SD Access 802.1X Wired Just authenticate one user

Heriberto Diaz — Mon, 18 Nov 2019 19:10:21 GMT

I have a issue with 802.1X, when I connect a laptop to port G1 / 0/2 it authenticates successfully and is reflected with the command show authentication session int g1 / 0/2 det and also in ISE but when I connect a second device in The G1 / 0/3 port does not see any session with sh authenticate session nor in the ISE but in the network card if the connection established to the domain appears and can have internet access.

I am using SD-Access Fabric with the closeAuthentication template.

Current configuration : 390 bytes
!
interface GigabitEthernet1/0/2 and G1/0/3
switchport access vlan 1038
switchport mode access
device-tracking attach-policy IPDT_MAX_10
load-interval 30
cts manual
policy static sgt 4
no propagate sgt
dot1x timeout tx-period 7
dot1x max-reauth-req 3
no macro auto processing
source template DefaultWiredDot1xClosedAuth
spanning-tree portfast
end

template DefaultWiredDot1xClosedAuth
dot1x pae authenticator
switchport access vlan 2047
switchport mode access
switchport voice vlan 4000
mab
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
30 authorize
40 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event aaa-available match-all
10 class IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 resume reauthentication
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
event violation match-all
10 class always do-until-failure
10 restrict
event authorization-failure match-all
10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
10 authentication-restart 60
!

Also we did the test on other switch without SD-Access and the 802.1X authentication works fine with the same ISE, connecting 3 laptops and all session are shows.

Does anybody know what I missing?

Thanks and regards.

Re: SD Access 802.1X Wired Just authenticate one user

Mike.Cifelli — Tue, 19 Nov 2019 14:34:38 GMT

A few things:
If you have ISE implemented into your solution why not rely on ISE to push policy + SGT instead of statically assigning VN+SGT to port as you show in the config. I would check for a discrepancy either in how you configured the interfaces in host onboarding section, or if there is a discrepancy between the workstation supplicant configuration between the two hosts configured/tested.

Re: SD Access 802.1X Wired Just authenticate one user

Heriberto Diaz — Tue, 19 Nov 2019 16:06:25 GMT

Hi Mike

I used host onboarding to push the config on both ports,

Regards and Thanks

Re: SD Access 802.1X Wired Just authenticate one user

Mike.Cifelli — Tue, 19 Nov 2019 16:28:29 GMT

So the default host template will push the configs to your ENs in your fabric. You must then provision ports with Auth Template 'Closed Auth' if that is what you wish to use. On that same g1/0/4 try that, and let us know your outcome. Again, you can assign policy via ISE and then just setup your interfaces as DEVICE_TYPE User Devices & Auth Temp Closed Auth. HTH!

Re: SD Access 802.1X Wired Just authenticate one user

Heriberto Diaz — Wed, 20 Nov 2019 04:56:23 GMT

Mike

I deleted the CTS Manual (Policy static sgt) and configured cts role-based enforcement and finally the laptops authenticated.

Thanks and regards

topic SD Access 802.1X Wired Just authenticate one user in Software-Defined Access (SD-Access)

SD Access 802.1X Wired Just authenticate one user

Re: SD Access 802.1X Wired Just authenticate one user

Re: SD Access 802.1X Wired Just authenticate one user

Re: SD Access 802.1X Wired Just authenticate one user

Re: SD Access 802.1X Wired Just authenticate one user