topic Re: ISE Configuration 802.1x in Network Security

ISE Configuration 802.1x

johnmcgrath29 — Tue, 07 Feb 2023 11:28:56 GMT

I have configured the interfaces on a switch with a failed authorize for it to go into a blackhole vlan 999

see config below however it's still connecting to our domain even though the machine only has a local account setup I am wondering if there is something I have missed on the ISE configuration? There is an AD Policy on the ISE

interface GigabitEthernet1/0/33
description test port
switchport access vlan 200
switchport mode access
authentication event fail action authorize vlan 999
authentication event server dead action authorize vlan 999
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
end

Re: ISE Configuration 802.1x

Rob Ingram — Tue, 07 Feb 2023 12:33:16 GMT

@johnmcgrath29

Do you see anything in the live logs for that session?

Does it affect all devices connected to that switch?

If you run the command "show authentication session interface gi1/0/33" (you may need to append "details" to the end of that command, depending on IOS version). Does the output confirm Autorised By "Critical Auth" and Critical Authorization is in effect? If so then the switch is unable to authenticate to the RADIUS server, check switch is defined as a NAD on ISE, check the shared secrets on the switch and ISE are identical, also ensure there is communication between the switch and ISE.

If that isn't the case or doesn't resolve the issue, can you provide the output of "show authentication session interface gi1/0/33" and "show aaa servers" please.

Re: ISE Configuration 802.1x

johnmcgrath29 — Tue, 07 Feb 2023 12:55:56 GMT

1078030: Feb 7 12:18:21.136: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/43, changed state to up
1078031: Feb 7 12:18:22.798: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/33, changed state to up
1078032: Feb 7 12:18:23.800: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/33, changed state to up

However I do get logs like those below where it looks like it's doing what it's meant too so I am a bit confused

