topic Re: NAC open authentication query in Network Access Control

NAC open authentication query

craiglebutt — Thu, 20 Aug 2020 08:55:06 GMT

Started to looking at NAC again.

I've dropped the config on to a switch which used in my lab.

This has a Openspace IP Phone plugged in to it.

I drop the config on to the port with open authentication, I can see the log that the phone connects to voice vlan and this is confirmed on the ISE log.

If this is in open auth it should connect the same as it did in switchport as before the config dropped on . the ISE Auth Policy is set to permit all while I configure a policy for it ?

But the phone gets an IP, but doesn't talk to the servers.

Unfortunately working from a distance on this, have to rely on good will of someone onsite to keep checking.

any help much appreicated

Re: NAC open authentication query

thomas — Thu, 20 Aug 2020 13:48:05 GMT

Review the section Monitoring Authentications with Open Access in the ISE Secure Wired Access Prescriptive Deployment Guide including Monitoring Authentication Sessions to see what ISE is authorizing.

Then confirm the authorized state on the switch with

show authentication session interface Gig x/y/z details

This should not be an issue in this scenario but our best practice timer values are very different than yours.

 dot1x timeout tx-period 7
 dot1x max-reauth-req 3

Re: NAC open authentication query

Colby LeMaire — Thu, 20 Aug 2020 13:54:10 GMT

At a quick glance, your configuration looks fine. With "authentication open", the only thing that could possibly be restricting traffic flow is if there is a default/pre-auth ACL configured on the port or if ISE is pushing down a dACL that restricts traffic. Sometimes ISE will show a good authentication but the switch is not able to apply the policy and will keep the port as not authorized. This can happen if you are pushing a VLAN assignment but the VLAN doesn't exist on the switch. Or if your dACL has errors in it that the switch doesn't like. So to be sure, you need to do a "show auth sessions int gx/y detail" and verify the output. Should show "Authorized" and if any dACL's are applied. If you are using a dACL (even a permit all), then IP Device Tracking will need to know the client's IP address. So verify that the IP address shows up in the show output as well. And for true monitor mode, don't use a default/pre-auth ACL unless it is a permit ip any any.

Re: NAC open authentication query

craiglebutt — Fri, 21 Aug 2020 15:00:22 GMT

thanks you for your reply's, very useful

cheers