topic Re: ISE should not use default policy set for dot1x auth! in Network Access Control

ISE should not use default policy set for dot1x auth!

islow1303 — Mon, 03 Jul 2017 09:31:05 GMT

Hello together,

I have configured a wired LAN authentication and I have fully configured the switches, the policies are according to documentations and everything I could think of seems to be set correctly.

Now the issue is, when I connect my devices (using LAN cables) to the switches, the default policy is being selected (see Screenshot -> Authentication Policy), even though "Radius NAS-PORT-TYPE = Ethernet & Device Type = Device Group Switches (my radius switches)!

Question: How do I disable the default policy or how to ensure that my wired policy is always used for wired dot1x?

Re: ISE should not use default policy set for dot1x auth!

B. BELHADJ — Mon, 03 Jul 2017 12:27:55 GMT

Hi Kadir

The Policy Sets in ISE are like the Service Selection Policy on ACS. The order is very important.

Please place you Policy Set "Access Wired" before the Default Policy Set.

Best regards

Re: ISE should not use default policy set for dot1x auth!

islow1303 — Mon, 03 Jul 2017 12:41:53 GMT

Hello Abdollah,

I have moved around the policy set from top to bottom...technically the "Access Wired" Policy set is at the very top, whereas the default policy set is at the bottom (not moveable anyway)...do you have another sugestions?

Kind regards,

Kadir

Re: ISE should not use default policy set for dot1x auth!

B. BELHADJ — Mon, 03 Jul 2017 12:47:52 GMT

Hi Kadir

Please upload a screenshot of your Policy Sets on ISE. I can help based on what you have in your configuration.

Best regards

Re: ISE should not use default policy set for dot1x auth!

ldanny — Mon, 03 Jul 2017 12:51:44 GMT

If you want to match on dot1x connectivity you need to add the radius attribute

Radius:Service-Type = Framed

Radius Attribute Authentication type:

Framed-User (2) = 802.1X

Call-Check (10) = MAB

Outbound (5) = Wired WebAuth

HTH,

Danny

Re: ISE should not use default policy set for dot1x auth!

islow1303 — Mon, 03 Jul 2017 12:51:54 GMT

I hope this helps...let me know if required more...

Re: ISE should not use default policy set for dot1x auth!

islow1303 — Mon, 03 Jul 2017 13:05:11 GMT

Hello Danny,

even when I add the Service-Type = Framed it uses the default policy...I have multiple Policy sets however it's only the "Access Wired" which is not being recognized for some reason...(see screenshot)

Re: ISE should not use default policy set for dot1x auth!

ldanny — Mon, 03 Jul 2017 13:12:38 GMT

I would remove radius attributes first and try to match based on your device type only, perhaps even narrow it down to a specific device your endpoint is hanging off of , keep it to a minimum and simple just to make sure you hit the policy set at first.

Re: ISE should not use default policy set for dot1x auth!

B. BELHADJ — Mon, 03 Jul 2017 13:28:03 GMT

I suggest the following configuration :

The SSP Access wired must have as condition: Network Access: Protocol EQUALS RADIUS
Create a new compound condition like New_Created_Compound_Condition with: Network Access: EapAuthentication Equals EAP-TLS and Certificate: SibjectAlternativeName – DNS Contains your_domain_name
In your Authentication Policy AD_Cert choose as condition (If): New_Created_Compound_Condition ==> Use AD_Cert_User
I suppose that the Certificate Authentication Profile AD_Cert_User is configured like that: Identity Store: [Not applicable] and Certificate Attribute: Subject Alternative Name

Also:

Configure the Authorization Plicy like that: AthZ_Policy_Name if Any and

CERTIFICAT: Subject Alternative Name – DNS contains “your_domain”

Network Access: AuthenticationMethod Equals X509_PKI

RADIUS: NAS-Poirt-Type Equals ETHERNET

Then: Admin_Wired

I hope that will help.

Best regards

Re: ISE should not use default policy set for dot1x auth!

B. BELHADJ — Mon, 03 Jul 2017 13:46:13 GMT

The Admin_Wired must be configured like that :

Access Type = ACCESS_ACCEPT

VLAN Tag ID 1 and Name: YOUR_VLAN_NAME

You can also enable the rethentication after 1h (as an example):

Reauthentication Timer: 3600

Maintain Connectivity During Reauthentication RADIUS-Request

Re: ISE should not use default policy set for dot1x auth!

islow1303 — Mon, 03 Jul 2017 14:57:09 GMT

This was the right answer!

Thank you, it now does work after creating a new Policy Set and by using some of your suggested method.

However after removing the (Device Type = Device Group Switches) and only setting it to Network Access = Radius & Nas-Port-Type = Ethernet...it started Running again!

Thanks you all for the professional help!

Re: ISE should not use default policy set for dot1x auth!

B. BELHADJ — Mon, 03 Jul 2017 15:56:19 GMT

Hi Kadir

I'm happy to know that you are able know to authenticate the users!

Best regards