077825: Feb 7 11:41:19.734: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
1077826: Feb 7 11:41:19.734: dot1x-packet: length: 0x002E
1077827: Feb 7 11:41:19.734: dot1x-sm:[cc48.3ac5.f8ab, Gi2/0/34] Posting EAPOL_EAP for 0x5F000D7A
1077828: Feb 7 11:41:19.734: dot1x_auth_bend Gi2/0/34: during state auth_bend_request, got event 6(eapolEap)
1077829: Feb 7 11:41:19.739: @@@ dot1x_auth_bend Gi2/0/34: auth_bend_request -> auth_bend_response
1077830: Feb 7 11:41:19.739: dot1x-sm:[cc48.3ac5.f8ab, Gi2/0/34] 0x5F000D7A:entering response state
1077831: Feb 7 11:41:19.739: dot1x-ev:[cc48.3ac5.f8ab, Gi2/0/34] Response sent to the server from 0x5F000D7A
1077832: Feb 7 11:41:19.739: dot1x-sm:[cc48.3ac5.f8ab, Gi2/0/34] 0x5F000D7A:request response action
1077833: Feb 7 11:41:19.755: dot1x-packet:[cc48.3ac5.f8ab, Gi2/0/34] Received an EAP Success
1077834: Feb 7 11:41:19.755: dot1x-sm:[cc48.3ac5.f8ab, Gi2/0/34] Posting EAP_SUCCESS for 0x5F000D7A
1077835: Feb 7 11:41:19.755: dot1x_auth_bend Gi2/0/34: during state auth_bend_response, got event 11(eapSuccess)
1077836: Feb 7 11:41:19.755: @@@ dot1x_auth_bend Gi2/0/34: auth_bend_response -> auth_bend_success
1077837: Feb 7 11:41:19.755: dot1x-sm:[cc48.3ac5.f8ab, Gi2/0/34] 0x5F000D7A:exiting response state
1077838: Feb 7 11:41:19.755: dot1x-sm:[cc48.3ac5.f8ab, Gi2/0/34] 0x5F000D7A:entering success state
1077839: Feb 7 11:41:19.755: dot1x-sm:[cc48.3ac5.f8ab, Gi2/0/34] 0x5F000D7A:response success action
1077840: Feb 7 11:41:19.755: dot1x_auth_bend Gi2/0/34: idle during state auth_bend_success
1077841: Feb 7 11:41:19.755: @@@ dot1x_auth_bend Gi2/0/34: auth_bend_success -> auth_bend_idle
1077842: Feb 7 11:41:19.755: dot1x-sm:[cc48.3ac5.f8ab, Gi2/0/34] 0x5F000D7A:entering idle state
1077843: Feb 7 11:41:19.755: dot1x-sm:[cc48.3ac5.f8ab, Gi2/0/34] Posting AUTH_SUCCESS on Client 0x5F000D7A
1077844: Feb 7 11:41:19.755: dot1x_auth Gi2/0/34: during state auth_authenticating, got event 12(authSuccess_portValid)
1077845: Feb 7 11:41:19.755: @@@ dot1x_auth Gi2/0/34: auth_authenticating -> auth_authc_result
1077846: Feb 7 11:41:19.755: dot1x-sm:[cc48.3ac5.f8ab, Gi2/0/34] 0x5F000D7A:exiting authenticating state
1077847: Feb 7 11:41:19.755: dot1x-sm:[cc48.3ac5.f8ab, Gi2/0/34] 0x5F000D7A:entering authc result state
1077848: Feb 7 11:41:19.760: dot1x-packet:[cc48.3ac5.f8ab, Gi2/0/34] EAP Key data detected adding to attribute list
1077849: Feb 7 11:41:20.714: dot1x-ev:[cc48.3ac5.f8ab, Gi2/0/34] Received Authz Success for the client 0x5F000D7A (cc48.3ac5.f8ab)
1077850: Feb 7 11:41:20.714: dot1x-redundancy:[cc48.3ac5.f8ab, Gi2/0/34] State for client successfully retrieved
1077851: Feb 7 11:41:20.720: dot1x-sm:[cc48.3ac5.f8ab, Gi2/0/34] Posting AUTHZ_SUCCESS on Client 0x5F000D7A
1077852: Feb 7 11:41:20.720: dot1x_auth Gi2/0/34: during state auth_authc_result, got event 23(authzSuccess)
1077853: Feb 7 11:41:20.720: @@@ dot1x_auth Gi2/0/34: auth_authc_result -> auth_authenticated
1077854: Feb 7 11:41:20.720: dot1x-sm:[cc48.3ac5.f8ab, Gi2/0/34] 0x5F000D7A:entering authenticated state
1077855: Feb 7 11:41:20.720: dot1x-ev:[cc48.3ac5.f8ab, Gi2/0/34] Sending EAPOL packet
1077856: Feb 7 11:41:20.720: dot1x-registry:registry:dot1x_ether_macaddr called
1077857: Feb 7 11:41:20.720: dot1x-ev:[cc48.3ac5.f8ab, Gi2/0/34] Sending out EAPOL packet
1077858: Feb 7 11:41:20.720: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
1077859: Feb 7 11:41:20.720: dot1x-packet: length: 0x0004

Re: ISE Configuration 802.1x

johnmcgrath29 — Tue, 07 Feb 2023 12:58:24 GMT

Modular_1#show authentication session interface gi1/0/33
No sessions match supplied criteria.

