VLAN Change & Port-bounce Info

matteodapozzo — Sun, 06 Aug 2017 21:11:52 GMT

Hi Cisco ISE Community,

I would like to know if anyone have any suggestion on the following scenario:

Guests can connect to the corporate network through wired access in order to browse on the Internet.

Actually I have configured the following on the ISE side:

One authorization policy in order to trigger CWA with self registration portal
Another authorization policy in order to trigger the VLAN change for the guest user

On the switch side the "guest" switch port is configured as follows:

802.1X + MAB (priority dot1x then mab)
switch port by default on the corporate Client VLAN (if the user that is connecting to that switch port is not using a corporate PC it still need to authenticate through CWA)

The issue here is that when the VLAN change CoA is sent to the switch (including the port-bounce command) the client does not proceed with the new DHCP request ( the port VLAN change from 128 to 116). Actually I didn't figure out if the port-bounce is working correctly because from the switch configuration when I type "no authentication command port-bounce ignore" it still appear in the configuration.

Looking forward to know your opionion.

Thanks.

Below you can find the technical details:

####### SW CONFIG

SW03N#sh run all | i bounce

authentication command bounce-port ignore

SW03N#conf t

Enter configuration commands, one per line. End with CNTL/Z.

SW03N(config)#no authentication command bounce-port ignore

SW03N(config)#end

SW03N#sh run all | i bounce

authentication command bounce-port ignore

####### SW INFO

Switch Ports Model SW Version SW Image

------ ----- ----- ---------- ----------

* 1 52 WS-C2960X-48TS-L 15.0(2)EX5 C2960X-UNIVERSALK9-M

2 52 WS-C2960S-48TS-L 15.0(2)EX5 C2960S-UNIVERSALK9-M

####### AUTHORIZATION PROFILE ATTRIBUTES:

Access Type = ACCESS_ACCEPT

Tunnel-Private-Group-ID = 1:116

Tunnel-Type = 1:13

Tunnel-Medium-Type = 1:6

cisco-av-pair = subscriber:command=bounce-host-port

####### SW switch port facing the client:

interface GigabitEthernet2/0/25

description VLAN Client

switchport access vlan 128

switchport mode access

switchport port-security maximum 2

switchport port-security

switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

speed 100

duplex full

authentication event fail action next-method

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 3

spanning-tree portfast

spanning-tree bpduguard enable

end

####### SW MAB + CoA RADIUS:

Aug 4 16:21:01: RADIUS(00043565): Send Access-Request to 172.17.16.77:1812 id 1645/80,len 268

Aug 4 16:21:01: RADIUS: authenticator 60 25 BE 92 1E 26 E0 B8 - B1 A2 2F 63 3E 8B 9F 73

Aug 4 16:21:01: RADIUS: User-Name [1] 14 "002655f4f36d"

Aug 4 16:21:01: RADIUS: User-Password [2] 18 *

Aug 4 16:21:01: RADIUS: Service-Type [6] 6 Call Check [10]

Aug 4 16:21:01: RADIUS: Vendor, Cisco [26] 31

Aug 4 16:21:01: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"

Aug 4 16:21:01: RADIUS: Framed-IP-Address [8] 6 172.17.129.150

Aug 4 16:21:01: RADIUS: Framed-MTU [12] 6 1500

Aug 4 16:21:01: RADIUS: Called-Station-Id [30] 19 "70-10-5C-72-2A-99"

Aug 4 16:21:01: RADIUS: Calling-Station-Id [31] 19 "00-26-55-F4-F3-6D"

Aug 4 16:21:01: RADIUS: Message-Authenticato[80] 18

Aug 4 16:21:01: RADIUS: 9B 68 D6 BF 17 67 CA FB 38 47 D5 4B 5B A7 E6 0D [ hg8GK[]

Aug 4 16:21:01: RADIUS: EAP-Key-Name [102] 2 *

Aug 4 16:21:01: RADIUS: Vendor, Cisco [26] 49

Aug 4 16:21:01: RADIUS: Cisco AVpair [1] 43 "audit-session-id=AC1110300004343E10AF1DF4"

Aug 4 16:21:01: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]

Aug 4 16:21:01: RADIUS: NAS-Port [5] 6 50225

Aug 4 16:21:01: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet2/0/25"

Aug 4 16:21:01: RADIUS: Called-Station-Id [30] 19 "70-10-5C-72-2A-99"

Aug 4 16:21:01: RADIUS: NAS-IP-Address [4] 6 172.17.16.48

Aug 4 16:21:01: RADIUS(00043565): Started 5 sec timeout

Aug 4 16:21:01: RADIUS: Received from id 1645/80 172.17.16.77:1812, Access-Accept, len 245

Aug 4 16:21:01: RADIUS: authenticator 32 4F BD 12 EF 5A 4B AD - 71 DB 2E C5 9B 68 DA EA

