topic Re: proxy dot1x request to third party RADIUS in Network Access Control

proxy dot1x request to third party RADIUS

martucci — Thu, 15 Sep 2016 07:08:09 GMT

Hello,

my customer would like to offload a dot1x request to an external RADIUS, but only after checking that the client is in a specific group of known MAC addresses on the local server.

This is not easily implemented as the proxy is configured inthe authentication policy, before I can actually perform a check on the local database.

I was wondering if anyone has any creative idea on how it would be possible to satisfy the request

Thanks

Re: proxy dot1x request to third party RADIUS

Craig Hyps — Fri, 16 Sep 2016 19:05:33 GMT

Per internal discussion, this is not possible using proxy. We cannot authenticate via ISE using MAB and then proxy same request to another RADIUS server for a secondary 802.1X auth. I recommend using RADIUS Token to authenticate user in ISE and then use external RADIUS server for authorization only.

To use proxy, you can leverage RADIUS, VSAs, Network Access and Device attributes to determine whether to proxy or to which server to proxy request. You can then process response through local ISE policy for authorization (for example, match on local profile or endpoint ID group). However, you cannot authorize first, and then send to proxy.

Craig

Re: proxy dot1x request to third party RADIUS

hariholla — Fri, 16 Sep 2016 20:57:01 GMT

You may explore IBNS 2.0 for this. ISE can authorize the MAB request with a service template name, and the switch can then clear the session and initiate a new 802.1X session (with a different RADIUS server) on the service-template active status. Haven’t validated this, but a policy something like this could do the trick:

aaa new-model

aaa group server radius mab-servers

server name ise

aaa group server radius 1x-servers

server name non-ise

!

aaa authentication login default group radius

aaa authentication login console none

aaa authentication dot1x default group radius

aaa authentication dot1x mab-servers group mab-servers

aaa authentication dot1x 1x-servers group 1x-servers

aaa authorization exec default local

aaa authorization network default group radius

aaa authorization network 1x-servers group 1x-servers

aaa authorization network mab-servers group mab-servers

aaa authorization auth-proxy default group radius

aaa accounting identity default start-stop group radius

aaa session-id common

!

radius-server dead-criteria time 15 tries 3

!

radius server ise

address ipv4 172.20.254.4 auth-port 1645 acct-port 1646

automate-tester username dummy

key xxxxxx

!

radius server non-ise

address ipv4 172.20.254.8 auth-port 1645 acct-port 1646

automate-tester username dummy

key xxxxxx

!

policy-map type control subscriber ent-access-pol

event session-started match-all

10 class always do-until-failure

   10 authenticate using mab aaa authc-list 1x-servers authz-list mab-servers

event template-activated match-all

10 class mab-classified do-all

   10 terminate mab

   20 authenticate using dot1x aaa authc-list non-ise authz-list non-ise

   30 deactivate service-template mab-classified

event authentication-failure match-first

10 class DOT1X_NO_RESP do-until-failure

   10 terminate dot1x

   20 authentication-restart 60

20 class MAB_FAILED do-until-failure

   10 terminate mab

   20 authentication-restart 60

30 class always do-until-failure

   10 terminate dot1x

   20 terminate mab

   30 authentication-restart 60

event agent-found match-all

10 class always do-until-failure

   10 terminate mab

   20 authenticate using dot1x priority 10

!

class-map type control subscriber match-all DOT1X_NO_RESP

match method dot1x

match result-type method dot1x agent-not-found

!

class-map type control subscriber match-all MAB_FAILED

match method mab

match result-type method mab authoritative

!

class-map type control subscriber match-all mab-classified

match service-template mab-classified

!

service-template mab-classified

description dummy template

tag dummy

!

Re: proxy dot1x request to third party RADIUS

martucci — Mon, 19 Sep 2016 07:07:50 GMT

Great, thanks Hari, I will give it a try

Francesca

==========================================================

Francesca Martucci – CISSP # 481718

CONSULTING SYSTEMS ENGINEER.SECURITY SALES

UKI

==========================================================