Runnable methods list:
Handle Priority Name
10 5 dot1x
17 10 mab
15 15 webauth

Re: ISE Configuration 802.1x

johnmcgrath29 — Tue, 07 Feb 2023 12:59:31 GMT

Modular_1#show aaa servers

RADIUS: id 1, priority 1, host 149.155.251.60, auth-port 1645, acct-port 1646
State: current UP, duration 4294967s, previous duration 0s
Dead: total time 0s, count 4
Quarantined: No
Authen: request 39271, timeouts 2, failover 0, retransmission 2
Response: accept 2560, reject 0, challenge 36709
Response: unexpected 0, server error 0, incorrect 0, time 10ms
Transaction: success 39269, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 8490, timeouts 13, failover 0, retransmission 10
Request: start 2426, interim 0, stop 2417
Response: start 2426, interim 0, stop 2415
Response: unexpected 0, server error 0, incorrect 0, time 32ms
Transaction: success 8477, failure 3
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 43w19h9m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 6 hours, 22 minutes ago: 20
low - 3 hours, 1 minutes ago: 0
average: 0

RADIUS: id 2, priority 2, host 149.155.251.61, auth-port 1645, acct-port 1646
State: current UP, duration 4294967s, previous duration 0s
Dead: total time 0s, count 4
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 12, timeouts 12, failover 3, retransmission 9
Request: start 0, interim 0, stop 2
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 3
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 43w19h9m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 3 hours, 1 minutes ago: 0
low - 3 hours, 1 minutes ago: 0
average: 0

RADIUS: id 3, priority 3, host UNKNOWN, auth-port 1645, acct-port 1646
State: current UP, duration 4294967s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 43w19h9m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 3 hours, 1 minutes ago: 0
low - 3 hours, 1 minutes ago: 0
average: 0

Re: ISE Configuration 802.1x

Rob Ingram — Tue, 07 Feb 2023 13:09:47 GMT

@johnmcgrath29 so do some devices on the same switch authenticate succesfully? Provide the output of "show auth session" from the switch.

Configure "authentication port-control auto" under the interface, this initiates authentication when the link state changes to the up state.

Re: ISE Configuration 802.1x

johnmcgrath29 — Tue, 07 Feb 2023 13:45:56 GMT

Modular_1#show auth session

Interface MAC Address Method Domain Status Fg Session ID
Gi2/0/36 7478.27a3.ea82 dot1x DATA Auth AC14FF2800001B8F0BB7B102
Gi2/0/29 7478.27df.a1d1 dot1x DATA Auth AC14FF2800001BB911455D6E
Gi2/0/15 7478.27ab.64ff dot1x DATA Auth AC14FF2800001BB71141C605
Gi2/0/30 7478.27df.a3b2 dot1x DATA Auth AC14FF2800001BAE1108BDC4
Gi2/0/28 6c2b.59dc.129d dot1x DATA Auth AC14FF2800001BBC11B7D1D6
Gi1/0/35 7478.27df.a2cd dot1x DATA Auth AC14FF2800001B8D0BAA7E96
Gi2/0/24 a44c.c892.60f3 dot1x DATA Auth AC14FF2800001BAB1100DF50
Gi2/0/34 cc48.3ac5.f8ab dot1x DATA Auth AC14FF2800001BBD11E51ABF
Gi1/0/25 7478.27ab.65ef dot1x DATA Auth AC14FF2800001BB5112F2A4F

Session count = 9

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Modular_1#

Re: ISE Configuration 802.1x

johnmcgrath29 — Tue, 07 Feb 2023 13:56:30 GMT

I have just configured my test port with

Modular_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Modular_1(config)#int gi1/0/33
Modular_1(config-if)#authentication port-control auto
Modular_1(config-if)#end
Modular_1#wri mem
Building configuration...
[OK]

Re: ISE Configuration 802.1x

Rob Ingram — Tue, 07 Feb 2023 13:59:11 GMT

@johnmcgrath29 well obviously other sessions are authenticated ok, so not a communication issue with ISE.

You've not responded to all my questions, do you see any events in the ISE Live logs for the endpoint on Gi1/0/33?

Does authentication fail?

Do you not want authentication to failover to try MAB rather than place the user in VLAN 999?

Re: ISE Configuration 802.1x

johnmcgrath29 — Tue, 07 Feb 2023 14:11:59 GMT

Hi Rob,

Just applied that "authentication port-control auto" and it has resolved the issue the test machine has now been kicked off Thanks mate