topic Can't Connect to Endpoint when user logs off in Network Access Control

Can't Connect to Endpoint when user logs off

jmartin@mooresvillenc.gov — Tue, 24 Mar 2020 16:21:24 GMT

We are in the process of deploying ISE 2.6 Patch 3 and are using Cisco AnyConnect Network Access Manager for EAP Chaining. We have ran into a a situation where whenever no user is logged into the machine it becomes unreachable (no ping, VNC, etc.). I have attached screenshots of our NAM configuration from the AnyConnect Profile Editor. Are there additional settings in ISE that could be causing this behavior? We currently have a rule in our Policy in ISE that is Temp Roll Out rule that basically allows anything that is profiled as a Workstation, etc. to connect. I have a TAC case open as well but they aren't being very responsive.

Re: Can't Connect to Endpoint when user logs off

Mike.Cifelli — Tue, 24 Mar 2020 16:40:29 GMT

Can you please share screenshots or further describe how you have your test authz policies configured? There is a condition you should be utilizing that would allow access based on the eap-chaining result. It sounds like the issue you are facing is that hosts are dropping off the network when eap-chaining is user fail and machine pass. The authz condition is this: Network Access: EAPChainingResult EQUALS: User failed and machine succeeded. In your test case you would want to maybe push this type of result into a restricted area.

Re: Can't Connect to Endpoint when user logs off

jmartin@mooresvillenc.gov — Tue, 24 Mar 2020 16:58:40 GMT

I've attached screenshots of our Authz Policy

Re: Can't Connect to Endpoint when user logs off

Cristian Matei — Tue, 24 Mar 2020 17:07:15 GMT

Hi,

The required three authorisation policies seem to be in place. Ensure that the configuration is correct though, following this guide. When only the machine is authenticated, what is the status on ISE (what is the currently pushed policy) and on the switch "show authentication session" for the interface.

Regards,

Cristian Matei.

Re: Can't Connect to Endpoint when user logs off

Mike.Cifelli — Tue, 24 Mar 2020 17:22:23 GMT

Authz policy is configured as expected (right). Can you share what is configured in this authz profile (Computer Wired Access)? It looks like you have a few hundred hits on that authz policy. As @Cristian Matei mentioned see what the switch is showing for auth detail.

Re: Can't Connect to Endpoint when user logs off

jmartin@mooresvillenc.gov — Tue, 24 Mar 2020 17:27:08 GMT

I can't seem to find the Computer Wired Access auth profile to be able to check the configuration. I'll be glad to provide some screenshots but I seem to only be able to find it listed in the Policy Set

Re: Can't Connect to Endpoint when user logs off

Mike.Cifelli — Tue, 24 Mar 2020 17:36:57 GMT

Policy->Policy Elements->Results->Authorization->Authz Profiles

Re: Can't Connect to Endpoint when user logs off

jmartin@mooresvillenc.gov — Tue, 24 Mar 2020 17:44:23 GMT

Re: Can't Connect to Endpoint when user logs off

jmartin@mooresvillenc.gov — Tue, 24 Mar 2020 17:45:50 GMT

This is what the switch port shows: sh auth sessions | i Gi3/11
Gi3/11 d89e.f39e.7d5e dot1x DATA Auth 0A800A050000387C2389F8B4

Re: Can't Connect to Endpoint when user logs off

Mike.Cifelli — Tue, 24 Mar 2020 17:50:41 GMT

What vlan is being pushed? Is this vlan in the switch vlan.db? Show from switch: #Show auth session interface XXX detail

Re: Can't Connect to Endpoint when user logs off

jmartin@mooresvillenc.gov — Tue, 24 Mar 2020 17:52:41 GMT

Re: Can't Connect to Endpoint when user logs off

Mike.Cifelli — Tue, 24 Mar 2020 17:56:48 GMT

Could be a dacl issue. I would verify your dacl contains (allows) your test host where you are pinging from. Dacl in ISE can be found here: Policy->Policy Elements->Results->Authorization->Downloadable ACLs
Can you share that interface config as well please

Re: Can't Connect to Endpoint when user logs off

jmartin@mooresvillenc.gov — Tue, 24 Mar 2020 17:58:32 GMT

switchport access vlan 11
switchport mode access
switchport voice vlan 64
switchport port-security maximum 5
authentication event server dead action authorize vlan 254
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity 60
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
auto qos voip cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone
spanning-tree portfast edge
spanning-tree bpduguard enable
service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping trust
end

Re: Can't Connect to Endpoint when user logs off

jmartin@mooresvillenc.gov — Tue, 24 Mar 2020 18:02:11 GMT

I don't think that I have a DACL assigned to that Authz Profile. My DACL config is:

permit udp any eq 68 any eq 67
permit udp any any eq 53
permit ip any host <DNS SERVER IP>
permit ip any host <DC IP>
deny ip any any

Re: Can't Connect to Endpoint when user logs off

Mike.Cifelli — Tue, 24 Mar 2020 18:11:25 GMT

Your sh auth detail output (server policies) tells me ISE authz profile is pushing dacl. Does sh ip access-list int XX return anything? Try adding your test host iip n that dacl, then force reauth, then try to ping.
I would take a peek at an admin guide: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3650/sec-user-8021x-xe-3se-3650-book/sec-ieee-open-auth.html#GUID-65E5A890-B7C0-43AC-976D-D76BF6135085
Also, for future reference I recommend starting with less configs, get it working, then slowly add things back. May help with identifying root cause. Check out labminutes.com/sec as well for free config tutorials. HTH!

Re: Can't Connect to Endpoint when user logs off

jmartin@mooresvillenc.gov — Tue, 24 Mar 2020 18:26:22 GMT

Thank you so much! The issue was the DACL which I didn't event think that I had applied anywhere but clearly I had somehow managed to do just that. I really appreciate it and I have made adjustments to the DACL and now I am able to connect to the machine as expected when no user is logged in.