topic Re: dot1x authorization failing in Network Access Control

dot1x authorization failing

lmqtechnology — Thu, 10 Mar 2022 19:04:10 GMT

I have configured dot1x with Cisco ISE and a 3850 switch, however I am unable to get the port to authorize. I check the ISE radius logs and it shows it authenticate successfully, but yet the switch fails to authorize the port..

Any help would be greatly appreciated!

%SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (<mac_removed>) on Interface GigabitEthernet1/0/43 AuditSessionID

interface GigabitEthernet1/0/43
switchport private-vlan mapping 911 5,11,15,22-23,27,34,42,55,65,71,78,80,100
switchport mode private-vlan host
switchport port-security maximum 20
switchport port-security
ip arp inspection trust
authentication host-mode multi-host
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
ip verify source
end

Re: dot1x authorization failing

Rob Ingram — Thu, 10 Mar 2022 19:09:07 GMT

@lmqtechnology dot1x and port-security on the same interface is not supported.

Can you provide the output of "show authentication session interface gigX/X"

Re: dot1x authorization failing

lmqtechnology — Thu, 10 Mar 2022 19:14:51 GMT

Hi Rob,

With regards to port-security I believe that used to be the case, but not any more with "multi-host"

https://community.cisco.com/t5/network-access-control/port-security-and-802-1x-ise/td-p/2532438

output below.

Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/43 <mac_address> dot1x DATA Unauth 0A6434FA000001E1753E5A59

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
12 5 dot1xSup
8 5 dot1x
13 10 webauth
11 15 mab

Re: dot1x authorization failing

MHM Cisco World — Thu, 10 Mar 2022 19:15:11 GMT

can I see
show auth session of this interface

Re: dot1x authorization failing

Rob Ingram — Thu, 10 Mar 2022 19:19:02 GMT

@lmqtechnology can you append "detail" to see the full output.

"show authentication session interface gig1/0/43 detail"

That's an 8 year old post, last recommendation is not to use dot1x and port security on the same interface.

Re: dot1x authorization failing

lmqtechnology — Thu, 10 Mar 2022 19:21:57 GMT

okay, I havent seen that.. can you provide a reference and link?

output below:

Interface: GigabitEthernet1/0/43
IIF-ID: 0x1EAD5FD0
MAC Address: <removed>
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: host/<removed>
Status: Unauthorized
Domain: DATA
Oper host mode: multi-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A6434FA000001E1753E5A59
Acct Session ID: Unknown
Handle: 0x72000040
Current Policy: POLICY_Gi1/0/43

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecured

Server Policies:

Method status list:
Method State
dot1x Authc Success

Re: dot1x authorization failing

lmqtechnology — Thu, 10 Mar 2022 19:22:35 GMT

*posted above

Re: dot1x authorization failing

Rob Ingram — Thu, 10 Mar 2022 19:30:05 GMT

@lmqtechnology

Confirmed by Cisco employee, I've also seen other posts on this forum in the last few years by other Cisco employees who confirm the same.

https://community.cisco.com/t5/network-access-control/ise-switch-setup-with-port-security/td-p/3513432

Can you provide a screenshot of the ISE Live Log for this authenticated session and "show run aaa" from the switch.

Re: dot1x authorization failing

MHM Cisco World — Thu, 10 Mar 2022 19:34:24 GMT

DEFAULT_LINKSEC_POLICY_SHOULD_SECURE <- service template config or not ?

Re: dot1x authorization failing

lmqtechnology — Thu, 10 Mar 2022 19:48:05 GMT

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ group ISE enable
aaa authentication dot1x default group radius
aaa authorization network default group ISE
!
!
radius server ISE-RADIUS
address ipv4 10.10.52.13 auth-port 1812 acct-port 1813
key 7 <removed>
!
tacacs server 10.10.52.13
address ipv4 10.10.52.13
tacacs-server key 7 <removed>
!
!
aaa group server radius ISE-RADIUS
server name ISE-RADIUS
!
aaa group server tacacs+ ISE
!
!
aaa new-model
aaa session-id common
!
!

