topic Access-session host-mode multi-domain enforcement issues in Network Access Control

Access-session host-mode multi-domain enforcement issues

Kevin Marcan — Fri, 01 Mar 2024 21:09:11 GMT

Hi Everyone,

Wanted to see if anyone has observed this design issue I have been noticing. (Across multiple code trains).
Most of my testing at this point has been done on 9200 Compact, but issues seems to be persistent on different hardware.

Goal: Restrict port to One Workstation, One Phone, using host-mode multi-domain.
Important to note the Interface is operating in open mode from an ISE authentication perspective

Issue: Enforcement behavior differences between "restrict" and "protect"
Restrict mode does not seem to properly enforce the expected behavior with Access-session host-mode multi-domain

1) Protect works as expected, and is properly enforcing the port to One Workstation, One Phone
protect - silently drop violating packets
2) Restrict mode seems to be operating in a very buggy pattern, and not enforcing (sort of)
restrict - drop violating packets and generate a syslog

To my understanding, both options should do enforcement, restrict mode also providing syslogging on the failure.

Details on findings:
On the surface, both modes seem to be doing the same thing. Here are the similarities (what's working)

1) Both modes restrict allowed authentications to 2 devices.

show access-session interface gigabitEthernet 1/0/8
Security violation caused by 1111.2222.3333: Violation action is (restrict or protect)
Interface                MAC Address    Method Domain Status Fg Session ID
Gi1/0/8                  1111.1111.1111 dot1x   VOICE   Auth        XXXXXXXXX
Gi1/0/8 2222.2222.2222 mab     DATA    Auth        XXXXXXXXX

2) Both modes limit the mac address table to 2 devices
show mac address-table | include 1/0/8
10 1111.1111.1111 STATIC Gi1/0/8
13 2222.2222.2222 STATIC Gi1/0/8

Here is what's not working / buggy? (Restrict mode only)

1) Device-Tracking Database is learning about additional devices

show device-tracking database | inc 1/0/8

ARP 10.10.13.1 2222.2222.2222 Gi1/0/8    13         0005       1s         REACHABLE
DH4 10.10.10.1 1111.1111.1111       Gi1/0/8    10         0024       41s        REACHABLE
DH4 10.10.13.2 1111.2222.3333 Gi1/0/8    13         0024       3s         REACHABLE

Now this is where things get weird
- Running restrict mode, only 2 devices are authenticated
- Only 2 MACs are learned in the MAC address table (matching the authenticated devices
- All 3 devices are still pingable / reachable

What this looks like to me, is while restrict mode is preventing additional devices from showing up in the MAC address table, it is NOT actually dropping traffic as described. Protect mode does not have the same issue.

Any thoughts on this fun one? !

Re: Access-session host-mode multi-domain enforcement issues

Ruben Cocheno — Fri, 01 Mar 2024 22:58:47 GMT

@Kevin Marcan

yeah 😞

Re: Access-session host-mode multi-domain enforcement issues

Arne Bier — Sun, 03 Mar 2024 20:50:05 GMT

@Kevin Marcan - that's interesting - I have not noticed this myself because I tend to shy away from multi-domain (mostly due to misbehaving desktop phones (avaya) that can have buggy FW from time to time - they don't land in the VOICE domain ... and then err-disable the port when PC and phone exceed the allowed MAC in DATA domain). This is in Low-Impact Mode BTW.

You mentioned open mode. Isn't it expected that there is no enforcement in open mode? I hadn't thought about what that means in terms of this MAC address limit though. I could be wrong.

Is it worth sharing your "show derived-interface XXX" so we can see what is configured ?

Re: Access-session host-mode multi-domain enforcement issues

Kevin Marcan — Mon, 04 Mar 2024 05:42:55 GMT

Pretty standard config. Some background is I am essentially looking to replicate what has been previously in place with port-security.
- Enforce a maximum mac address limit (Port Security)
- Open mode from a ISE Auth perspective.

Closed mode does technically make restrict work, but at this stage I am hoping to avoid closed mode.
What I do find interesting is the behavior difference between restrict and protect, that is the part I am really getting hung up on.

interface GigabitEthernet1/0/8
description WiredISE Normal Port
switchport access vlan 13
switchport mode access
switchport voice vlan 10
authentication periodic
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-MAB
ip dhcp snooping limit rate 100