topic Re: how to authorize switch port when ISE is down in Network Access Control

how to authorize switch port when ISE is down

kareali@cisco.com — Fri, 29 Jul 2016 21:08:10 GMT

Hello,

i'm trying to implement how to authorize the switch port when ISE nodes are dead

i tried some commands but i see that only one endpoint can work ip phone or pc ?

authentication event server dead action authorize vlan x

authentication event server alive action authorize voice

authentication host-mode multi-domain

so is there a way to authorize both endpoints when ISE is dead ? can i use service policy for example ?

Re: how to authorize switch port when ISE is down

hslai — Sat, 30 Jul 2016 00:43:23 GMT

If not already done, please check out this how-to How To: Universal IOS Switch Config for ISE and the other guides on Cisco Switches might be of interest to you, too.

Your inquiry is actually more on the switch side so I would suggest to seek support from Cisco switch platform team if you have further questions.

Re: how to authorize switch port when ISE is down

vibobrov — Sat, 30 Jul 2016 17:30:29 GMT

The correct command is authentication event server dead action authorize voice

Re: how to authorize switch port when ISE is down

kareali@cisco.com — Sun, 31 Jul 2016 11:12:44 GMT

Hello,

thanks a lot for the document but the PC is always stucked in dot1x authentication it is always running so PC never gets the critical vlan but ip phone worked perfectly . when i removed anyconnect from the PC it gets the critical vlan

so i guess the problem in timeouts maybe or something else and here is the switch command

interface GigabitEthernet1/0/15

switchport access vlan 15

switchport mode access

switchport voice vlan 248

authentication event fail action next-method

authentication event server dead action authorize vlan 15

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-domain

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication violation restrict

mab

mls qos trust device cisco-phone

mls qos trust cos

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

spanning-tree bpduguard enable

end

Re: how to authorize switch port when ISE is down

hslai — Mon, 01 Aug 2016 14:14:02 GMT

Are you seeing this issue with new authentications? If a DOT1X client already authorized, I do not think it would get put into critical VLAN. Also, it might depend on the AnyConnect NAM profile to allow DOT1X auth failures.

Re: how to authorize switch port when ISE is down

kareali@cisco.com — Tue, 02 Aug 2016 05:51:33 GMT

Hello,

yes i'm talking about new clients trying to connect when radius is dead and your suggestion is already enabled !!

the problem is that dot1x is keeping running it never fails in the switch !!

Re: how to authorize switch port when ISE is down

howon — Tue, 02 Aug 2016 11:12:47 GMT

Kareem, run 'dot1x critical eapol' global command and try the test again.

Re: how to authorize switch port when ISE is down

kareali@cisco.com — Sun, 07 Aug 2016 09:21:58 GMT

not working i should allow data before authentication from anyconnect and this is not acceptable

Re: how to authorize switch port when ISE is down

hslai — Sun, 07 Aug 2016 23:51:02 GMT

Have you tried it with Windows native supplicant? I would expect the same result as your AnyConnect NAM tests.

Please detail which switch model and Cisco IOS release on the switch. As I mentioned before, this is a switch feature, it's best to seek support from the switch platform teams.

Re: how to authorize switch port when ISE is down

deepuvarghese1 — Sun, 08 Apr 2018 10:29:39 GMT

Hi Kareem,

Is there any luck on the issue. We do have the same issue with the PC's installed with Anyconnect. It is stuck in authentication. PC's without anyconnect works fine and getting the critical auth VLAN but no luck for anyconnect installed machines.

Tried the option Enable the port exception mentioned above but same result

Re: how to authorize switch port when ISE is down

kareali@cisco.com — Sun, 08 Apr 2018 10:41:40 GMT

Hello Deepu,

i'm using the below switch template and it's working with anyconnect and without anyconnect

dot1x system-auth-control

dot1x critical eapol

interface GigabitEthernet w/x/y-z

switchport access vlan X

switchport voice vlan y

switchport mode access

authentication event fail action next-method

authentication event server dead action authorize vlan X

authentication event server dead action authorize voice

dot1x pae authenticator

dot1x port-control auto

authentication order dot1x mab

authentication priority dot1x mab

mab

dot1x timeout tx-period 10

authentication periodic

authentication timer reauthenticate server

authentication host-mode multi-domain

snmp trap mac-notification change added

spanning-tree portfast

exit

anyconnect configuration was allow data before authentication

i faced a disaster with a customer last month when all ISE nodes was down and AD was down but nobody complains because the critical VLAN applied to all interfaces.

Re: how to authorize switch port when ISE is down

deepuvarghese1 — Sun, 08 Apr 2018 12:54:18 GMT

Hi Karem,

Thank you for your quick reply. Much appreciated. I am using the same template on switches. But still the same problem. Could you please help how do you configure "anyconnect configuration was allow data before authentication" ?. Do you have the configuration.xml sample so that i can check the setting. My email ID is deepu.vargheset@gmail.com. Please send if possible.

