Issue Handling Dot1x Failures with CPL

paul — Fri, 18 May 2018 18:19:08 GMT

I am having a strange issue that I can't explain why CPL is not handling correctly. We are rolling out ISE in closed mode with CPL. If the devices happens to have the Wired Auth service enabled the device will briefly get let on with my MAB catch all rule, but then Dot1x will fail and the device will get blocked. The client is not trusting the ISE server which is expected as we haven't rolled out any GPO policies yet.

So the client sees this:

If the client hits "Connect" the switch will stop Dot1x as expected and the device will stay on the network via my MAB catch all rule.

If the client hits "Don't connect", hits the X to close out the window or doesn't respond the prompt the switch auth will initially look like this:

SC-A29-A116#show access-session int gig 2/13 det

Interface: GigabitEthernet2/13

MAC Address: a44c.c8e9.33b8

IPv6 Address: Unknown

IPv4 Address: 10.12.29.107

User-Name: A4-4C-C8-E9-33-B8

Status: Authorized

Domain: DATA

Oper host mode: multi-auth

Oper control dir: in

Session timeout: 65000s (server), Remaining: 64970s

Timeout action: Reauthenticate

Restart timeout: N/A

Periodic Acct timeout: N/A

Common Session ID: 0A0C0074000003C952FB4EAC

Acct Session ID: 0x0000B761

Handle: 0x310002CA

Current Policy: ISE_AUTH

Local Policies:

Server Policies:

ACS ACL: xACSACLx-IP-Wired_Monitor_Hostname_Exists_In_AD-5adf88eb

Method status list:

Method State

dot1x Running

mab Stopped

The MAB rule is still in effect and I can ping the device. Eventually the Dot1x will fail and it goes to this:

Interface: GigabitEthernet2/13

MAC Address: a44c.c8e9.33b8

IPv6 Address: Unknown

IPv4 Address: 10.12.29.107

User-Name: host/xyx.company.com

Status: Unauthorized

Domain: DATA

Oper host mode: multi-auth

Oper control dir: in

Session timeout: N/A

Restart timeout: N/A

Periodic Acct timeout: N/A

Common Session ID: 0A0C0074000003C752F8FE5C

Acct Session ID: 0x0000B749

Handle: 0x270002C8

Current Policy: ISE_AUTH

Local Policies:

Method status list:

Method State

dot1x Authc Failed

mab Stopped

At this point the user has no access to the network because we are in closed mode. The switch correctly logs the Auth fail:

May 18 14:08:24.380 EDT: %DOT1X-5-FAIL: Authentication failed for client (a44c.c8e9.33b8) on Interface Gi2/13 AuditSessionID 0A0C0074000003C752F8FE5C

My CPL accounts for Dot1x fail but it doesn't seem to be kicking in after this type of Dot1x fail:

!***CPL***

ip access-list extended PERMIT_ANY

permit ip any any

service-template CRITICAL_ACCESS

description Apply when ISE is unavailable to permit traffic and allow voice vlan

access-group PERMIT_ANY

voice vlan

class-map type control subscriber match-all AAA_DOWN_UNAUTHD_HOST

match result-type aaa-timeout

match authorization-status unauthorized

class-map type control subscriber match-all AAA_DOWN_AUTHD_HOST

match result-type aaa-timeout

match authorization-status authorized

class-map type control subscriber match-all DOT1X_FAILED

match method dot1x

match result-type method dot1x authoritative

class-map type control subscriber match-any IN_CRITICAL_AUTH

match activated-service-template CRITICAL_ACCESS

class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH

match activated-service-template CRITICAL-ACCESS

policy-map type control subscriber ISE_AUTH

event session-started match-all

10 class always do-all

10 authenticate using dot1x priority 10

20 authenticate using mab priority 20

event violation match-all

10 class always do-all

10 restrict

event agent-found match-all

10 class always do-all

10 terminate mab

20 authenticate using dot1x priority 10

event authentication-failure match-first

10 class AAA_DOWN_UNAUTHD_HOST do-until-failure

10 activate service-template CRITICAL_ACCESS

20 authorize

30 pause reauthentication

40 terminate dot1x

50 terminate mab

20 class AAA_DOWN_AUTHD_HOST do-until-failure

10 pause reauthentication

20 authorize

30 class DOT1X_FAILED do-all

10 terminate dot1x

20 authenticate using mab priority 20

event aaa-available match-all

10 class IN_CRITICAL_AUTH do-until-failure

10 clear-session

20 class NOT_IN_CRITICAL_AUTH do-until-failure

10 resume reauthentication

The Dot1x fail definitely works if the client is not running Dot1x at all, but doesn't seem to work in this case.

Is this working as designed? The legacy ISE template doesn't have this issue.

I am probably going to open a TAC case, but wanted to post here as well.

Re: Issue Handling Dot1x Failures with CPL

kvenkata1 — Fri, 18 May 2018 21:41:13 GMT

Hi Paul,

On the switch C3PL configuration - Did you configure it from scratch or converted from a working IBNS 1.0 configuration? If it is the former, I would try the conversion option as documented in page 2.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ibns/configuration/xe-3se/3850/ibns-xe-3se-3850-book/san-cntrl-pol.pdf

If you have already tried the conversion option please work with TAC for a resolution.

- Krish

Re: Issue Handling Dot1x Failures with CPL

paul — Fri, 18 May 2018 22:20:39 GMT

It is from scratch starting with the original 3850 CPL document and adding in components of IBNS 2.0. These are all fresh installs that we converted to new-style before any configuration was applied.

Re: Issue Handling Dot1x Failures with CPL

paul — Fri, 18 May 2018 22:54:34 GMT

Ahh I think I figured it out and probably something that should be added to the IBNS template. The switch was treating it as a dot1x timeout and not triggering the failure. I had to add this:

class-map type control subscriber match-all DOT1X_TIMEOUT

match method dot1x

match result-type method-timeout

policy-map type control subscriber ISE_AUTH

event session-started match-all

10 class always do-all

10 authenticate using dot1x priority 10

20 authenticate using mab priority 20

event violation match-all

10 class always do-all

10 restrict

event agent-found match-all

10 class always do-all

10 terminate mab

20 authenticate using dot1x priority 10

event authentication-failure match-first

10 class AAA_DOWN_UNAUTHD_HOST do-until-failure

10 activate service-template CRITICAL_ACCESS

20 authorize

30 pause reauthentication

40 terminate mab

50 terminate dot1x

20 class AAA_DOWN_AUTHD_HOST do-until-failure

10 pause reauthentication

20 authorize

30 class DOT1X_FAILED do-all

10 terminate dot1x

20 authenticate using mab priority 20

40 class DOT1X_TIMEOUT do-all

10 terminate dot1x

20 authenticate using mab priority 20

I am going to do more testing but that seemed to work nicely.

Re: Issue Handling Dot1x Failures with CPL

kvenkata1 — Mon, 21 May 2018 16:00:54 GMT

Great! I am glad it worked out. Please reach to TAC if you need any further assistance.

- Krish

topic Re: Issue Handling Dot1x Failures with CPL in Network Access Control

Issue Handling Dot1x Failures with CPL

Re: Issue Handling Dot1x Failures with CPL

Re: Issue Handling Dot1x Failures with CPL

Re: Issue Handling Dot1x Failures with CPL

Re: Issue Handling Dot1x Failures with CPL