Authorization Pending

s1nsp4wn
Level 1

Hello


I'm running ISE 2.4 and I'm trying to get NAC via dot1x/radius working. I have a NX-OS 9K switch in my network devices with correct radius key. I also have a default policy set to accept dot1x wired users and allow them to do anything. On the switch I have aaa setup to use ISE as a radius server and I've confirmed reachability. I've also enabled dot1x on a test port I have a laptop connected to. When I connect I get 'authorization pending' and see nothing else in show dot1x all or show radius. I see nothing in ISE's radius logs so I assume I'm not even talking to it. What else can I check? I followed the directions below:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_0100.html


Switch configs:

feature dot1x
radius-server host 1.3.5.7 key 7 "x" authentication accounting timeout 5 retransmit 3
radius-server host 2.4.6.8 key 7 "x" authentication accounting timeout 5 retransmit 3
aaa group server radius MuhISE
  server 1.3.5.7
  server 2.4.6.8
  source-interface mgmt0
!
dot1x radius-accounting
dot1x system-auth-control
!
ip access-list ALLOW-ALL
  10 permit ip any any
!
aaa authentication dot1x default group MuhISE
aaa accounting dot1x default group MuhISE
aaa authentication login error-enable
!
interface Ethernet1/1
  ip access-group ALLOW-ALL in
  switchport
  dot1x pae authenticator
  dot1x port-control auto
  dot1x re-authentication
  dot1x timeout tx-period 10
  switchport access vlan 666
  spanning-tree port type edge
  spanning-tree bpduguard enable
  mtu 9216
  no shutdown


ISE Configs:

network devices - nexus switch above added using mgmt0 interface in vrf

policy (radius = 802.1x)

authentication (wired mab and default both look in all stores)

authorization (wired mab and default both allow all)


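The symptom in the question (port stuck in "authorization pending", nothing in ISE's RADIUS live log) means the first thing to establish is whether the switch side is even complete and self-consistent before looking at the ISE network-device entry, which must match the address the switch sources RADIUS from (mgmt0 here). The following linter is an added example written for this thread, not Cisco's code or the poster's; it parses an NX-OS configuration paste and checks the 802.1X/RADIUS chain the posted config and the linked guide rely on: `feature dot1x`, `dot1x system-auth-control`, the `aaa authentication dot1x` method list, the server group it names, a defined `radius-server host` with a key for every group member, and `dot1x pae authenticator` plus `switchport` on every port with `dot1x port-control auto`. The sample config is a constructed copy of the one posted above; `broken_variant()` is a constructed deliberately defective copy used only to show what a finding looks like.

```python
"""Lint an NX-OS config paste for the pieces 802.1X/RADIUS needs.

Added example for this thread (not Cisco's or the poster's code). The
checks mirror the commands in the posted config and the linked NX-OS
security guide; the linter cannot see the ISE side.
"""
import re

# Constructed copy of the switch config posted in the question.
SAMPLE_CONFIG = """\
feature dot1x
radius-server host 1.3.5.7 key 7 "x" authentication accounting timeout 5 retransmit 3
radius-server host 2.4.6.8 key 7 "x" authentication accounting timeout 5 retransmit 3
aaa group server radius MuhISE
  server 1.3.5.7
  server 2.4.6.8
  source-interface mgmt0
!
dot1x radius-accounting
dot1x system-auth-control
!
ip access-list ALLOW-ALL
  10 permit ip any any
!
aaa authentication dot1x default group MuhISE
aaa accounting dot1x default group MuhISE
aaa authentication login error-enable
!
interface Ethernet1/1
  ip access-group ALLOW-ALL in
  switchport
  dot1x pae authenticator
  dot1x port-control auto
  dot1x re-authentication
  dot1x timeout tx-period 10
  switchport access vlan 666
  spanning-tree port type edge
  spanning-tree bpduguard enable
  mtu 9216
  no shutdown
"""

# Section headers whose following lines belong to them.
BLOCK_PREFIXES = ("interface ", "aaa group server ", "ip access-list ")


def parse_nxos(text):
    """Return (global_lines, blocks); blocks maps a header such as
    'interface Ethernet1/1' to its child lines. A section ends at '!' or a
    blank line, so flat pastes and indented 'show running-config' both parse."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith(BLOCK_PREFIXES):
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, blocks


def lint(text):
    """Return a list of findings; empty means the switch-side chain is present
    and internally consistent (it says nothing about reachability or ISE)."""
    glob, blocks = parse_nxos(text)
    gset, findings = set(glob), []
    if "feature dot1x" not in gset:
        findings.append("feature dot1x is not enabled")
    if "dot1x system-auth-control" not in gset:
        findings.append("dot1x system-auth-control missing: 802.1X is off globally")
    # radius-server host <ip> ... key ...  -> remember which hosts carry a key
    hosts = {}
    for line in glob:
        m = re.match(r"radius-server host (\S+)(.*)", line)
        if m:
            hosts[m.group(1)] = "key" in m.group(2).split()
    if not hosts:
        findings.append("no radius-server host defined")
    findings += [f"radius-server host {ip} has no shared key" for ip, k in hosts.items() if not k]
    # The dot1x method list must name a group whose members are all defined hosts.
    groups = [m.group(1) for m in (re.match(r"aaa authentication dot1x default group (\S+)", l)
                                   for l in glob) if m]
    if not groups:
        findings.append("no 'aaa authentication dot1x default group' method list")
    for g in groups:
        block = blocks.get(f"aaa group server radius {g}")
        if block is None:
            findings.append(f"aaa group server radius {g} is referenced but not defined")
            continue
        members = [l.split()[1] for l in block if l.startswith("server ")]
        if not members:
            findings.append(f"aaa group {g} has no servers")
        findings += [f"aaa group {g} lists server {ip} but no radius-server host {ip} exists"
                     for ip in members if ip not in hosts]
    # Per port: port-control auto needs the authenticator role and an L2 port.
    for header, body in blocks.items():
        if header.startswith("interface ") and "dot1x port-control auto" in body:
            name = header.split(None, 1)[1]
            if "dot1x pae authenticator" not in body:
                findings.append(f"{name}: dot1x port-control auto without dot1x pae authenticator")
            if "switchport" not in body:
                findings.append(f"{name}: dot1x on a routed (non-switchport) interface")
    return findings


def broken_variant():
    """Constructed defective copy: one group member with no matching host
    definition and system-auth-control removed, to exercise the linter."""
    return (SAMPLE_CONFIG.replace("server 2.4.6.8", "server 2.4.6.9")
            .replace("dot1x system-auth-control\n", ""))


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("broken", broken_variant())):
        print(label, lint(cfg) or ["no switch-side findings"])
```

Run against the posted config the linter reports nothing, which matches the thread: the switch-side commands are all there, so the remaining places to look are the transport (the mgmt0 VRF path the RADIUS packets take, and whether ISE's network-device entry carries that same source address) and the platform support question raised in the accepted answer.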
Accepted Solution

Damien Miller
VIP Alumni
This is not something I have gone down the path of configuring, I have only leveraged ISE with TrustSec functionality on Nexus. Maybe others will have direct 802.1x/Nexus experience.

However, I wanted to add that you're entering very rare territory trying to use access layer 802.1x features on Nexus. I understand that there is a Nexus 802.1x configuration section within the command guide, but Nexus isn't even listed within the Cisco validated ISE compatibility matrix. This would leave me questioning how well things have been tested before even starting.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html

3 Replies

Hi Damien,

What would you suggest for a NAC solution using NX-OS 9Ks as access switches and ISE as a radius server?

ISE is the NAC solution, nothing else to propose. These aren't access switches.