Thanks,

Deepu

Re: how to authorize switch port when ISE is down

Jason Kunst — Sun, 08 Apr 2018 15:54:21 GMT

It seems like you are talking about anyconnect NAM to allow network access when dot1x fails? This has nothing to do with ISE or the switch

Please reference the anyconnect document

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-nam.html#ID-1424-00000172

If more questions on anyconnect nam please move this to the anyconnect forum

Re: how to authorize switch port when ISE is down

deepuvarghese1 — Mon, 09 Apr 2018 08:55:36 GMT

Kareem Ali wrote:

Hello Deepu,

i'm using the below switch template and it's working with anyconnect and without anyconnect

dot1x system-auth-control

dot1x critical eapol

interface GigabitEthernet w/x/y-z

switchport access vlan X

switchport voice vlan y

switchport mode access

authentication event fail action next-method

authentication event server dead action authorize vlan X

authentication event server dead action authorize voice

dot1x pae authenticator

dot1x port-control auto

authentication order dot1x mab

authentication priority dot1x mab

mab

dot1x timeout tx-period 10

authentication periodic

authentication timer reauthenticate server

authentication host-mode multi-domain

snmp trap mac-notification change added

spanning-tree portfast

exit

anyconnect configuration was allow data before authentication

i faced a disaster with a customer last month when all ISE nodes was down and AD was down but nobody complains because the critical VLAN applied to all interfaces.

Hello Kareem,

We have tried the option "data before authentication" in anyconnect configuration but the issue remains the same. Anyconnect is showing authenticating and on switch side dot1x is running and never fall back. We stopped the services of anyconnect and everything working fine as expected. So i believe we need some tweaking in anyconnect profile. Any idea ?. As below mentioned by Jason, do we need to post put discussion on anyconnect group ?

Are you using "authentication open" command on switch ports ?.

Re: how to authorize switch port when ISE is down

kareali@cisco.com — Mon, 09 Apr 2018 09:10:39 GMT

Hi,

I didn’t configure any special configuration for Anyconnect I just configured allow data before authentication and the remaining settings is the default settings .

From switch side the switch has to mark the ISE as dead in order to apply critical vlan . so do you see ISE dead ?

From switch configuration I do radius test every 5 minutes I believe this is important . here is the whole template I use in the switch

global configuration

Re: how to authorize switch port when ISE is down

deepuvarghese1 — Mon, 09 Apr 2018 09:14:27 GMT

Thanks Kareem for your reply. Could you please provide the global configuration for a reference.

Thanks

Deepu

Re: how to authorize switch port when ISE is down

kareali@cisco.com — Mon, 09 Apr 2018 10:21:29 GMT

global configuration

-----------------------

aaa new-model

username ISERADIUSTEST password ISEtest123

radius server Abb-ISE

address ipv4 x.x.x.x auth-port 1645 acct-port 1646

automate-tester username ISERADIUSTEST idle-time 15

key CSO@citc!

exit

radius server Oct-ISE

address ipv4 y.y.y.y auth-port 1645 acct-port 1646

automate-tester username ISERADIUSTEST idle-time 15

key CSO@citc!

exit

aaa group server radius ISE

server name Abb-ISE

server name Oct-ISE

deadtime 10

exit

aaa server radius dynamic-author

client x.x.x.x server-key CSO@citc!

client y.y.y.y server-key CSO@citc!

exit

aaa authentication dot1x default group ISE

aaa authorization network default group ISE

aaa accounting dot1x default start-stop group ISE

aaa accounting network default start-stop group ISE

aaa accounting delay-start all

aaa accounting update newinfo periodic 60

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server vsa send authentication

radius-server vsa send accounting

ip radius source-interface vlanxx

ip dhcp snooping

ip device tracking

epm logging

logging origin-id ip

logging source-interface Vlanxx

logging host 10.10.81.81 transport udp port 20514

logging host 20.10.81.81 transport udp port 20514

dot1x system-auth-control

dot1x critical eapol

ip http server

ip http secure-server

ip access-list extended redirection

permit tcp any any eq 80

permit tcp any any eq 443

permit tcp any any eq 8905

permit ip any host 1.1.1.1

deny ip any any

exit

mac address-table notification change

mac address-table notification mac-move

snmp-server trap-source vlanxx

snmp-server community CSO@citc! RO

snmp-server enable traps mac-notification change move threshold

snmp-server enable traps errdisable

snmp-server enable traps vlan-membership

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server host 10.10.81.40 version 2c CSO@citc! mac-notification snmp

snmp-server host 20.10.81.40 version 2c CSO@citc! mac-notification snmp

---------------------------------------------------------------------------------------------------------------

interface GigabitEthernet w/x/y-z

switchport access vlan X

switchport voice vlan y

switchport mode access

authentication event fail action next-method

authentication event server dead action authorize vlan X

authentication event server dead action authorize voice

dot1x pae authenticator

dot1x port-control auto

authentication order dot1x mab

authentication priority dot1x mab

mab

dot1x timeout tx-period 10

authentication periodic

authentication timer reauthenticate server

authentication host-mode multi-domain

snmp trap mac-notification change added

spanning-tree portfast

exit

Re: how to authorize switch port when ISE is down

mohdg — Mon, 30 Jul 2018 09:34:22 GMT

Does this configuration allows both vlans ie data and voice? because i have same scenario but IP phone connects to the switch and PC connects to an IP phone.