topic Re: ISE v2.3 Location base MAB Authentication in Network Access Control

ISE v2.3 Location base MAB Authentication

Jason Weids — Fri, 21 Feb 2020 18:55:58 GMT

Hi,

We are having difficulty setting a policy to authenticate known devices based on location & MAC address in ISE v2.3.

I have created a network device group called "test" which I have my test 3650 switch in & an endpoint identity group called computing which has a few MAC addresses added for testing.

My policy set condition is set to use device location "test group" & radius flow type = WiredMAB with the default authentication policy set to use internal endpoints.

Here is my interface config;

interface GigabitEthernet1/0/2
switchport access vlan 400
switchport mode access
switchport voice vlan 108
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 2
spanning-tree portfast
end

Below is the AAA config;

aaa new-model
!
!
aaa group server radius ISE-RADIUS
server name NPLNX-ISE1
deadtime 15
!
aaa group server tacacs+ ISE-SERVERS
server name NPLNX-ISE1
!
aaa authentication login CON group ISE-SERVERS local
aaa authentication login VTY group ISE-SERVERS local
aaa authentication enable default group ISE-SERVERS enable
aaa authentication dot1x default group ISE-RADIUS
aaa authorization console
aaa authorization config-commands
aaa authorization exec CON none
aaa authorization exec VTY group ISE-SERVERS local if-authenticated
aaa authorization commands 1 VTY group ISE-SERVERS local if-authenticated
aaa authorization commands 15 VTY group ISE-SERVERS local if-authenticated
aaa authorization network default group ISE-RADIUS
aaa authorization network auth-list group ISE-RADIUS
aaa accounting update periodic 10
aaa accounting dot1x default start-stop group ISE-RADIUS
aaa accounting exec default start-stop group ISE-SERVERS
aaa accounting commands 1 default start-stop group ISE-SERVERS
aaa accounting commands 15 default start-stop group ISE-SERVERS
aaa accounting system default start-stop group ISE-RADIUS
!

Authentication is not matching the policy or authorising the devices.

NPSYG01-A-3#sh authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2 7486.7a2c.5342 N/A UNKNOWN Unauth 00000000000000725E807E2B

Session count = 1

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

NPSYG01-A-3#

Any help appreciated.

Re: ISE v2.3 Location base MAB Authentication

Rob Ingram — Mon, 14 May 2018 12:38:47 GMT

Hi,
Can you provide a screenshot of the ISE logs when authentication/authorization fails please?

Re: ISE v2.3 Location base MAB Authentication

Jason Weids — Mon, 14 May 2018 12:44:05 GMT

Hi,

We are not getting any authentication fail logs in ISE, I am not sure if the switch & interface config is set right but there is no data in the logs.

thanks

Re: ISE v2.3 Location base MAB Authentication

Rob Ingram — Mon, 14 May 2018 12:48:43 GMT

Ok, can you screenshot a successful authentication/authorization just so I can have a look and see what it does match please?

With an endpoint authenticated can you upload the output of "show authentication sessions interface gig 1/0/2" < or whatever interface you are using.

Can you screenshot the authorization policy, only saw the authentication policy section previously.

ta

Re: ISE v2.3 Location base MAB Authentication

Jason Weids — Mon, 14 May 2018 12:52:41 GMT

Hi, we have no successful authentication/authorisations in the logs at all accept for TACACS. There is nothing in the RADIUS logs.

Session count = 1

Re: ISE v2.3 Location base MAB Authentication

Jason Weids — Mon, 14 May 2018 12:58:11 GMT

I should add we have no working policies yet as we are working in a test environment & have not deployed across campus yet.

Re: ISE v2.3 Location base MAB Authentication

Rob Ingram — Mon, 14 May 2018 13:02:00 GMT

Ok, so you've not yet got any authentications working?

Can you show the output for "show aaa servers"?
Is dot1x enabled globally "dot1x system-auth-control"
Have you defined in ISE the NAD (the switch ip address) with the RADIUS shared secret?

Re: ISE v2.3 Location base MAB Authentication

Jason Weids — Mon, 14 May 2018 13:11:11 GMT

I'm getting no output from the show aaa servers.

dot1x system-auth-control is configured globally. The RADIUS shared secret is defined in the network device in ISE.

Re: ISE v2.3 Location base MAB Authentication

Rob Ingram — Mon, 14 May 2018 13:13:39 GMT

In that case what is the configuration of NPLNX-ISE1?

Re: ISE v2.3 Location base MAB Authentication

Jason Weids — Mon, 14 May 2018 14:12:22 GMT

Thanks for that. I was missing the radius global config. It is now authenticating, matching the policy set & reassigning the VLAN based on the authorisation profile.