from ISE

11001
Received RADIUS Access-Request

11017
RADIUS created a new session

15049
Evaluating Policy Group

15008
Evaluating Service Selection Policy

11507
Extracted EAP-Response/Identity

12500
Prepared EAP-Request proposing EAP-TLS with challenge

12625
Valid EAP-Key-Name attribute received

11006
Returned RADIUS Access-Challenge

11001
Received RADIUS Access-Request

11018
RADIUS is re-using an existing session

12301
Extracted EAP-Response/NAK requesting to use PEAP instead

12300
Prepared EAP-Request proposing PEAP with challenge

12625
Valid EAP-Key-Name attribute received

11006
Returned RADIUS Access-Challenge

11001
Received RADIUS Access-Request

11018
RADIUS is re-using an existing session

12302
Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated

12318
Successfully negotiated PEAP version 0

12800
Extracted first TLS record; TLS handshake started

12805
Extracted TLS ClientHello message

12806
Prepared TLS ServerHello message

12807
Prepared TLS Certificate message

12808
Prepared TLS ServerKeyExchange message

12810
Prepared TLS ServerDone message

12811
Extracted TLS Certificate message containing client certificate

12305
Prepared EAP-Request with another PEAP challenge

11006
Returned RADIUS Access-Challenge

11001
Received RADIUS Access-Request

11018
RADIUS is re-using an existing session

12304
Extracted EAP-Response containing PEAP challenge-response

12305
Prepared EAP-Request with another PEAP challenge

11006
Returned RADIUS Access-Challenge

11001
Received RADIUS Access-Request

11018
RADIUS is re-using an existing session

12304
Extracted EAP-Response containing PEAP challenge-response

12305
Prepared EAP-Request with another PEAP challenge

11006
Returned RADIUS Access-Challenge

11001
Received RADIUS Access-Request

11018
RADIUS is re-using an existing session

12304
Extracted EAP-Response containing PEAP challenge-response

12305
Prepared EAP-Request with another PEAP challenge

11006
Returned RADIUS Access-Challenge

11001
Received RADIUS Access-Request

11018
RADIUS is re-using an existing session

12304
Extracted EAP-Response containing PEAP challenge-response

12305
Prepared EAP-Request with another PEAP challenge

11006
Returned RADIUS Access-Challenge

11001
Received RADIUS Access-Request

11018
RADIUS is re-using an existing session

12304
Extracted EAP-Response containing PEAP challenge-response

12318
Successfully negotiated PEAP version 0

12812
Extracted TLS ClientKeyExchange message

12813
Extracted TLS CertificateVerify message

12804
Extracted TLS Finished message

12801
Prepared TLS ChangeCipherSpec message

12802
Prepared TLS Finished message

12816
TLS handshake succeeded

12310
PEAP full handshake finished successfully

12305
Prepared EAP-Request with another PEAP challenge

11006
Returned RADIUS Access-Challenge

11001
Received RADIUS Access-Request

11018
RADIUS is re-using an existing session

12304
Extracted EAP-Response containing PEAP challenge-response

12313
PEAP inner method started

11521
Prepared EAP-Request/Identity for inner EAP method

12305
Prepared EAP-Request with another PEAP challenge

11006
Returned RADIUS Access-Challenge

11001
Received RADIUS Access-Request

11018
RADIUS is re-using an existing session

12304
Extracted EAP-Response containing PEAP challenge-response

11522
Extracted EAP-Response/Identity for inner EAP method

11806
Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge

12305
Prepared EAP-Request with another PEAP challenge

11006
Returned RADIUS Access-Challenge

11001
Received RADIUS Access-Request

11018
RADIUS is re-using an existing session

12304
Extracted EAP-Response containing PEAP challenge-response

11808
Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated

15041
Evaluating Identity Policy

15048
Queried PIP - Normalised Radius.RadiusFlowType

15013
Selected Identity Source - <remove>

24431
Authenticating machine against Active Directory - <remove>

24325
Resolving identity - host/<remove>

24313
Search for matching accounts at join point - <remove>

24319
Single matching account found in forest - <remove>

24323
Identity resolution detected single matching account

24343
RPC Logon request succeeded - <remove>

24470
Machine authentication against Active Directory is successful - <remove>

22037
Authentication Passed

11824
EAP-MSCHAP authentication attempt passed

12305
Prepared EAP-Request with another PEAP challenge

11006
Returned RADIUS Access-Challenge

11001
Received RADIUS Access-Request

11018
RADIUS is re-using an existing session

12304
Extracted EAP-Response containing PEAP challenge-response

11810
Extracted EAP-Response for inner method containing MSCHAP challenge-response

11814
Inner EAP-MSCHAP authentication succeeded

11519
Prepared EAP-Success for inner EAP method

12314
PEAP inner method finished successfully

12305
Prepared EAP-Request with another PEAP challenge

11006
Returned RADIUS Access-Challenge

11001
Received RADIUS Access-Request

11018
RADIUS is re-using an existing session

12304
Extracted EAP-Response containing PEAP challenge-response

15036
Evaluating Authorization Policy

24209
Looking up Endpoint in Internal Endpoints IDStore - host/<remove>

24211
Found Endpoint in Internal Endpoints IDStore

15048
Queried PIP - Radius.NAS-Port-Type

15048
Queried PIP - EndPoints.LogicalProfile

15048
Queried PIP - Network Access.AuthenticationStatus

15016
Selected Authorization Profile - PermitAccess

22081
Max sessions policy passed

22080
New accounting session created in Session cache

12306
PEAP authentication succeeded

11503
Prepared EAP-Success

11002
Returned RADIUS Access-Accept

Re: dot1x authorization failing

Rob Ingram — Thu, 10 Mar 2022 20:01:31 GMT

@lmqtechnology

Refer to the ISE wired guide, ensure you enable accounting, device tracking and anything else you are missing.

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Ensure you remove port-security, I am not sure private VLAN would be supported either.

Re: dot1x authorization failing

MHM Cisco World — Thu, 10 Mar 2022 20:03:37 GMT

Auth is success no issue,
ISE authz network which mean
ISE assign VLAN
or
ISE send ACL
or
ISE send service-template <-here you can either VLAN or ACL

can you confirm which one you config in ISE Authz