Beginner

Authorization Pending

Hello

 

I'm running ISE 2.4 and I'm trying to get NAC via dot1x/radius working. I have a NX-OS 9K switch in my network devices with correct radius key. I also have a default policy set to accept dot1x wired users and allow them to do anything. On the switch I have aaa setup to use ISE as a radius server and I've confirmed reachability. I've also enabled dot1x on a test port I have a laptop connected to. When I connect I get 'authorization pending' and see nothing else in show dot1x all or show radius. I see nothing in ISE's radius logs so I assume I'm not even talking to it. What else can I check? I followed directions below:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_0100.html

Switch configs:

feature dot1x
radius-server host 1.3.5.7 key 7 "x" authentication accounting timeout 5 retransmit 3
radius-server host 2.4.6.8 key 7 "x" authentication accounting timeout 5 retransmit 3
aaa group server radius MuhISE
server 1.3.5.7
server 2.4.6.8
source-interface mgmt0
!
dot1x radius-accounting
dot1x radius-accounting
dot1x system-auth-control
!
ip access-list ALLOW-ALL
10 permit ip any any
!
aaa authentication dot1x default group MuhISE
aaa accounting dot1x default group MuhISE
aaa authentication login error-enable
!
interface Ethernet1/1
ip access-group ALLOW-ALL in
switchport
dot1x pae authenticator
dot1x port-control auto
dot1x re-authentication
dot1x timeout tx-period 10
switchport access vlan 666
spanning-tree port type edge
spanning-tree bpduguard enable
mtu 9216
no shutdown

 

ISE Configs:

network devices - nexus switch above added using mgmt0 interface in vrf

policy (radius = 802.1x)

authentication (wired mab and default both look in all stores)

authorization (wired mab and default both allow all)
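The symptom above (no RADIUS activity on the switch, nothing in the ISE logs) is easier to narrow down if you can confirm, independently of the switch, whether an Access-Request from a given source address gets any answer from ISE at all. A RADIUS server that does not recognise the source address as a configured network device, or that holds a different shared secret, silently discards the request (RFC 2865 section 4.1), so "no reply" and "wrong secret" look the same from the outside. The script below is an added example, not part of the original post or of any Cisco tool: it builds a minimal PAP Access-Request (User-Name, User-Password hidden per RFC 2865 section 5.2, NAS-IP-Address), sends it over UDP, and validates the Response Authenticator on whatever comes back. The shared secret, usernames and 192.0.2.x addresses are constructed placeholders; `bind_ip` is an assumption you set to the address ISE expects the switch to use (here, the mgmt0 address added to ISE as the network device), so the probe is seen as the same NAS.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Encode one attribute as type(1) length(1, header included) value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_password(password, secret, authenticator):
    """Hide a PAP password per RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous ciphertext block), seeded with the request authenticator.
    """
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(pw[i:i + 16], mask))
        out += block
        prev = block
    return out


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Assemble an Access-Request: header, 16-byte request authenticator, attributes.

    Message-Authenticator (attribute 80) is omitted: it is mandatory for EAP
    exchanges, not for a plain PAP probe like this one.
    """
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_reply(code, request, secret, attrs=b""):
    """What a server sends back: same identifier, authenticator computed as
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3).
    Included so the verification below can be exercised offline.
    """
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(reply, request_authenticator, secret):
    """Recompute the Response Authenticator and compare in constant time."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def classify_reply(reply, request_authenticator, secret):
    """Map the outcome to the question an admin is actually asking."""
    if reply is None:
        return "no-response"      # unknown NAS address, wrong secret, or filtered path
    if not response_is_authentic(reply, request_authenticator, secret):
        return "bad-authenticator"  # reply not signed with our secret: spoofed or misconfigured
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")


def probe(server, secret, username, password, nas_ip, port=1812, timeout=5.0, bind_ip=None):
    """Send one Access-Request to `server` and classify the answer."""
    ident = os.urandom(1)[0]
    authenticator = os.urandom(16)
    request = build_access_request(ident, secret, username, password, nas_ip, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if bind_ip:
            sock.bind((bind_ip, 0))   # source address ISE will match against its NAD list
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except OSError:               # timeout or ICMP unreachable: treat as silence
            reply = None
    if reply is not None and reply[1] != ident:
        reply = None                  # stale datagram, not an answer to this request
    return classify_reply(reply, authenticator, secret)


if __name__ == "__main__":
    # Constructed values: replace with the ISE PSN address, the NAD's shared secret
    # and the switch's RADIUS source address as configured on ISE.
    print(probe("192.0.2.1", b"shared-secret-placeholder", "probe-user", "probe-pass",
                nas_ip="192.0.2.10", bind_ip=None, timeout=3.0))
```

Run it from a host whose source address matches the network device entry on ISE: "reject" already proves reachability, the secret and the NAD definition (the credentials just failed); "no-response" means the request never made it or was dropped before authentication, which is where the switch's RADIUS source interface and the VRF it lives in, the shared secret, and any filtering of UDP/1812 between switch and ISE should be compared against what the ISE network device entry expects.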

 

Accepted Solution
VIP Advocate

Re: Authorization Pending

This is not something I have gone down the path of configuring, I have only leveraged ISE with TrustSec functionality on Nexus. Maybe others will have direct 802.1x/Nexus experience.

However, I wanted to add that you're entering very rare territory trying to use access layer 802.1x features on Nexus. I understand that there is a Nexus 802.1x configuration section within the command guide, but Nexus isn't even listed within the Cisco validated ISE compatibility matrix. This would leave me questioning how well things have been tested before even starting.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html


3 Replies

Beginner

Re: Authorization Pending

Hi Damien,

What would you suggest for a NAC solution using NX-OS 9Ks as access switches and ISE as a radius server?

Cisco Employee

Re: Authorization Pending

ISE is the NAC solution, nothing else to propose. These aren't access switches.