<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: C3PL - Event Violation not working. in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/c3pl-event-violation-not-working/m-p/3228976#M547035</link>
    <description>Hi&lt;BR /&gt;&lt;BR /&gt;I've not done a lot of deployments using C3PL.&lt;BR /&gt;I don't have all your config, but based on your output, there's a missing command: authentication display new-style&lt;BR /&gt;&lt;BR /&gt;Have you run a debug? Can you paste the debug result to see what the switch receives?</description>
    <pubDate>Fri, 08 Dec 2017 01:18:22 GMT</pubDate>
    <dc:creator>Francesco Molino</dc:creator>
    <dc:date>2017-12-08T01:18:22Z</dc:date>
    <item>
      <title>C3PL - Event Violation not working.</title>
      <link>https://community.cisco.com/t5/network-access-control/c3pl-event-violation-not-working/m-p/3228956#M547032</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Hi everybody,&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;I have tried to use C3PL, but event violation is not working. I mean that when user authentication with dot1x or MAB fails, users still get access to the network. The log on ISE shows that their authentication failed, and when I use the command "&lt;STRONG&gt;show authentication session interface x/x/x detail&lt;/STRONG&gt;", Status is UnAuthor. Method status list: both dot1x and MAB are Authen Failed. But the user still has access to the network. There is nothing wrong with my Authen/Author rule on ISE, because when I use IBNS classic it works fine. Apart from that, everything is working fine: DOT1X and MAB run at the same time, and Fail-Open works fine. Is there any command to show whether event violation is working or not? I mean, when you use port-security, you can use the command "&lt;STRONG&gt;show port-security interface fx/x&lt;/STRONG&gt;" to see what the violation is. And can you take a look at my configuration?&amp;nbsp; My configuration is below:&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;enable
config terminal
no ip domain lookup
lin con 0
logg syn
exit
hostname POC-SW1

ip domain-name Pru-POC
username admin password 123456
enable secret 123456
crypto key generate rsa general-keys modulus 1024

vtp mode tran

vlan 195
name DATA
vlan 14
name VOICE
exit

int range g1/0/1-12
spanning portfast
switchport access vlan 195
switchport voice vlan 14
exit

int vlan 195
ip add 10.145.195.245 255.255.255.0
no shut
exit

int g1/0/48
switchport access vlan 195
switchport voice vlan 14
exit

ip default-gateway 10.145.195.1

aaa new-model
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
aaa accounting update periodic 5
radius-server host 10.145.220.19 auth-port 1812 acct-port 1813 key abcd2314

radius-server dead-criteria time 30 tries 3
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include

ip radius source-interface vlan 195

aaa server radius dynamic-author
client 10.145.220.19 server-key abcd2314
exit

dot1x system-auth-control
ip device tracking
logging console information

class-map type control subscriber match-any AAA-DOWN
yes
match result-type aaa-timeout
exit

class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative
exit

ip access-list extended ACL-ALLOW
permit ip any any 
exit

service-template CRITICAL
access-group ACL-ALLOW
exit

policy-map type control subscriber DOT1X-DEFAULT

event session-started match-all 
10 class always do-all 
10 authenticate using dot1x priority 10 
20 authenticate using mab priority 20 
exit
exit

event violation match-all 
10 class always do-all 
10 restrict 
exit
exit

event authentication-failure match-all 
10 class AAA-DOWN do-all 
10 authorize 
20 activate service-template CRITICAL 
30 terminate dot1x 
40 terminate mab
exit
20 class DOT1X-FAILED do-all 
10 authenticate using mab 
exit
exit
exit

interface range g1/0/5-6
switchport host
switchport access vlan 195
switchport voice vlan 14
service-policy type control subscriber DOT1X-DEFAULT
authentication periodic
authentication timer reauthenticate server
mab
access-session host-mode multi-auth
dot1x timeout tx-period 10
access-session port-control auto
exit
&lt;/PRE&gt;</description>
      <pubDate>Fri, 21 Feb 2020 18:41:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/c3pl-event-violation-not-working/m-p/3228956#M547032</guid>
      <dc:creator>quangle1993</dc:creator>
      <dc:date>2020-02-21T18:41:04Z</dc:date>
    </item>
    <item>
      <title>Re: C3PL - Event Violation not working.</title>
      <link>https://community.cisco.com/t5/network-access-control/c3pl-event-violation-not-working/m-p/3228976#M547035</link>
      <description>Hi&lt;BR /&gt;&lt;BR /&gt;I've not done a lot of deployments using C3PL.&lt;BR /&gt;I don't have all your config, but based on your output, there's a missing command: authentication display new-style&lt;BR /&gt;&lt;BR /&gt;Have you run a debug? Can you paste the debug result to see what the switch receives?</description>
      <pubDate>Fri, 08 Dec 2017 01:18:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/c3pl-event-violation-not-working/m-p/3228976#M547035</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2017-12-08T01:18:22Z</dc:date>
    </item>
    <item>
      <title>Re: C3PL - Event Violation not working.</title>
      <link>https://community.cisco.com/t5/network-access-control/c3pl-event-violation-not-working/m-p/3229067#M547037</link>
      <description>&lt;P&gt;Hi&amp;nbsp;Francesco Molino,&lt;/P&gt;
&lt;P&gt;I'm not using &lt;STRONG&gt;authentication display new-style&lt;/STRONG&gt;&amp;nbsp;because I think it is only needed when you have IBNS 1 (CPL) and you want to migrate to IBNS 2 (C3PL). And I'm just using C3PL, so I don't need that. And about logs, I'm using these commands:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;- logging console information&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;- debug aaa authentication&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;- debug aaa authorization&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;- debug aaa accounting&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;But the problem is that it only shows failed authentication logs, not successful authentication logs. Are there any log/debug commands that I missed? And below are all the commands I put into the switch.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 08 Dec 2017 08:08:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/c3pl-event-violation-not-working/m-p/3229067#M547037</guid>
      <dc:creator>quangle1993</dc:creator>
      <dc:date>2017-12-08T08:08:52Z</dc:date>
    </item>
    <item>
      <title>Re: C3PL - Event Violation not working.</title>
      <link>https://community.cisco.com/t5/network-access-control/c3pl-event-violation-not-working/m-p/3229172#M547039</link>
      <description>&lt;P&gt;So we don't have the full output, and we don't see if there were any legacy commands; that's why I asked about authentication display new-style.&lt;BR /&gt;&lt;BR /&gt;Can you change the logging to debugging and add a debug radius to see what's going on with violation mode?&lt;/P&gt;
&lt;P&gt;If you do a&amp;nbsp;&lt;SPAN&gt;show authentication, can you see the violation parameter configured?&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;How are you testing it?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 08 Dec 2017 13:25:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/c3pl-event-violation-not-working/m-p/3229172#M547039</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2017-12-08T13:25:43Z</dc:date>
    </item>
  </channel>
</rss>

