topic Re: Deny access until host authenticates with ISE in Network Access Control

Deny access until host authenticates with ISE

ocs111992 — Wed, 30 Oct 2019 14:49:03 GMT

Our switches with with ISE but before it authenticates it has access to any network. This is an issue because if someone wants to access our network it just need to unplug/plug LAN cable every 15 seconds. Is there a way to deny all type access unitl the host authenticates with ISE?

Re: Deny access until host authenticates with ISE

Mike.Cifelli — Wed, 30 Oct 2019 17:24:46 GMT

Can you share your interface configs? Are you working with manual interface configs OR are you running IBNS with service templates, etc.? You can accomplish what you are looking for via the use of dacls. Essentially you would have some sort of "base" ACL on your interfaces that then gets overridden by a dacl push from ISE upon successful authc and authz policy. In ISE you can configure dacls here: Policy->Policy Elements->Results->Authorization->Downloadable ACLs. You can then assign the dacl to your desired authz profile. Good luck & HTH!

Re: Deny access until host authenticates with ISE

ocs111992 — Wed, 30 Oct 2019 18:38:12 GMT

This is the config of the interface:

interface FastEthernet0/1
switchport access vlan 30
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 30
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable

On DACL, guest users when they connect to LAN have access to internet only but before the computer authenticates with ISE they have access to internal networks and I want to prevent this.

Re: Deny access until host authenticates with ISE

Mike.Cifelli — Wed, 30 Oct 2019 19:32:28 GMT

For a better understanding of the #authentication open command see: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3650/sec-user-8021x-xe-3se-3650-book/sec-ieee-open-auth.html

You could configure a base_acl like this:
Extended IP access list Base_ACL
10 deny ip any any
Then under your interface add this:
ip access-group Base_ACL in

Your ISE dacl will override the Base_ACL and allow access with the respective configs in the dacl.