topic Re: ISE shows auth passed but switch unauth in Network Access Control

ISE shows auth passed but switch unauth

jayage — Mon, 10 Sep 2018 11:45:47 GMT

Hi guys,

we got a strange situation where ISE shows Accesspoints (2702 / PAC provisioned) as authenticated but the switch (mainly cat3650 / 16.3.6) does not. We do have the same issue on different switches, also on 9300 with 16.6.3. I compared switch dot1x session ID with audit session ID in ISE, excactly the same. Might we hit a bug or is there something other wrong? We're using ISE internal user for the AP supplicant. APs are controller based, controller version is 8.3.140.0. When we close the port, no traffic flows. I attached show sess int gx/x/x + ISE auth details for reference. Can someone please advice?

Thank you!

Re: ISE shows auth passed but switch unauth

Cory Peterson — Mon, 10 Sep 2018 12:06:34 GMT

Can you please share what your Authorization profile looks like?

Re: ISE shows auth passed but switch unauth

jayage — Mon, 10 Sep 2018 13:52:06 GMT

The auth profile is simly set to permit access. The auth policy currently looks like that:

Under condition we're using predefined set of Wired_802.1X, source sequence contains AD lookup + internal identity store. Allowed protocols contain several like EAP-TLS and PEAP MSCHAPv2 but also EAP-FAST (with inner MSCHAPv2, EAP-GTC and EAP-TLS). Use PACs is enabled with anonymous and authenticated in-band PAC provisioning.

According to the hit counter you can see it is/was working several times but not for the specific AP mentioned in the earlier attached debug info. Several others are not working either.

Re: ISE shows auth passed but switch unauth

Cory Peterson — Mon, 10 Sep 2018 13:56:17 GMT

Hello,

That is the Authentication profile. I am interested in what your Authorization profile (Result) looks like.

Thanks!

Re: ISE shows auth passed but switch unauth

jayage — Mon, 10 Sep 2018 14:01:03 GMT

The result is the standard permit access.

Re: ISE shows auth passed but switch unauth

Cory Peterson — Mon, 10 Sep 2018 14:02:48 GMT

Do you have a Pre-auth ACL on the switch ports? Or is this only in monitor mode?

Re: ISE shows auth passed but switch unauth

paul — Mon, 10 Sep 2018 14:11:31 GMT

PAC provisioned is not authentication. When you are using EAP-FAST the client will first connect to ISE to do PAC provisioning then it will authenticate. So the AP is only doing the first part. You should see a Dot1x authentication attempt closely following the PAC provisioning.

Re: ISE shows auth passed but switch unauth

paul — Mon, 10 Sep 2018 14:19:33 GMT

Also if the step data you posted is from the actual authentication and not the PAC provisioning log entry it looks like you are passing authentication but failing authorization. I see an authentication succeeded, but the selected authorization profile is blank.

22037 Authentication Passed

15036 Evaluating Authorization Policy

15016 Selected Authorization Profile -

11401 Prepared RADIUS Access-Reject after the successful in-band PAC provisioning

Re: ISE shows auth passed but switch unauth

jayage — Mon, 10 Sep 2018 15:52:09 GMT

Don't know if pre-auth ACL are set, I only know pre-auth ACLs for web authentictaion at our guest wifi. Is there maybe the supplicant wrong on these APs?

Re: ISE shows auth passed but switch unauth

jayage — Mon, 10 Sep 2018 15:52:22 GMT

I just restarted one AP to watch the behavoir. PAC suceeded but no authentication session followed.

Is it normal that it got rejected at the end of the PAC prov:

11018	RADIUS is re-using an existing session
12104	Extracted EAP-Response containing EAP-FAST challenge-response
11401	Prepared RADIUS Access-Reject after the successful in-band PAC provisioning
61025	Open secure connection with TLS peer
11504	Prepared EAP-Failure
11003	Returned RADIUS Access-Reject

Honestly I don't know how to proceed.

Re: ISE shows auth passed but switch unauth

jayage — Tue, 11 Sep 2018 08:33:07 GMT

New finding, I recognized that only access points with trunk ports and wlan-vlan mapping are not working properly but only on IOS XE. Got some ISE 3750v2 with IOS 15.0.2SEx, using same static trunk port config for APs where authentication works as expected.

Port config looks like this:

switchport trunk native vlan 2
switchport trunk allowed vlan 2,100
switchport mode trunk
device-tracking
authentication host-mode multi-host
authentication open
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast trunk
spanning-tree bpduguard enable

Auth open ofc as it is not working atm. VLAN 2 is the standard 'client' VLAN used for the internal ssid while 100 is for voice.

Any clue? While researching I stumbled over the following article:https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html

Do I have to go for NEAT? Or can we get it working with static port config?

Re: ISE shows auth passed but switch unauth

paul — Tue, 11 Sep 2018 09:02:34 GMT

You shouldn’t be doing authentication on trunk ports. If your APs are FlexConnect the shouldn’t have ISE on the ports. If the are local mode APs the shouldn’t be trunks. If you are worried about someone unplugging the AP and plugging in when the port is trunked, you can use Autosmart port macro applied by ISE to reconfigure the port.

So the port would be standard access port with authentication on it. When AP plugs in ISE would invoke macro to reconfigure port to a trunk and remove authentication. If AP is unplugged it goes back to access port with Auth enabled.

Search forums for smart port. I and others have posted on it.

Re: ISE shows auth passed but switch unauth

tom-ingram — Fri, 31 Jan 2025 09:53:49 GMT

Hello,

Did you ever get to the bottom of this one, please? I too have an issue where some MAB devices are showing as authenticated in the ISE RADIUS Live Logs but showing as un-auth on the switch.