt;BR /&gt;Due to the potential issues, this is not a supported configuration, but we do see that there is good value in supporting this for our customers. We’ve already raised this with the PM team and hope to resolve this issue in the near future.&lt;/P&gt;</description>
      <pubDate>Tue, 14 May 2019 15:35:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3856079#M488008</guid>
      <dc:creator>howon</dc:creator>
      <dc:date>2019-05-14T15:35:54Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3856083#M488009</link>
      <description>The bug references suppression and multiple failed attempts.  If your wired setup is built correctly (in my opinion) you should never be doing an Access-Reject in a wired MAB result.  That is probably why we have never seen an issue with this.  None of our installs since almost the start of ISE have ever done an Access-Reject on a MAB result.  I can list multiple reasons why you shouldn't do a reject for a MAB result, but that is for a different conversation.&lt;BR /&gt;&lt;BR /&gt;Can we at least get the BU to state that if you aren't doing MAB Access-Rejects then simultaneous MAB/Dot1x is supported?  Like I said, we have ½ million ports (probably more) doing this with our best practice config and no issues.&lt;BR /&gt;</description>
      <pubDate>Tue, 14 May 2019 15:46:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3856083#M488009</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2019-05-14T15:46:10Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3856144#M488010</link>
      <description>&lt;P&gt;The failed attempts in the bug are not due to an access-reject in policy; rather, it is due to ISE considering the subsequent request as a continuation of the initial authentication and ISE sending back a reject. This should not be the case, as the subsequent authentication is 802.1X and not part of the initial authentication, which is the MAB request, and we will work on addressing this in the future. I understand that certain setups are working without issues, but we do see issues in the field, thus the defect.&lt;/P&gt;</description>
      <pubDate>Tue, 14 May 2019 16:38:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3856144#M488010</guid>
      <dc:creator>howon</dc:creator>
      <dc:date>2019-05-14T16:38:02Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3856171#M488011</link>
      <description>Ahh, that makes sense.  Just to give you some numbers to think about.  I took a look at my largest deployment running simultaneous MAB/Dot1x.  We are at 133,000 active connections and over 800k endpoints in our database. Our policy sets are properly built out so that each use case has its own policy set (wired MAB, wired Dot1x, each SSID, each VPN group etc.).  Wired MAB is properly placed near the top of the policy set order.&lt;BR /&gt;&lt;BR /&gt;If I look at our MAB transactions, they are finishing between 40-60 ms.  The Dot1x authentication is happening 150-300 ms after the MAB transaction.    My MAB transactions would have to slow down 3-5 times before I even start to approach my Dot1x authentication start times.  In the customers you have seen this issue with, have you validated that they have properly built policy sets?&lt;BR /&gt;</description>
      <pubDate>Tue, 14 May 2019 17:19:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3856171#M488011</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2019-05-14T17:19:10Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3859387#M488012</link>
      <description>&lt;P&gt;Paul, thanks for the data points. Will let you know of any findings.&lt;/P&gt;</description>
      <pubDate>Mon, 20 May 2019 13:55:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3859387#M488012</guid>
      <dc:creator>howon</dc:creator>
      <dc:date>2019-05-20T13:55:40Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3951432#M488013</link>
      <description>&lt;P&gt;I would add that Meraki has an option for hybrid auth and explains that this option sends both mab and dot1x at the same time.&amp;nbsp; If the BU isn't supporting this, you need to talk to the Meraki team about removing the hybrid auth option.&amp;nbsp; I have done a lot of testing and noticed the mab request always lands on ISE first as the switch is negotiating dot1x with the client; I have not been able to reproduce any issues on ISE when doing MAB/Dot1x at the same time.&amp;nbsp; I have played with decreasing dot1x timers to replicate this but be more in line with what Cisco supports.&amp;nbsp; Setting dot1x timer tx-period 3 and the retry to 1, or even tx-period to 1 and retry to 1, allows the failover to mab to work quickly.&amp;nbsp; I use the event agent-found to re-start dot1x if we failed and mab succeeded.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;event session-started match-all&lt;BR /&gt;&amp;nbsp; 10 class always do-until-failure&lt;BR /&gt;&amp;nbsp;&amp;nbsp; 10 authenticate using dot1x retries 2 retry-time 0 priority 10&lt;BR /&gt;&amp;nbsp;event authentication-failure match-first&lt;BR /&gt;&amp;nbsp; 10 class DOT1X_FAILED do-until-failure&lt;BR /&gt;&amp;nbsp;&amp;nbsp; 10 terminate dot1x&lt;BR /&gt;&amp;nbsp;&amp;nbsp; 20 authenticate using mab priority 20&lt;/P&gt;&lt;P&gt;event agent-found match-all&lt;BR /&gt;&amp;nbsp; 10 class always do-until-failure&lt;BR /&gt;&amp;nbsp;&amp;nbsp; 10 terminate mab&lt;BR /&gt;&amp;nbsp;&amp;nbsp; 20 authenticate using dot1x retries 2 retry-time 0 priority 10&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This should provide the same result as running them both at the same time and takes care of clients that are not ready to answer the switch eapol start at boot time.&lt;/P&gt;</description>
