Combination of Dot1X and MAC is not working in ISE 2.4

dilnaazhum
Level 1

Hello,

We have some strange behaviour with ISE 2.4: in our infrastructure we have enabled dynamic VLAN matching to the VLAN name for the assignment of IP.

Authentication - Dot1X --> Authorization - MAC matching --> Result is dynamic VLAN with IP assignment; it worked for a few identity groups but not for all.

Has anyone experienced this?

Example: We have a few laptops/workstations which need to be in a dedicated VLAN, so we allowed these types of devices into the network by matching the authentication policy w.r.t. the certificates of the laptops/workstations for 802.1X. Since they need a special VLAN assignment, we created a matching endpoint identity group (example: PLC) for authorization, but in 2.4 it never checked for the PLC endpoint identity group. I have seen this weird issue not for all endpoint identity groups: if we move the same MAC address from PLC to some other endpoint identity group like Domain-PC, then it matches and assigns the VLAN.. :(

It is really a headache for me to migrate the complete infrastructure from 1.4 to 2.4, where 1/4th of the infrastructure is already migrated.

It is not a show stopper for the migration, as we found an alternative solution by executing the command on the switch:

"authentication order mab dot1x", but it generates a lot of traffic towards Splunk and also does not record the hostname of the laptop/workstation.

If anyone has experienced this, then please guide me to a resolution; otherwise I have to open a ticket with TAC, which would really not surprise me to take more weeks to troubleshoot by Cisco TAC and the BU team, as I have had one ticket open with Cisco for about 7 weeks now for the Cisco Profiling feature.

Thanks and regards

Afeez Mali


6 Replies

Arne Bier
VIP

If I understand correctly, the Authorization Policy is not always finding the MAC address of the client (from the Calling-Station-ID attribute) in an Identity Group? If you are 100% sure that the endpoint is indeed in that Endpoint Identity Group, but ISE AuthZ is not finding it, then you need to check the order of the Authorization Rules in the Authorization Policy. If the logic is good, then it might be a bug, but I have not seen such a bug before.

Are you able to paste a screenshot of your Authorization Policy?

Hello Arne,

I am not sure how it differs in the RADIUS attributes, which are generated from the same switch to ISE. I have attached the policy set for reference. If I add the MAC address to Domain-Client or Domain-VLAN1 it gets the right IP address as well as VLAN; if I move the same MAC address to FIS-Laptop_desktop (which is at the top of the policy) or another endpoint identity group it is not working: it matches our final policy for Dot1X users (the policy that looks at domain certificates and 802.1X - Radius:NAS-Port-Type = Ethernet, Radius:Service-Type = Framed) and allows the user to have the USER VLAN and IP.

As said in the discussion, I already have one SR# (issues with Cisco Profiling-created endpoint identity) open with TAC and it has been almost seven weeks now, not yet solved, so I will raise a TAC case for this after the solution to the first SR. It was decided by the business not to open too many tickets for the same type of issue.

Appreciate your response.

Thanks and regards

Afeez Mali

Did you follow the Secure Wired at http://cs.co/ise-guides?

I see some potential issues here. It looks like you are leveraging a policy set that is actually designed for 802.1X. MAB and 802.1X are treated differently by ISE authentication.

The canned, built-in "Wired_802.1X" compound condition does not match MAB authentication, only 802.1X authentication attempts. There is a separate pre-built condition that comes with ISE that matches wired MAB.

The best practice is to create or use a policy set dedicated to wired MAB authentication. In the allowed protocols list that you select, you need to ensure you select or use one that has the "Process Host Lookup" checkbox selected so that ISE will evaluate the internal endpoint store.
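The point made in the reply above, that a policy set keyed on the built-in Wired_802.1X condition never sees a MAB request and that the allowed-protocols profile must have Process Host Lookup enabled before ISE will do a host lookup against the endpoint store, can be checked against a small model. This is an added Python example, not ISE code and not from anyone in this thread. The attribute values it uses (Service-Type = Framed for 802.1X, Service-Type = Call-Check for MAB, NAS-Port-Type = Ethernet for both) are the ones a Cisco switch actually sends; the policy set names, endpoint identity groups, MAC addresses and VLAN names are constructed, and the evaluator is a deliberately simplified approximation of ISE's top-down, first-match policy-set selection (no Default policy set is modelled).

```python
"""Simplified model of ISE policy-set selection for wired 802.1X vs MAB.

Added example, not ISE code. RADIUS attribute values are real; policy set
names, endpoint groups, MACs and VLANs are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Request = Dict[str, str]


def wired_802_1x(req: Request) -> bool:
    """Mirrors ISE's built-in Wired_802.1X compound condition."""
    return req.get("NAS-Port-Type") == "Ethernet" and req.get("Service-Type") == "Framed"


def wired_mab(req: Request) -> bool:
    """Mirrors ISE's built-in Wired_MAB compound condition."""
    return req.get("NAS-Port-Type") == "Ethernet" and req.get("Service-Type") == "Call-Check"


@dataclass
class PolicySet:
    name: str
    condition: Callable[[Request], bool]
    process_host_lookup: bool            # the checkbox in the allowed-protocols profile
    authz_rules: List[Tuple[str, str]]   # (endpoint identity group, VLAN), in rule order
    default_vlan: Optional[str] = None   # result of a final catch-all rule, if any


def evaluate(req: Request, policy_sets: List[PolicySet],
             groups: Dict[str, Set[str]]) -> Tuple[str, str]:
    """Return (decision, detail) for one RADIUS request (simplified model)."""
    # Policy sets are evaluated top-down; the first matching condition wins.
    chosen = next((ps for ps in policy_sets if ps.condition(req)), None)
    if chosen is None:
        return "REJECT", "no policy set matched"
    # MAB is a host lookup: the allowed-protocols profile must permit it.
    if req.get("Service-Type") == "Call-Check" and not chosen.process_host_lookup:
        return "REJECT", f"{chosen.name}: Process Host Lookup disabled"
    mac = req["Calling-Station-Id"].lower()
    for group, vlan in chosen.authz_rules:
        if mac in groups.get(group, set()):
            return "ACCEPT", f"{chosen.name}: {group} -> VLAN {vlan}"
    if chosen.default_vlan:
        return "ACCEPT", f"{chosen.name}: default -> VLAN {chosen.default_vlan}"
    return "REJECT", f"{chosen.name}: no authorization rule matched"


# Constructed endpoint identity groups (MAC addresses are made up).
GROUPS: Dict[str, Set[str]] = {
    "PLC": {"00:11:22:33:44:55"},
    "Domain-PC": {"00:11:22:33:44:66"},
}

# Constructed requests in the shape a switch would send them.
MAB_PLC: Request = {"Calling-Station-Id": "00:11:22:33:44:55",
                    "NAS-Port-Type": "Ethernet", "Service-Type": "Call-Check"}
DOT1X_PC: Request = {"Calling-Station-Id": "00:11:22:33:44:66",
                     "NAS-Port-Type": "Ethernet", "Service-Type": "Framed"}

# "Before": a single 802.1X-oriented policy set; its EAP-TLS profile has
# Process Host Lookup off. The MAB request never even matches its condition.
BEFORE: List[PolicySet] = [
    PolicySet("Wired-Dot1X", wired_802_1x, process_host_lookup=False,
              authz_rules=[("PLC", "PLC-VLAN"), ("Domain-PC", "PC-VLAN")],
              default_vlan="USER-VLAN"),
]

# "After": a dedicated wired-MAB policy set, evaluated first, with
# Process Host Lookup on, so the endpoint store is consulted.
AFTER: List[PolicySet] = [
    PolicySet("Wired-MAB", wired_mab, process_host_lookup=True,
              authz_rules=[("PLC", "PLC-VLAN"), ("Domain-PC", "PC-VLAN")]),
] + BEFORE

# A MAB policy set whose profile still lacks the checkbox: matched, then rejected.
MAB_NO_LOOKUP: List[PolicySet] = [
    PolicySet("Wired-MAB", wired_mab, process_host_lookup=False,
              authz_rules=[("PLC", "PLC-VLAN")]),
]

if __name__ == "__main__":
    for label, sets, req in [("before / MAB PLC", BEFORE, MAB_PLC),
                             ("after  / MAB PLC", AFTER, MAB_PLC),
                             ("after  / 802.1X PC", AFTER, DOT1X_PC),
                             ("no lookup / MAB PLC", MAB_NO_LOOKUP, MAB_PLC)]:
        print(f"{label:22} -> {evaluate(req, sets, GROUPS)}")
```

Running it shows the MAB request for the PLC endpoint matching nothing under the 802.1X-only configuration, being rejected when a MAB policy set exists but its profile has the checkbox off, and only receiving the PLC VLAN once a dedicated Wired_MAB policy set with Process Host Lookup enabled sits above the 802.1X set.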

Hello All,

Thanks for your input and help. Currently (Cisco ISE 1.4) we have not enabled "Process Host Lookup" in the EAP-TLS allowed protocols; I may give it a try and update, but I still have a concern about why it works for a few AuthZ condition results and not for all endpoint identity groups.

Thanks and regards

Afeez Mali

Hello,

Eventually, it worked after enabling "Process Host Lookup" in the EAP-TLS allowed protocols.

Thanks all for your help and support.. :)

Thanks and regards

Afeez Mali