topic Re: Wired guest access ISE 2.3 in Network Access Control

Wired guest access ISE 2.3

walwar — Fri, 21 Feb 2020 18:43:03 GMT

Hi,

In my lab I try to authenticate non-joined domain PC with policy-map but I am having hard time achieving this. Any help would be greatly appreciated or if you can put me into right direction I would be very glad.

Short story of my lab:

Joined domain PC Port based authentication: Can access network

Mab authentication: Works fine

Policy-map configuration example:

sw01#show policy-map type control subscriber DOT1X_POLICY
DOT1X_POLICY
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
event authentication-failure match-first
10 class always do-until-failure
10 terminate dot1x
20 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
event authentication-success match-all
10 class always do-until-failure
10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE

sw01#show policy-map type control subscriber MAB_POLICY
MAB_POLICY
event session-started match-all
10 class always do-until-failure
10 authenticate using mab priority 10
event authentication-failure match-first
10 class always do-until-failure
10 terminate mab
20 authentication-restart 60
event authentication-success match-all
10 class always do-until-failure
10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE

Port configuration examples:

interface GigabitEthernet1/0/15
description DOT1X
switchport access vlan 3180
switchport mode access
access-session closed
access-session port-control auto
dot1x pae authenticator
no cdp enable
spanning-tree portfast
service-policy type control subscriber DOT1X_POLICY

interface GigabitEthernet1/0/14
description MAB
switchport access vlan 3180
switchport mode access
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
no cdp enable
spanning-tree portfast
service-policy type control subscriber MAB_POLICY

What I am trying to achieve is that if the PC is not found in the domain, it should be only able to access internet not internal server i.e vlan 20 which is surf vlan. Can I achieve this with policy-map? I followed mostely this guide but I am stuck now. mhttps://communities.cisco.com/docs/DOC-64012

Thanks for stopping by and helping a fellow networker.

PS: Why I am getting these? I used to be able to do this couple of weeks ago.

sw01(config-if)#authentication event fail action authorize vlan 20
Command deprecated (authentication event fail action authorize vlan 20) - use cpl config

sw01(config)#dot1x guest-vlan supplicant
Command deprecated ('dot1x guest-vlan supplicant') - use cpl config instead

Re: Wired guest access ISE 2.3

Ben Walters — Fri, 05 Jan 2018 15:57:46 GMT

Are you set on using policy-maps? There should be an easier way to send non-domain devices into the guest VLAN.

I would much rather have ISE doing all the policy work instead of having the switches with bloated configs for policy maps.

I would have normal 802.1x/MAB auth and add in conditions in those policies in ISE that if a user is not part of the domain/fails MAB send them to the guest VLAN. That way you can clean up the config on the switches, basically just having the required config for 802.1x/MAB and create the guest VLAN on the switch itself.

Depending on how you want to set this up the default deny policy in ISE could be changed to send anyone to the guest VLAN who is unable to authenticate too.

Re: Wired guest access ISE 2.3

walwar — Sun, 07 Jan 2018 20:31:16 GMT

Honestly, these policies were created by default. I was able to use authentication command in interface mode, but not anymore. I would rather using ISE to do everything instead of having loads of commands in my switch.

Today both dot1x and MAB works fine but if I remove the service-policy command from the interface everything stops working, therefore I have these policy-map commands. As I said I'd rather to remove these policies from my switch and configure ISE to do this job instead. The one thing that I still can't figure out with policy-map is how to make non-joined domain and guest access to X vlan for only surfing the web.

Any recommendation of how to achieve these? I am not so familiar with ISE but the more I use it the more I start to understand it, but unfortunately the policy set is still very tricky.

This is what I am trying to do:
1. Dot1x
2. MAB
3. Guest and non-joined domain PC's redirection for webauth.

-W

Re: Wired guest access ISE 2.3

Octavian Szolga — Tue, 09 Jan 2018 12:59:38 GMT

HI Walwar,

non 802.1x authenticated can be MAB 🙂

The old style config in which the switch is using LWA or failed VLAN or guest VLAN or whatever is kind've legacy 🙂

You can configure ISE so that when a MAB request for an unkown MAC is requested, the device is placed into a 'guest' VLAN or is presented a web-auth portal. (from ISE)

The config you're using is IBNS 2.0 (policy-map oriented) which can be deactived so that you can use old-style syntax (dot1x authentication, etc).

Thanks,

Octavian

Re: Wired guest access ISE 2.3

walwar — Tue, 09 Jan 2018 13:29:28 GMT

Hello,

I probably should have pointed this out, my dot1X is only for wired joined domain PC.
MAB is used for Printers, Security cams, and non-joined domain PC I.e. guests which is redirected to a to authenticate through a webpage.

Now after many long nights in my basement I am kind of solved the webauth, but not 100%. The only thing that is not working in my lab, is that my guest PC is not getting access to Internet though when I look at the port is has assigned IP and I even see the dACL but the PC is not connecting. Now when I copy the dACL from the port and used it from another PC I get to the self-reg page and can register successfully and only then my guest PC is able to surf to the internet.

How do I deactivate this policy-map based config? It starts to get too complex and I could lose track of everything soon hehe.

What do you think of using policy-map vs old style syntax?

-walwar

Re: Wired guest access ISE 2.3

Octavian Szolga — Tue, 09 Jan 2018 15:27:44 GMT

Hi,

IBNS 2.0 is rather new (or at least not often implemented) and is not available on every existing Catalyst platform.

In Cisco's documentation is states that you cannot revert to the old style configuration mode for 802.1x if you saved the config and reloaded the device. I have my doubts about that and I suspect that the correct sentence would be that you cannot revert to the old style and keep your entire config.

I suspect that a write erase reload would allow you to revert to the old style config.

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-729965.html

There are some advantages of using the policy-map model, like running both MAB and dot1x simultaneoulsy on the switch (old style/auth manager cannot do it) but overall, it's not that user friendly like auth manager.

Thanks,

Octavian

Re: Wired guest access ISE 2.3

walwar — Tue, 09 Jan 2018 15:35:57 GMT

Hello,

Yeah, I saw that and unfortunately I had already saved and booted my switch and I won't bother troubleshooting if write erase will revert back to the legacy style. I will continue using policy-map though I need to clean it up and add back the class-maps I removed not knowing that the policies might be useful.

Do you have any experience with wired guest authentication? I am still having trouble figuring this out.

Thanks for taking time and helping out, much appreciated!

-walwar