topic Re: Use authentication violation shutdown but not shutting down the po in Network Access Control

Use authentication violation shutdown but not shutting down the port

albertofdez — Mon, 25 Apr 2022 15:58:17 GMT

Hi,

I am using MAB on a port together with the authentication violation shutdown command, but when I connect a device with a MAC that does not belong to any group, Cisco ISE denies access, but the port on the switch remains connected.

If I do a show interfaces status on the switch the port should be err-disabled, but it is still connected.

Shouldn't it work the same way as the switchport port-security violation shutdown command and set the port to err-disabled?

Thanks.

Re: Use authentication violation shutdown but not shutting down the po

Arne Bier — Tue, 26 Apr 2022 11:55:47 GMT

I don't have the authoritative answer on this, but a failed authentication is not a violation - and therefore the "violation" logic would not be executed. I would like someone to correct me if I am wrong, but a session violation is an event where the maximum number of allowed MAC addresses has been authorized on a port, thus causing either a notification, or a shutdown.

In my experience of using mult-domain host mode, the port will automatically err-disable if there is more then 2 MAC addresses in the DATA domain (no C3PL or legacy "authentication violation .." logic required).

If anyone has more information on what exactly a session violation is, please share here.

Re: Use authentication violation shutdown but not shutting down the po

michael.burke — Tue, 26 Apr 2022 13:36:26 GMT

Would you post the interface configuration and possibly show auth session interface if possible. Is this deployment in closed mode or maybe low impact open with a pre auth acl?

Re: Use authentication violation shutdown but not shutting down the po

Marcelo Morais — Tue, 26 Apr 2022 19:56:54 GMT

Hi @albertofdez and @Arne Bier

take the following example:

interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast
end

if I connect a TIP and a Notebook on Fa0/1:

#show authentication interface Fa0/1
Client list:
Interface MAC Address Method Domain Status Session ID
Fa0/1 1111.1111.1111 mab DATA Authz Success 000000000000000000000001
Fa0/1 2222.2222.2222 dot1x DATA Authz Success 000000000000000000000002
Available methods list:
Handle Priority Name
3      0        dot1x
2      1        mab
Runnable methods list:
Handle Priority Name
3      0        dot1x
2      1        mab

but now, I will change my configuration to:

interface FastEthernet0/1
 authentication host-mode multi-domain

in other words, one Voice and one Data (only):

#show authentication interface Fa0/1
Security violation caused by 2222.2222.2222: Port is restricted
Client list:
Interface MAC Address Method Domain Status Session ID
Fa0/1 2222.2222.2222 dot1x UNKNOWN Running 000000000000000000000003
Fa0/1 1111.1111.1111 mab DATA Authz Success 000000000000000000000004

if I change again my configuration to:

interface FastEthernet0/1
 authentication violation shutdown

then

#show authentication interface Fa0/1
Security violation caused by 2222.2222.2222: Port is shutdown
Client list: empty
Available methods list:
Handle Priority Name
3      0        dot1x
2      1        mab
Runnable methods list:
Handle Priority Name
3      0        dot1x
2      1        mab

#show interfaces Fa0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
...

Hope this helps !!!

Re: Use authentication violation shutdown but not shutting down the po

Arne Bier — Tue, 26 Apr 2022 20:48:18 GMT

thanks @Marcelo Morais - the explanation was very clear. As mentioned in my earlier response, I have experienced this behaviour in my IBNS 2.0 configs where the violation logic is expressed in C3PL language - but what I found strange is that when I tested multi-domain and caused an intentional violation, I got the err-disable by default, and I did not need to specify any C3PL commands - it seems that the default action in IBNS 2.0 for violation is "shutdown". I will retest one of these days to confirm.

I guess the overall point to @albertofdez is that a violation is not caused when authentication fails. A violation is something that happens when you break the rules about how many MAC addresses are allowed to be authenticated. In multi-domain this is obvious (1 voice, 1 data) - @Marcelo Morais in multi-host, do you know how to configure the switch port to set an arbitrary limit to say, 3 MAC addresses to cause the violation?

