topic Re: 'authentication control-direction in' in authentication CLOSED mode in Network Access Control

'authentication control-direction in' in authentication CLOSED mode

Josh Morris — Mon, 11 Mar 2019 05:38:40 GMT

Switch: 4510R+E, running a DEV version based off 3.6.0

ISE: 1.2.0.899 patch 7

Hi, I have been working on a weird issue where some of my clients would randomly drop their IP address and the only way I could get it back was to move their port to authentication open mode. I need to run in closed mode because I change VLANs via MAB.

I have been working with TAC, and they suggested I add the command 'authentication control-direction in' to my switchport config (below). With the couple tests Ive done, this seems to help. But I would like to understand why. Doesn't the control-direction command somewhat nullify the premise of running in closed mode? I.E. It allows some communication before the device is authorized. Thanks.

interface GigabitEthernet2/18
switchport access vlan 34
switchport mode access
switchport voice vlan 66
logging event link-status
authentication event fail action next-method
authentication event server dead action authorize vlan 34
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
service-policy input QoS-Input-Policy
service-policy output QoS-Host-Port-Output-Policy
end

Add this line to the DACL. it

Dave Saunders — Wed, 15 Apr 2015 16:35:44 GMT

Add this line to the DACL. it will resolve it.

permit udp any eq bootpc any eq bootps

Thanks Dave. I'm assuming you

Josh Morris — Thu, 16 Apr 2015 12:18:33 GMT

Thanks Dave. I'm assuming you mean add this line to the Auth-Default-ACL that gets applied prior to authorization. IN the 4510, it already allows that traffic. Here is the default ACL...

Extended IP access list Auth-Default-ACL
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any

I also needed to use this

phosawyer — Thu, 16 Apr 2015 14:23:09 GMT

I also needed to use this command to keep devices authenticated. It was happening with a CCTV system that was an embedded Linux OS. It was on MAB and because it wasn't transmitting any traffic (unlike a noisy windows box) then the switch wouldn't be able to reauth it as it had no mac address to be able to auth, so would show up with an 'unknown' in the MAC field.

Basically it allows traffic to flow out of the port. This enabled the device to be able to receive HTTP traffic and made it respond and then the switch could auth it again once the device sent a frame.

when you do a show authentication sessions you will notice a Oper control dir: both will change to Oper control dir: in

Re: 'authentication control-direction in' in authentication CLOSED mode

yenaungoo — Tue, 03 Oct 2017 12:14:39 GMT

Hi I also have similar issue with MAB (authentication closed mode) for one legacy printer model (just sometimes).

- ISE 1.2, Cisco Switches (C3560, 2960X with IOS 12.2(55)SE7)

Can it be ISE / IOS bug issue, if so, can help to share the Bug ID?

Please also suggest how to verify the default rule "Auth-Default-ACL".

Thanks,

Re: 'authentication control-direction in' in authentication CLOSED mode

Romzy — Tue, 16 Jun 2020 22:12:56 GMT

Neither ISE or Switch are the root cause of the issue. This is the behavior of some hosts (Printers, Cameras, PCs, ...) that will go into sleeping mode and they need a WoL magic packet from the switch to wake up, so authentication control-direction in can help in such scenarios.