      <pubDate>Thu, 31 Oct 2019 21:01:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3951432#M488013</guid>
      <dc:creator>chris_day</dc:creator>
      <dc:date>2019-10-31T21:01:56Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3951674#M488015</link>
      <description>&lt;P&gt;Hello Chris&lt;/P&gt;&lt;P&gt;Unless you intentionally didn't show the full config of "class always", shouldn't it look similar to below for the concurrent .1x &amp;amp; mab authen? Specifically, it's about the appearance of 2 "authenticate" statements, one for each method?&lt;/P&gt;&lt;P&gt;10 class always do-until-failure&lt;BR /&gt;&amp;nbsp; &amp;nbsp;10 authenticate using mab aaa authc-list PSN-FOR-MAB authz-list PSN-FOR-MAB priority 20&lt;BR /&gt;&amp;nbsp; &amp;nbsp;20 authenticate using dot1x aaa authc-list PSN-FOR-DOT1X authz-list PSN-FOR-DOT1X priority 10&lt;/P&gt;</description>
      <pubDate>Fri, 01 Nov 2019 10:52:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3951674#M488015</guid>
      <dc:creator>Andrii Oliinyk</dc:creator>
      <dc:date>2019-11-01T10:52:55Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3952167#M488017</link>
      <description>&lt;P&gt;I don't have all my config in the post, but the config you posted is the issue with this entire post.&amp;nbsp; Cisco says sending dot1x and mab at the same time is not supported, and Cisco ISE is designed to drop the session when multiple auths are seen at the same time from the same session.&amp;nbsp; To get the benefits of sending both at the same time, where we don't see issues around timeouts, my suggestion is to set the dot1x timeout tx-period to 1 or 3 and the retries to 1.&amp;nbsp; In the policy we run dot1x only, but on a dot1x fail we then run mab.&amp;nbsp; This configuration has worked well and allows computers that are in boot time and being woken up from a sleep timer to correctly join the network, as well as mab devices to never time out on DHCP requests.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I was doing what you have below, except normally the aaa auth dot1x default meets my requirements so I don't add a specified method to the policy map action, but it's doing the exact same thing.&amp;nbsp; I really find it useful in the lab where we have both ClearPass and ISE running and can utilize that approach to use both.&amp;nbsp; I have a few policy-maps and port templates that I use based on customer requirements, and some of them run mab and dot1x at the same time, and I have never ever had an issue, but as Cisco says ISE doesn't support it, an alternative method to accomplish the same thing is provided in my previous post.&lt;/P&gt;</description>
      <pubDate>Sat, 02 Nov 2019 22:58:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/3952167#M488017</guid>
      <dc:creator>chris_day</dc:creator>
      <dc:date>2019-11-02T22:58:51Z</dc:date>
    </item>
    <item>
      <title>Re: CPL Template MAB/Dot1x Simultaneously</title>
      <link>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/4001690#M488019</link>
      <description>&lt;P&gt;I am also using simultaneous dot1x and MAB, ever since it was advertised in the 2015 Cisco Live IBNS2 presentation, and I also see no issues with this. In our case MAB is always faster than EAP-TLS, but our policy gives dot1x higher priority so it always takes over the MAB result immediately. ISE correctly shows both authentications as separate; why wouldn't it?? I have seen no evidence for the claims above.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Having said that, we have had no end of issues with IBNS2 on various platforms since 3560X/4500E-Sup8 and now onto 9300 with 16.x. When I first started logging cases with TAC there was almost ZERO TAC knowledge and it was incredibly frustrating. We had one issue where Windows machines kept falling to Unauthorized after reauthentication and I ended up just dropping it as the support was so poor.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Several years on and we are still refining our policy, but do not have inactivity timers or reauthentication working properly, so they are disabled. The inactivity probes seem to have broken in 16.x and not been fixed.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Paul, are you able to share any details of your policies? I would be interested to see how you handle reauthentication. Ideally, once a host has authenticated with 802.1x we shouldn't need to reauthenticate with both MAB and dot1x.&lt;/P&gt;</description>
      <pubDate>Fri, 20 Dec 2019 05:04:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/m-p/4001690#M488019</guid>
      <dc:creator>franklinb</dc:creator>
      <dc:date>2019-12-20T05:04:34Z</dc:date>
    </item>
  </channel>
</rss>