Re: Use authentication violation shutdown but not shutting down the po

albertofdez — Wed, 27 Apr 2022 09:11:42 GMT

Thank you very much Arne and Marcelo for your help and information, I was clear about the multi-auth and multi-domain behavior, but I thought that in any case an authentication failure was also considered as a violation and therefore the port would be set to err-disabled.

Do you know if there is any port level command or configuration in Cisco ISE to set the port to shutdown if there is an authentication failure on the port?

Re: Use authentication violation shutdown but not shutting down the po

Marcelo Morais — Wed, 27 Apr 2022 12:30:50 GMT

Hi @albertofdez ,

I dind't recall any Port Level command or configuration on ISE to set the Port Shutdown if there is an Authentication Failure.

At Context Visibility > Endpoints, you are able to choose an Endpoint and select Change Authorization > CoA Session Terminate with Port Shutdown, but this is only possible if you have a Session (Authentication and Authorization Success).

Hope this helps !!!

Re: Use authentication violation shutdown but not shutting down the po

Arne Bier — Wed, 27 Apr 2022 20:18:34 GMT

I agree with @Marcelo Morais - there might be some potential to use an EEM (Embedded Event Manager) script on the switch to trigger a shutdown when it detects the Access-Reject for the port(s) in question. It's been a while since I used EEM, but if you can find a SYSLOG event to trigger on then you might have a solution.

Re: Use authentication violation shutdown but not shutting down the po

Marcelo Morais — Wed, 27 Apr 2022 20:27:39 GMT

Hi @Arne Bier and @albertofdez ,

I tried the multi-host option, after the following change:

interface FastEthernet0/1
 authentication host-mode multi-host

then

#show authentication interface Fa0/1
Client list:
Interface MAC Address Method Domain Status Session ID
Fa0/1 2222.2222.2222 dot1x DATA Authz Success 000000000000000000000005
Available methods list:
Handle Priority Name
3      0        dot1x
2      1        mab
Runnable methods list:
Handle Priority Name
3      0        dot1x
2      1        mab

#show ip device tracking interface Fa0/1
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 10
-----------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
-----------------------------------------------------------------------
10.10.10.1 1111.1111.1111 10 FastEthernet0/5 ACTIVE
10.10.10.2 2222.2222.2222 10 FastEthernet0/5 ACTIVE

Total number interfaces enabled: 10
Enabled interfaces:
Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/9, Fa0/10, Fa0/11

#show mac address-table | inc Fa0/1
10 1111.1111.1111 DYNAMIC Fa0/1
10 2222.2222.2222 STATIC Fa0/1

in other words, since I am only able to check one MAC on the Authentication command (even though the Device Tracking and MAC Address-Table command have two MACs), I am not able to generate an err-disable/violation.

Note: for "desperate times" : ) ... use:

interface FastEthernet0/1
 switchport port-security
 switchport port-security maximum 1

Apr 27 14:48:03: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state

Regards

Re: Use authentication violation shutdown but not shutting down the po

Arne Bier — Wed, 27 Apr 2022 20:38:43 GMT

thanks for checking this out - I thought perhaps the command

switchport port-security maximum 1

could be added to the NAC enabled multi-host port? We always say that the traditional switch port security and NAC are mutually exclusive - but in this case perhaps you need that command to trigger the violation while the port is in NAC mode. I have not seen any IBNS commands to set these limits.

Re: Use authentication violation shutdown but not shutting down the po

albertofdez — Thu, 28 Apr 2022 12:37:05 GMT

Thank you very much for your help.

I have tried the option CoA Session Terminate with Port Shutdown and it works perfectly, but as you say it only works if the endpoint has a Session (Authentication and Authorization Success).

I have thought about creating an authorization profile and put it in the last line, with this options

I have about 15 rules and in this way if a new endpoint does not match any condition already created, it allows access and then disabled the port.

Could it work?

Re: Use authentication violation shutdown but not shutting down the po

Marcelo Morais — Thu, 28 Apr 2022 18:25:17 GMT

Hi @albertofdez ,

although the Attribute Detail has a disable-host-port command, the Session did not exist on that particular time, it probably will not work !!!

It's possible to use ANC and API for that (take a look at Setup Adaptive Network Control, special attention to Figure 2. ANC Shutdown Flow)

Hope this helps !!!