topic Re: IBNS2.0 concurrent dot1x & mab authentication in Network Access Control

IBNS2.0 concurrent dot1x & mab authentication

Andrii Oliinyk — Wed, 20 May 2020 17:30:12 GMT

Hi Gentlemen

there r a lot of statements like ISE doesnt support SUBJ w/o clear explanation of the reason.

could somebody here enlighten on this?

tnx in advance

Re: IBNS2.0 concurrent dot1x & mab authentication

paul — Wed, 20 May 2020 22:20:26 GMT

Read the back and forth here:

https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/td-p/3749539

We do simultaneous MAB and Dot1x in all our IBNS 2.0 installs and have 10s of thousands of switches running it without an issue and millions of authentications. The only defense the BU has given for not officially supporting it is if the two authentications happen too close together ISE may get confused and not process them correctly.

The original IBNS 2.0 documentation listed this as a main feature and even the Cisco Live presentations show this feature as a major benefit:

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/LTRSEC-2017-LG.pdf

(search for concurrent authentication)

We tell our customers that on the community forums Cisco says they don't officially support it, but we lay out our extensive track record of installs using without an issue as the reason we still recommend it. Granted our template is slightly different than the stock IBNS 2.0 template, but it is pretty close except for running MAB/Dot1x at the same time.

The only down side we have seen with running simultaneous is you are adding extra authentications to the ISE environment. Every 802.1x device will have a MAB authentication in the logs as well.

Re: IBNS2.0 concurrent dot1x & mab authentication

Andrii Oliinyk — Thu, 21 May 2020 12:07:55 GMT

Hi Paul
i'm not sure why concurrent adds extra authC/Z to ISE, because with those sequential the total number remains roughly the same but just dispersed in time (because both MAB & DOT1X are presented on intf & DOT1X usually configured to be attempted 1st often w/o quick answer preventing from MAB to be tried).
Here is another Q "why ISE has to be confused by 2 simultaneous DOT1X & MAB from the e/p?". ISE does quite predicted work in background which being drilled down shouldnt expose something preventing from the 2 sessions to be treated independently, isnt it? I would suggest that concurrent DOT1X & MAB from e/p could confuse ISE with some practical reason (like having 2 different -MAB&DOT1X - authenC/Zs to be assigned the same session ID for whatever reasons, f.e.).
But seems like actual reason will remain undiscovered for community :0)

Re: IBNS2.0 concurrent dot1x & mab authentication

paul — Thu, 21 May 2020 12:22:23 GMT

If you are running true concurrent MAB and Dot1x you will have a MAB transaction in ISE for every Dot1x guaranteed. Remember what triggers a session start is the switch learning a MAC address into its table. As soon as it learns the MAC address it fires off a MAB request to ISE and at the same time sends out an EAPol start to the device. ISE will process the MAB request. If the system responds to the EAPol start the switch side will terminate MAB, but ISE has already processed the MAB request. If you watch the ISE logs you will see a MAB entry in the log followed by a Dot1x entry a few 100ms later typically. This assumes the machine is online when it is plugged in. If the machine is booting up the MAB And Dot1x entries will be spaced a little farther apart.

Re: IBNS2.0 concurrent dot1x & mab authentication

Andrii Oliinyk — Thu, 21 May 2020 15:14:04 GMT

i've noticed the CPM/Audit session ID is the same for MAB & DOT1X for e/p. In my case they r separated with ~10 sec.
by the way could u pls advice on event <name> match-first keyword?
manual states:
"match-first (Optional) Evaluates only the first control class."
but having event with many classes defined it wouldn't make any sense.
should we read it "evaluates classes in sequence until 1st matches" instead?

also about event agent-not-found ("The agent for the authentication method was not detected"):
does it trigger with regard to MAB when port comes UP but no MAC is visible for whatever reason?
also does agent-found ("Agent for authentication method is successfully detected") triggers similarly when MAC is learned on port?

Re: IBNS2.0 concurrent dot1x & mab authentication

paul — Thu, 21 May 2020 15:19:37 GMT

Agent found/not found is 802.1x supplicant detection.

If you are doing true concurrent MAB/802.1x your session start would look like this:

event session-started match-all
10 class always do-all
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20

This will result in MAB records in ISE for each 802.1x record.

Re: IBNS2.0 concurrent dot1x & mab authentication

Andrii Oliinyk — Thu, 21 May 2020 17:08:19 GMT

tnx Paul,
it's well known clause from IBNS20 DG. Could u pls help with below? it's really totally undiscoverable from CCO. May be u have better knowledge because of your deep experience?
by the way could u pls advice on event <name> match-first keyword?
manual states:
"match-first (Optional) Evaluates only the first control class."
but having event with many classes defined it wouldn't make any sense.
should we read it "evaluates classes in sequence until 1st matches" instead?

also about event agent-not-found ("The agent for the authentication method was not detected"):
does it trigger with regard to MAB when port comes UP but no MAC is visible for whatever reason?
also does agent-found ("Agent for authentication method is successfully detected") triggers similarly when MAC is learned on port?