Aug 4 16:21:01: RADIUS: User-Name [1] 10 "test1234"

Aug 4 16:21:01: RADIUS: State [24] 40

Aug 4 16:21:01: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 41 43 [ReauthSession:AC]

Aug 4 16:21:01: RADIUS: 31 31 31 30 33 30 30 30 30 34 33 34 33 45 31 30 [1110300004343E10]

Aug 4 16:21:01: RADIUS: 41 46 31 44 46 34 [ AF1DF4]

Aug 4 16:21:01: RADIUS: Class [25] 54

Aug 4 16:21:01: RADIUS: 43 41 43 53 3A 41 43 31 31 31 30 33 30 30 30 30 [CACS:AC111030000]

Aug 4 16:21:01: RADIUS: 34 33 34 33 45 31 30 41 46 31 44 46 34 3A 67 61 [4343E10AF1DF4:ga]

Aug 4 16:21:01: RADIUS: 2D 69 73 65 2F 32 39 31 31 32 39 32 34 31 2F 31 [-ise/291129241/1]

Aug 4 16:21:01: RADIUS: 38 33 34 38 [ 8348]

Aug 4 16:21:01: RADIUS: Session-Timeout [27] 6 59887

Aug 4 16:21:01: RADIUS: Termination-Action [29] 6 0

Aug 4 16:21:01: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]

Aug 4 16:21:01: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]

Aug 4 16:21:01: RADIUS: Message-Authenticato[80] 18

Aug 4 16:21:01: RADIUS: B3 61 E1 9F CD B9 61 81 D5 FD 8F 04 76 FE D2 9C [ aav]

Aug 4 16:21:01: RADIUS: Tunnel-Private-Group[81] 6 01:"116"

Aug 4 16:21:01: RADIUS: Vendor, Cisco [26] 43

Aug 4 16:21:01: RADIUS: Cisco AVpair [1] 37 "subscriber:command=bounce-host-port"

Aug 4 16:21:01: RADIUS: Vendor, Cisco [26] 30

Aug 4 16:21:01: RADIUS: Cisco AVpair [1] 24 "profile-name=HP-Device"

Aug 4 16:21:01: RADIUS(00043565): Received from id 1645/80

Aug 4 16:21:01: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE

Aug 4 16:21:01: %MAB-5-SUCCESS: Authentication successful for client (0026.55f4.f36d) on Interface Gi2/0/25 AuditSessionID AC1110300004343E10AF1DF4

Aug 4 16:21:01: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.55f4.f36d) on Interface Gi2/0/25 AuditSessionID AC1110300004343E10AF1DF4

Aug 4 16:21:01: %AUTHMGR-5-VLANASSIGN: VLAN 116 assigned to Interface Gi2/0/25 AuditSessionID AC1110300004343E10AF1DF4

Aug 4 16:21:02: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.55f4.f36d) on Interface Gi2/0/25 AuditSessionID AC1110300004343E10AF1DF4

####### SW AUTH SESSION DETAILS

SW03N#show authentication sessions interface gigabitEthernet 2/0/25

Interface: GigabitEthernet2/0/25

MAC Address: 0026.55f4.f36d

IP Address: 172.17.129.150

User-Name: test1234

Status: Authz Success

Domain: DATA

Oper host mode: multi-auth

Oper control dir: both

Authorized By: Authentication Server

Vlan Policy: 116

Session timeout: N/A

Idle timeout: N/A

Common Session ID: AC1110300004343E10AF1DF4

Acct Session ID: 0x0004355B

Handle: 0x49000DF1

Runnable methods list:

Method State

dot1x Failed over

mab Authc Success

Re: VLAN Change & Port-bounce Info

Craig Hyps — Mon, 07 Aug 2017 11:26:49 GMT

In general, VLAN change is not a good idea for guest users since the connection is MAB, CoA for CWA is a reauth, and the client will not detect VLAN change, thus retains original IP. Consider SGTs, or device registration with terminate COA or else a workaround could be configuring the NAD profile as non-Cisco and disable reauth CoA option.

Re: VLAN Change & Port-bounce Info

umahar — Mon, 07 Aug 2017 14:51:29 GMT

Hi Matteo,

How are you sending CoA Port-Bounce for CWA ? I tried sending CoA Port-Bounce for the same use case but still could not make it work on 3850.

Our customer also wanted to have change of vlan using guest and we came up with a solution using macros for 3850.

Please see this link https://communities.cisco.com/thread/81859

However this solution might not work well in a multi-auth environment behind an IP Phone as we are disabling dot1x on ports where guests are connected.

topic VLAN Change & Port-bounce Info in Network Access Control

VLAN Change & Port-bounce Info

Re: VLAN Change & Port-bounce Info

Re: VLAN Change & Port-bounce Info