topic Re: ISE - C3PL or legacy style ? in Network Access Control

ISE - C3PL or legacy style ?

tuenoerg — Fri, 27 May 2016 12:01:14 GMT

Hi all,

I´m working closely with a partner on a specific customer case - and we have some issue when testing high availability - in this case - AD is down.

In short :

Using the Legacy style – there was no way for the switch to see whether it was a dot1x request or a MAB. When AD is down the ISE servers are configured to do DROP on the packet so that the ISE PSN is marked dead in radius config.

Using MAB on the same switch causes the connected ports with 802.1x clients that have been put into “CRITICAL AUTH” to reinitialize and try to reauthenticate, whichs causes a on/off/on/off/on… etc. scenario

We have worked on multiple solutions - and for now we are working on using C3PL to get this working.

A really cool thing with C3PL is - that we will be able to start MAB and dot1x at the same time - any caveats/pitfalls we are not aware of ?

So - I want to hear what other customers/users do in this scenario ??

Do we (Cisco) recommend using C3PL for this or ?

And furthermore - if anyone is using C3PL - please share config

Best regards

Tue Noergaard

CSE - Cisco DK

Re: ISE - C3PL or legacy style ?

howon — Fri, 27 May 2016 12:19:14 GMT

Tue, thanks for sharing your experience. It is true that IBNS 2.0 (AKA C3PL Syntax) works wonders due to its flexibility. Aside from what you brought up it can provide CRITICAL ACL feature where switch can add/remove ACL based on AAA status, simplify interface configurations, use multiple RADIUS servers for ports and MAB/802.1X among other things. When it comes to ISE, customers can use either method on their switches based on their needs.

The simultaneous auth available with IBNS 2.0 should work but it hasn't been explicitly tested with ISE. One side effect of such configuration would be additional load on the servers as each endpoints connecting will have two authentications.

I am also interested in hearing from others around unique ways using IBNS 2.0 so please feel free to post sample configurations.

Hosuk

Re: ISE - C3PL or legacy style ?

tuenoerg — Fri, 27 May 2016 12:37:58 GMT

Hi,

Do we provide any best practise advice on this subject ?

The customer in this case needs to know if C3PL is the right way to go or not ...

br,

Tue

Re: ISE - C3PL or legacy style ?

howon — Fri, 27 May 2016 12:50:53 GMT

I can't say it is the best practice, but one workaround you can try is to define same ISE node two times with different RADIUS ports. One using 1645 & 1646 and another with same IP using 1812 & 1813. With IBNS 2.0 you can point 802.1X to the first one and MAB to the second one and getting no response due to AD will not impact the MAB requests as it is considered separate RADIUS server from switch side.

Hosuk

Re: ISE - C3PL or legacy style ?

tuenoerg — Fri, 27 May 2016 13:06:03 GMT

hi,

Thanks for your replies

Do you know of any customers actually using C3PL in production ?

We need to ease the customers mind that this is a "safe and/or recommend" way to follow.

/Tue

Re: ISE - C3PL or legacy style ?

howon — Fri, 27 May 2016 13:17:55 GMT

Yes many customers are already on IBNS 2.0 mainly due to CRITICAL ACL feature.

Re: ISE - C3PL or legacy style ?

tuenoerg — Wed, 01 Jun 2016 09:34:32 GMT

HI ..

This is the code we are working on now:

aaa new-model

aaa group server radius ISE-DOT1X-DK-TESTBED

server-private 10.158.33.216 timeout 1 retransmit 2 key 7 *gracefullyremoved*

server-private 10.158.33.225 timeout 1 retransmit 2 key 7 *gracefullyremoved*

aaa group server radius ISE-MAB-DK-TESTBED

server-private 10.158.33.225 timeout 1 retransmit 2 test username ise-tester idle-time 1 key 7 *gracefullyremoved*

server-private 10.158.33.216 timeout 1 retransmit 2 test username ise-tester idle-time 1 key 7 *gracefullyremoved*

