Hi,

Do we provide any best practise advice on this subject ?

The customer in this case needs to know if C3PL is the right way to go or not ...

br,

Tue

I can't say it is the best practice, but one workaround you can try is to define same ISE node two times with different RADIUS ports. One using 1645 & 1646 and another with same IP using 1812 & 1813. With IBNS 2.0 you can point 802.1X to the first one and MAB to the second one and getting no response due to AD will not impact the MAB requests as it is considered separate RADIUS server from switch side.

Hosuk

hi,

Thanks for your replies

Do you know of any customers actually using C3PL in production ?

We need to ease the customers mind that this is a "safe and/or recommend" way to follow.

/Tue

Yes many customers are already on IBNS 2.0 mainly due to CRITICAL ACL feature.

HI ..

This is the code we are working on now:

aaa new-model

!

!

aaa group server radius ISE-DOT1X-DK-TESTBED

server-private 10.158.33.216 timeout 1 retransmit 2 key 7 *gracefullyremoved*

server-private 10.158.33.225 timeout 1 retransmit 2 key 7 *gracefullyremoved*

!

aaa group server radius ISE-MAB-DK-TESTBED

server-private 10.158.33.225 timeout 1 retransmit 2 test username ise-tester idle-time 1 key 7 *gracefullyremoved*

server-private 10.158.33.216 timeout 1 retransmit 2 test username ise-tester idle-time 1 key 7 *gracefullyremoved*

!

aaa authentication dot1x DOT1X group ISE-DOT1X-DK-TESTBED

aaa authentication dot1x MAB group ISE-MAB-DK-TESTBED

aaa authorization network default group ISE-DOT1X-DK-TESTBED

aaa authorization network ISE-DOT1X-DK-TESTBED none

aaa accounting update periodic 60

aaa accounting identity default start-stop group ISE-DOT1X-DK-TESTBED

aaa accounting network default start-stop group ISE-DOT1X-DK-TESTBED

aaa accounting system default start-stop group ISE-DOT1X-DK-TESTBED

!

!

!

!

!

aaa server radius dynamic-author

client 10.158.33.216 server-key 7 *gracefullyremoved*

client 10.158.33.225 server-key 7 *gracefullyremoved*

!

service-template webauth-global-inactive

inactivity-timer 3600

service-template CRITICAL

access-group ACL-ALLOW

vlan 107

service-template CRITICAL_VOICE

access-group ACL-ALLOW

voice vlan

service-template CRITICAL_AUTHD

access-group ACL-ALLOW

vlan 107

service-template DEFAULT_CRITICAL_VOICE_TEMPLATE

voice vlan

!

!

vlan group useraccess vlan-list 107-108

vlan dot1q tag native

!

vlan 107

name 107-dot1x-UA

!

vlan 108

name 108-dot1x-UA

!

!

class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST

match result-type aaa-timeout

match authorization-status authorized

!        

class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST

match result-type aaa-timeout

match authorization-status unauthorized

!        

class-map type control subscriber match-all DOT1X

match method dot1x

!        

class-map type control subscriber match-all DOT1X_FAILED

match method dot1x

match result-type method dot1x authoritative

!        

class-map type control subscriber match-all DOT1X_NO_RESP

match method dot1x

match result-type method dot1x agent-not-found

!        

class-map type control subscriber match-all DOT1X_TIMEOUT

match method dot1x

match result-type method dot1x method-timeout

!        

class-map type control subscriber match-none IN_CRITICAL

match activated-service-template CRITICAL

!        

class-map type control subscriber match-any IN_CRITICAL_AUTHD

match activated-service-template CRITICAL_AUTHD

!        

class-map type control subscriber match-any IN_CRITICAL_VLAN

match activated-service-template CRITICAL

!        

class-map type control subscriber match-all MAB

match method mab

!        

class-map type control subscriber match-all MAB_FAILED

match method mab

match result-type method mab authoritative

!        

class-map type control subscriber match-none NOT_IN_CRITICAL_VLAN

match activated-service-template CRITICAL

!        

!        

!        

policy-map type control subscriber DOT1X

event session-started match-all

  10 class always do-until-failure

   10 authenticate using dot1x aaa authc-list DOT1X authz-list DOT1X retries 2 retry-time 0 priority 10

   20 authenticate using mab aaa authc-list MAB priority 20

event authentication-failure match-first

  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure

   10 activate service-template CRITICAL

   20 authorize

   30 authentication-restart 28800

  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure

   10 pause reauthentication

  30 class DOT1X_NO_RESP do-until-failure

   10 terminate dot1x

   20 authenticate using mab priority 20

  40 class MAB_FAILED do-until-failure

   10 terminate mab

   20 authentication-restart 60

  50 class DOT1X_FAILED do-until-failure

   10 terminate dot1x

   20 authenticate using mab aaa authc-list MAB priority 20

  60 class always do-until-failure

   10 terminate dot1x

   20 terminate mab

   30 authentication-restart 60

event agent-found match-all

  10 class always do-until-failure

   10 terminate mab

   20 authenticate using dot1x retries 2 retry-time 0 priority 10

event aaa-available match-all

  10 class IN_CRITICAL do-until-failure

   10 clear-session

  20 class IN_CRITICAL_AUTHD do-until-failure

   10 resume reauthentication

  30 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure

   10 resume reauthentication

event violation match-all

  10 class always do-until-failure

   10 restrict

!

!

interface GigabitEthernet1/0/2

description End User Port VLAN 107  

switchport access vlan 107

switchport mode access

switchport nonegotiate

ip access-group ACL-ALLOW in

logging event link-status

authentication periodic

authentication timer reauthenticate server

access-session port-control auto

mab

no snmp trap link-status

dot1x pae authenticator

dot1x timeout tx-period 10

storm-control broadcast level 70.00

storm-control multicast level 70.00

storm-control action trap

no cdp enable

spanning-tree portfast

service-policy type control subscriber DOT1X

!

ip access-list extended ACL-ALLOW

permit ip any any

!

ip access-list extended REDIRECT

deny   ip any host 10.158.33.216

deny   ip any host 10.158.33.225

permit ip any any

!

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 30 tries 3

Comments ?

If anyone will share their code - I´d love to see it.

/Tue

Hi Tue and Hosuk

I'm actually trying out the same c3pl code based on the document for 3850 universal config (that Hosuk wrote) integrated with ISE 2.1.

For the moment I do see both auth's being triggered at the same time and it looks like it works fine, but ISE behaviour for now is to generate an alarm for the NAD misconfiguration as having too many accounting packets.

I have to admit that having both auth methods simultaneously confuses me in a few aspects:

- 802.1X takes longer to authenticate than mab (more transactions)

- if mab succeeds, an accounting start will be sent.

- but then 802.1X also succeeds (it just took longer) - which will also trigger an accounting start

- will the switch drop the mab session then?

I would also like to have best practice reference guide for C3PL covering multiple cases - 802.1X and MAB for endpoints (with ISE CWA); 802.1X, MAB and webauth; only MAB, etc... Does any of this exist?

If the use cases reference guide is not possible, then a more thorough explanation on how to design a C3PL policy covering multiple cases  - which events to look for, which classes to match, which actions to take and their impact.

Regards

Gustavo

Hello,

Just found out that actually there are a lot of templates already provided with the Auto-identity feature (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-8-0E/15-24E/configuration/guide/xe-380-configuration/auto_id.pdf), besides a good lab guide in cisco live (LTRSEC-2017-LG).

Might help anyone trying to dive into C3PL for identity

Cheers

Gustavo