aaa authentication dot1x DOT1X group ISE-DOT1X-DK-TESTBED

aaa authentication dot1x MAB group ISE-MAB-DK-TESTBED

aaa authorization network default group ISE-DOT1X-DK-TESTBED

aaa authorization network ISE-DOT1X-DK-TESTBED none

aaa accounting update periodic 60

aaa accounting identity default start-stop group ISE-DOT1X-DK-TESTBED

aaa accounting network default start-stop group ISE-DOT1X-DK-TESTBED

aaa accounting system default start-stop group ISE-DOT1X-DK-TESTBED

aaa server radius dynamic-author

client 10.158.33.216 server-key 7 *gracefullyremoved*

client 10.158.33.225 server-key 7 *gracefullyremoved*

service-template webauth-global-inactive

inactivity-timer 3600

service-template CRITICAL

access-group ACL-ALLOW

vlan 107

service-template CRITICAL_VOICE

access-group ACL-ALLOW

voice vlan

service-template CRITICAL_AUTHD

access-group ACL-ALLOW

vlan 107

service-template DEFAULT_CRITICAL_VOICE_TEMPLATE

voice vlan

vlan group useraccess vlan-list 107-108

vlan dot1q tag native

vlan 107

name 107-dot1x-UA

vlan 108

name 108-dot1x-UA

class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST

match result-type aaa-timeout

match authorization-status authorized

class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST

match result-type aaa-timeout

match authorization-status unauthorized

class-map type control subscriber match-all DOT1X

match method dot1x

class-map type control subscriber match-all DOT1X_FAILED

match method dot1x

match result-type method dot1x authoritative

class-map type control subscriber match-all DOT1X_NO_RESP

match method dot1x

match result-type method dot1x agent-not-found

class-map type control subscriber match-all DOT1X_TIMEOUT

match method dot1x

match result-type method dot1x method-timeout

class-map type control subscriber match-none IN_CRITICAL

match activated-service-template CRITICAL

class-map type control subscriber match-any IN_CRITICAL_AUTHD

match activated-service-template CRITICAL_AUTHD

class-map type control subscriber match-any IN_CRITICAL_VLAN

match activated-service-template CRITICAL

class-map type control subscriber match-all MAB

match method mab

class-map type control subscriber match-all MAB_FAILED

match method mab

match result-type method mab authoritative

class-map type control subscriber match-none NOT_IN_CRITICAL_VLAN

match activated-service-template CRITICAL

policy-map type control subscriber DOT1X

event session-started match-all

10 class always do-until-failure

10 authenticate using dot1x aaa authc-list DOT1X authz-list DOT1X retries 2 retry-time 0 priority 10

20 authenticate using mab aaa authc-list MAB priority 20

event authentication-failure match-first

10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure

10 activate service-template CRITICAL

20 authorize

30 authentication-restart 28800

20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure

10 pause reauthentication

30 class DOT1X_NO_RESP do-until-failure

10 terminate dot1x

20 authenticate using mab priority 20

40 class MAB_FAILED do-until-failure

10 terminate mab

20 authentication-restart 60

50 class DOT1X_FAILED do-until-failure

10 terminate dot1x

20 authenticate using mab aaa authc-list MAB priority 20

60 class always do-until-failure

10 terminate dot1x

20 terminate mab

30 authentication-restart 60

event agent-found match-all

10 class always do-until-failure

10 terminate mab

20 authenticate using dot1x retries 2 retry-time 0 priority 10

event aaa-available match-all

10 class IN_CRITICAL do-until-failure

10 clear-session

20 class IN_CRITICAL_AUTHD do-until-failure

10 resume reauthentication

30 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure

10 resume reauthentication

event violation match-all

10 class always do-until-failure

10 restrict

interface GigabitEthernet1/0/2

description End User Port VLAN 107

switchport access vlan 107

switchport mode access

switchport nonegotiate

ip access-group ACL-ALLOW in

logging event link-status

authentication periodic

authentication timer reauthenticate server

access-session port-control auto

mab

no snmp trap link-status

dot1x pae authenticator

dot1x timeout tx-period 10

storm-control broadcast level 70.00

storm-control multicast level 70.00

storm-control action trap

no cdp enable

spanning-tree portfast

service-policy type control subscriber DOT1X

ip access-list extended ACL-ALLOW

permit ip any any

ip access-list extended REDIRECT

deny ip any host 10.158.33.216

deny ip any host 10.158.33.225

permit ip any any

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 30 tries 3

Comments ?

If anyone will share their code - I´d love to see it.

/Tue

Re: ISE - C3PL or legacy style ?

Gustavo Novais — Fri, 08 Jul 2016 18:21:00 GMT

Hi Tue and Hosuk

I'm actually trying out the same c3pl code based on the document for 3850 universal config (that Hosuk wrote) integrated with ISE 2.1.

For the moment I do see both auth's being triggered at the same time and it looks like it works fine, but ISE behaviour for now is to generate an alarm for the NAD misconfiguration as having too many accounting packets.

I have to admit that having both auth methods simultaneously confuses me in a few aspects:

- 802.1X takes longer to authenticate than mab (more transactions)

- if mab succeeds, an accounting start will be sent.

- but then 802.1X also succeeds (it just took longer) - which will also trigger an accounting start

- will the switch drop the mab session then?

I would also like to have best practice reference guide for C3PL covering multiple cases - 802.1X and MAB for endpoints (with ISE CWA); 802.1X, MAB and webauth; only MAB, etc... Does any of this exist?

If the use cases reference guide is not possible, then a more thorough explanation on how to design a C3PL policy covering multiple cases - which events to look for, which classes to match, which actions to take and their impact.

Regards

Gustavo

Re: ISE - C3PL or legacy style ?

Gustavo Novais — Fri, 08 Jul 2016 18:38:20 GMT

Hello,

Just found out that actually there are a lot of templates already provided with the Auto-identity feature (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-8-0E/15-24E/configuration/guide/xe-380-configuration/auto_id.pdf), besides a good lab guide in cisco live (LTRSEC-2017-LG).

Might help anyone trying to dive into C3PL for identity

Cheers

Gustavo

Re: ISE - C3PL or legacy style ?

S M85 — Fri, 10 Mar 2017 15:22:13 GMT

Hi Guys,

Did someone has a solution for the AD availability. With the automatic-test the switch can send a username and the dead-criteria is working. However like Tue said, there is an on/off/on/off situation.

Is it possible that Cisco will provide a fix for this?

regards,
Sander